DCOM FUD: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
DCOM FUD Caused by KB5004442
Applies to Windows domain controllers that are set up as a Certification Authority and are used from domain-connected workstations for user self-enrollment, generating certificates for PIV smart cards. The PIV smart cards are then used to authenticate and log on.
While setting up a DCOM application such as certificate enrollment services between workstations and servers, all running modern operating systems such as Windows Server 2022 and Windows 10, you start to see DCOM failures, with error 10036 in the System log:
Event ID 10036: "The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application." (%1 – domain, %2 – user name, %3 – User SID, %4 – Client IP Address)
This is a real error message from the test environment.
The server-side authentication level policy does not allow the user LETSGO\brandon SID (S-1-5-21-3789395989-1410218113-2000832445-1104) from address 192.168.99.143 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
You will also see errors 10037 and 10038 in the event log.
The solution is to set the "Default Authentication Level" on both client and server (to at least Packet Integrity, as the 10036 message asks for), from Control Panel -> Administrative Tools -> Component Services.
Also set the "Launch and Activation Permissions" very permissively.
Also check Windows Firewall on the certificate server and make sure that DCOM, COM+, Key Distribution, and WMI are all allowed.
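As an added example (not code from the original post), a PowerShell check for the certificate server: it reports the DCOM authentication settings and parses 10036 events into the client address and user pairs that still activate below Packet Integrity. The registry locations (HKLM\SOFTWARE\Microsoft\Ole and its AppCompat subkey) are taken from KB5004442 and the Component Services setting rather than from this page, and the function names are assumptions of the example.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# on the certificate server. Registry locations come from KB5004442 and the
# dcomcnfg "Default Authentication Level" setting, which this page does not quote.

function Get-DcomAuthState {
    # KB5004442 switch: 1 = reject activations below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
    $ac  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue
    # Machine-wide default level as set in Component Services:
    # 1 None, 2 Connect, 3 Call, 4 Packet, 5 Packet Integrity, 6 Packet Privacy.
    $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RequireIntegrityActivationAuthenticationLevel = $ac.RequireIntegrityActivationAuthenticationLevel
        LegacyAuthenticationLevel                     = $ole.LegacyAuthenticationLevel
        DefaultMeetsPacketIntegrity                   = ([int]$ole.LegacyAuthenticationLevel -ge 5)
    }
}

function ConvertFrom-Dcom10036 {
    # Pull domain, user, SID and client address out of a 10036 message,
    # following the "%1\%2 SID (%3) from address %4" layout quoted above.
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        $m = [regex]::Match($Message,
            'user (?<Domain>[^\\]+)\\(?<User>\S+) SID \((?<Sid>S-[\d-]+)\) from address (?<Client>\S+) to activate')
        if ($m.Success) {
            [pscustomobject]@{
                Domain = $m.Groups['Domain'].Value; User   = $m.Groups['User'].Value
                Sid    = $m.Groups['Sid'].Value;    Client = $m.Groups['Client'].Value
            }
        }
    }
}

# Constructed sample: the real message shown above, so the parser can be tried offline.
$sample = 'The server-side authentication level policy does not allow the user LETSGO\brandon SID (S-1-5-21-3789395989-1410218113-2000832445-1104) from address 192.168.99.143 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.'
$sample | ConvertFrom-Dcom10036

Get-DcomAuthState | Format-List

# Live 10036 events from the System log, grouped by client address and user, so you
# can see which workstations still activate below Packet Integrity.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10036 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Message } | ConvertFrom-Dcom10036 |
    Group-Object Client, User | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Once the client-side level has been raised, the same query should return no new rows; clients that keep appearing have not picked up the changed Default Authentication Level.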