-
Title
WMI RPC_C_AUTHN_LEVEL_PKT_INTEGRITY errors in Event Viewer of a Windows Server 2019 -
Description
When Rapid Recovery fails to complete any of the following:
- Adding a Windows Server 2019 server to protection,
- Adding a WS2019 Hyper-V host for agentless protection,
- When executing a Virtual Export/Standby to Hyper-V hosts
- When validating credentials to have access to a SQL DB instance the metadata with show errors similar to:
'Cannot obtain access to a remote machine 'servername'
This error could be caused by one of the following:
- The user name or password is incorrect.
- The specified user does not have administrator privileges on the remote machine.
- The specified user does not have access to the remote machine via Windows Management Instrumentation.'"
The "Remote Procedure Call (RPC)" service is not running on the local machine.
This error could be caused by one of the following:
- RPC service is down
- RPC service failed after initialization.
WMI query: SELECT Name FROM Win32_PageFileUsage -namespace root\cimv2
System.Runtime.InteropServices.COMException depth 0: The RPC server is unavailable.
Also, when viewing repeated messages in the Event Viewer for Windows 2019 server
Source: Microsoft-Windows-DistributedCOM
ID: 10036
Description: The server-side authentication level policy does not allow the user DOMAIN\USERID SID (DOMAIN\USERID) from address to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application. -
Cause
The Distributed Component Object Model (DCOM) Remote Protocol is a protocol for exposing application objects using remote procedure calls (RPCs). DCOM is used for communication between the software components of networked devices. Hardening changes in DCOM were required for CVE-2021-26414. -
Resolution
Windows Registry Disclaimer:
Quest does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 “Description of the Microsoft Windows registry” at Microsoft Support.
Windows registry for advanced users - Windows Server | Microsoft Docs
You can deactivate the hardening changes via the registry (this is not a long-term solution) as described in Microsoft Knowledgebase article:
Registry setting to enable or disable the hardening changesDuring the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:
-
Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
-
Value Name: "RequireIntegrityActivationAuthenticationLevel"
-
Type: dword
-
Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to enabled.
Note You must enter Value Data in hexadecimal format.
Important You must restart your device after setting this registry key for it to take effect.
Note Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation. This does not affect anonymous activation (activation using authentication level RPC_C_AUTHN_LEVEL_NONE). If the DCOM server allows anonymous activation, it will still be allowed even with DCOM hardening changes are enabled.
Note This registry value does not exist by default; you must create it. Windows will read it if it exists and will not overwrite it.
Note Installation of later updates will neither change nor remove existing registry entries and settings.
-