MX AD integration broke after Windows updates

TEAM-ind
Getting noticed

I have had AD integration configured for several years. I use it for both content filtering policies and VPN authentication.

The AD servers are Server 2012 R2 domain controllers. I noticed two of them were producing TLS errors in the dashboard.

When I looked at the server, I saw DCOM error Event ID 10036:

The server-side authentication level policy does not allow the user <domain admin account> SID (S-1-5-21-71189414-624380436-382417117-21771) from address <MX IP Address> to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

Meraki stated the issue is with Microsoft security and provided this link:

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-...

I did not have success with the reg hack the article references, so I again asked support for help.

I received this from Meraki Support:

"After talking to our development team it looks like there is an update in the works for the AD integration but there is no current ETA on when that will be released. In the meantime, we suggest updating the registry key outlined in the following article by Microsoft."

https://docs.microsoft.com/en-us/answers/questions/564347/server-2019-update-kb5005568-sept-2021-for...

Has anyone else seen this issue with an MX and AD integration?
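For anyone hitting the same thing, here is a worked PowerShell snippet for checking what the DC is actually rejecting before touching the registry. It is an added example, not code from the original post, from Meraki or from Microsoft. It runs on the domain controller in an elevated session, parses the 10036 event text quoted above to recover the denied account, its SID and the client address (which should be the MX), and reads or sets the value KB5004442 documents under HKLM\SOFTWARE\Microsoft\Ole (RequireIntegrityActivationAuthenticationLevel, DWORD: 0 turns the activation hardening off, 1 turns it on). The event provider name and the regex are assumptions based on that event text; if your event wording differs, adjust the pattern.

```powershell
# Added example (not from the post, Meraki or Microsoft). Run elevated on the affected DC.
# Assumes the value documented in KB5004442:
#   HKLM\SOFTWARE\Microsoft\Ole\RequireIntegrityActivationAuthenticationLevel (DWORD)
#   0 = hardening off (pre-update behaviour), 1 = hardening on (activation needs PKT_INTEGRITY).
$OleKey   = 'HKLM:\SOFTWARE\Microsoft\Ole'
$OleValue = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomActivationDenial {
    # Pull server-side DCOM 10036 events and extract who was denied, and from where.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'   # assumed provider for source "DCOM"
        Id           = 10036
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Message shape taken from the event text quoted in the post:
        # "... does not allow the user <account> SID (S-1-5-...) from address <ip> to activate DCOM server ..."
        if ($_.Message -match 'user\s+(?<user>.+?)\s+SID\s+\((?<sid>S-1-5-[\d-]+)\)\s+from address\s+(?<addr>\S+)') {
            $account = $Matches.user
            try {
                # Re-resolve the SID locally so a renamed or stale account is still identified.
                $sidObj  = New-Object System.Security.Principal.SecurityIdentifier $Matches.sid
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $account
                Sid     = $Matches.sid
                Client  = $Matches.addr   # expected to be the MX's IP address
            }
        }
    }
}

function Get-DcomHardeningState {
    # Reports the current value; "not set" means the update's default applies.
    $v = Get-ItemProperty -Path $OleKey -Name $OleValue -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'not set (update default applies)' } else { $v.$OleValue }
}

function Disable-DcomHardening {
    # Temporary workaround only: lets RPCSS accept activation below PKT_INTEGRITY again,
    # i.e. it re-opens the weakness the update closes. Set the value back to 1 (or delete it)
    # once the client side (the MX firmware) raises its authentication level.
    if (-not (Test-Path $OleKey)) { New-Item -Path $OleKey -Force | Out-Null }
    New-ItemProperty -Path $OleKey -Name $OleValue -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Warning 'DCOM activation hardening disabled on this host; restart the DC before re-testing.'
}

# Usage:
Get-DcomActivationDenial -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
"$OleValue = $(Get-DcomHardeningState)"
# Only after confirming the only denied client is the MX and the account is the MX's AD bind user:
# Disable-DcomHardening
```

Two things worth checking from the output: the Client column should contain nothing but the MX addresses (anything else is a different client that also needs fixing, not a reason to weaken the DC), and the Account column should be the bind account the MX uses. Since the post says the denied user is a domain admin, this is also a good moment to swap that for a least-privilege read-only account, which works regardless of how the DCOM question is resolved. Apply the registry change only on the DCs the MX queries, and reboot before deciding whether it worked, since the activation policy is read by RPCSS rather than per connection.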

 

EMAT-Dave
New here

Yes, you are not alone in this issue.

I first raised the issue with MXs and AD integration being broken after upgrading our DCs to Server 2022 in October 2021. Four months on, every time I check in on the ticket with Meraki, I get the same response you do. There is no resolution date in sight for this issue, and Meraki don't seem to want to fix it or actually work with Microsoft on a solution, although in their defence, neither do any other security vendors with the same problem.

I've had to force all our users (8 sites and 8 MXs) to use a default very restrictive filtering policy, which is going down really well with the 6000 end users we have, as you can imagine. Seriously considering selling our MX firewalls and using a Smoothwall appliance with agent-based attribute reading for auth instead. A step backwards by about 10 years, but at least it works and can be trusted to work consistently.

I could say what I'm thinking about the helpful Meraki support teams regarding this matter, but it'll probably just be taken down.

TEAM-ind
Getting noticed

Thanks for sharing your experience. It is nice to know I am not the only one. I assume Cisco has no incentive to resolve the issue, as they would like to have customers buy Umbrella as well.
