topic Re: AD-query failed with Microsoft Windows Server 2022 in Firewall and Security Management

AD-query failed with Microsoft Windows Server 2022

Wolfgang — Mon, 22 Nov 2021 07:55:01 GMT

Hello CheckMates,

with Windows Server 2022 Microsoft changed the default behaviour of the RPC authentication level.

Following this AD-query failed (remote login not possible, access roles not enforced etc.) Available in the knowledgebase is this article

Check Point response to CVE-2021-26414 - "Windows DCOM Server Security Feature Bypass"

There is a steatment "Check Point R&D is working on a permanent solution for this issue."

Any solutions for this problem or a timeline when available?

Wolfgang

Re: AD-query failed with Microsoft Windows Server 2022

_Val_ — Mon, 22 Nov 2021 08:57:25 GMT

There is a workaround in the case. Did you see the link to the MS article in the comments?

Re: AD-query failed with Microsoft Windows Server 2022

Wolfgang — Mon, 22 Nov 2021 09:19:12 GMT

@_Val_ yes, I see. But the solution is to lowering the security on the Microsoft site. I know identity collector is the better solution but at the moment we are using only AD-query.

Re: AD-query failed with Microsoft Windows Server 2022

JeanMarc_C — Fri, 26 Nov 2021 09:12:09 GMT

Are you sure the workaround works on server 2022 as well and not only on previous versions having the update for CVE-2021-26414 ? The MS kb article states that the workaround will not be possible anymore in some times and server 2022 is not listed. So possibly server 2022 is already in this state.

Re: AD-query failed with Microsoft Windows Server 2022

Wolfgang — Fri, 26 Nov 2021 14:28:23 GMT

@JeanMarc_C yes you're right. With 2022 this does not work. We tried this but AD query was failing again. Reading again Microsofts knowledgebase article let us realize that it's not supported with 2022 (same as you mentioned). I forgot about it to post here. The solution is to switch to Identity Collector.

There should be a hint in the documentation that AD query does no more work with domain controller on Microsoft Server 2022.

Re: AD-query failed with Microsoft Windows Server 2022

JozkoMrkvicka — Fri, 26 Nov 2021 23:12:34 GMT

AD query on Microsoft Server 2022 wont never work or till Check Point will release the fix?

Re: AD-query failed with Microsoft Windows Server 2022

Wolfgang — Sat, 27 Nov 2021 19:02:10 GMT

Looks like you have to install KB5005619 on Microsoft server 2022 and then you can set the mentioned registry value to disabled. But after Q2 2022 this will be no more available. Have a look at the timeline in KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

@_Val_ please would you check internal regarding AD query and Microsoft Windows server 2022.

Re: AD-query failed with Microsoft Windows Server 2022

Royi_Priov — Sun, 28 Nov 2021 07:59:35 GMT

Hi @Wolfgang,

Unfortunately, there is no simple fix here to adjust AD Query to work with this security enhancement.

We are still investigating the amount of effort needed here, but I can say it will not take few weeks.

As the SK stated, this is a problem which only AD Query suffers from, and Identity Collector which uses different method for acquiring identities works with no change.

I will revise the SK with the needed info raised on this thread - thanks for sharing.

Re: AD-query failed with Microsoft Windows Server 2022

_Val_ — Mon, 29 Nov 2021 09:25:10 GMT

Thanks Royi, we appreciate the transparency.

Re: AD-query failed with Microsoft Windows Server 2022

SGInfra — Wed, 01 Dec 2021 14:30:30 GMT

Hello,

What solution or workaround would be for Gaia Embedded devices (15xx Appliances)? those don't have option to use Identity Collector.

Thanks,

Raitis Robeznieks

Re: AD-query failed with Microsoft Windows Server 2022

PhoneBoy — Wed, 01 Dec 2021 16:35:48 GMT

Share identities from a gateway that can.
This could even be a two-core VM off to the side running regular Gaia.

Re: AD-query failed with Microsoft Windows Server 2022

JeanMarc_C — Fri, 03 Dec 2021 08:36:22 GMT

I had a ticket with support for this, and there is an ETA to support server 2022 and the security strengthening according the MS KB for end of January 2022. In the meantime workaround or solution is to work with Identity collector (which is better than AD query), share identities between gateways, or use Identity Agent.

It is however not 100% clear if AD 2022 with the registry key change according MS KB is meant to work or not. In my case, on embedded R77.20, it does not work but change the status of the AD from "internal error" to "bad credential".

Re: AD-query failed with Microsoft Windows Server 2022

SGInfra — Fri, 03 Dec 2021 16:41:32 GMT

Thank You, PhoneBoy for your suggestion.

I have disabled AD Query for all embedded devices, and enabled them to get shared identities from those appliances, that use ID Collector.

Will see, how this will work. I was afraid, that using ID Sharing Identities will not work, it requests/traffic is not processed through GW, that is Identity source. (for example on-site local traffic between separated interfaces/subnets).

Best Regards,

Raitis

Re: AD-query failed with Microsoft Windows Server 2022

Royi_Priov — Mon, 06 Dec 2021 13:59:22 GMT

Hi Raitis, @SGInfra

Identity Sharing mechanism will allow more efficient way to save identities. For example, gateway which handle traffic for specific subnets, will get the identities which are part of this subnet only. This design allows each gateway to receive the needed identities only, and not process unneeded sessions.

Re: AD-query failed with Microsoft Windows Server 2022

SGInfra — Thu, 09 Dec 2021 11:47:15 GMT

Hi, Royi_Priov, and Thanks for Your advice.

Solution with Shared identities Works fine.

In our topology we have 4 GW running regular Gaia and 6 Gaia embedded appliances.

One of Regular Gaia is central GW for all other devices (sites) in star Community VPN.

I have pointed each Embedded device, to get shared Identities form Central GW and one other Regular Gaia device, that is related (As parrent) site for that branch.

Thanks also to PhoneBoy for provided solution.

B.R.

Raitis

Re: AD-query failed with Microsoft Windows Server 2022

BeaconBits — Thu, 09 Dec 2021 17:09:38 GMT

@Royi_Priov,, Has SK been revised and updated?

Thanks!

Re: AD-query failed with Microsoft Windows Server 2022

Royi_Priov — Sun, 12 Dec 2021 12:49:30 GMT

@BeaconBits, yes:

To work without any functionality issues, follow the procedure in this Microsoft article:
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
A fix might be needed to apply this procedure, please check "Availability" section in the above article.

Re: AD-query failed with Microsoft Windows Server 2022

David_Herselman — Tue, 14 Dec 2021 09:04:28 GMT

The method of setting the registry key unfortunately makes no difference on an up to date Windows 2022 AD server. Herewith the registry entry we set:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]
"RequireIntegrityActivationAuthenticationLevel"=dword:00000000

Hoping R&D can provide a fix that remediates this problem, what's happened in the 6 months since Microsoft raised awareness of this upcoming change?

Perhaps developers could look to see how other libraries (eg Samba) handle the requirement?

PS: We are running R81 with NTLMv2, LDAPS and Kerberos encryption type aes256-cts-hmac-sha1-96.

Re: AD-query failed with Microsoft Windows Server 2022

Enyi_Ajoku — Wed, 19 Jan 2022 16:11:54 GMT

@Royi_Priov do you have an update to this yet?

Re: AD-query failed with Microsoft Windows Server 2022

MikeB — Tue, 15 Feb 2022 00:17:07 GMT

So, SMB clients with just Quantum Spark appliances also need to buy and maintain a license for VM GAIA just for this task? I have not heard of any other vendor with this problem and forcing you to purchase additional licenses for a feature you are supposed to have already paid for. This is not good