check_wmi_plus.pl
Posted: Thu Sep 30, 2021 8:09 am
This might be a long shot, but here goes.
We use check_wmi_plus.pl to do checks on our Windows estate, which has worked well up until now.
After a Windows update we are seeing lots of event log messages relating to DCOM account permissions.
We opened a case with Microsoft, and the upshot is we need to change the authentication method for the check; however, I don't see an option to do this in check_wmi_plus.pl.
Wondering if anyone else has seen this issue and if they found a way of changing the authentication method?
Here is what we got back from Microsoft.
> KB5005568 (for WS2019) introduced new event logging, with event ID 10036, to allow customers to easily identify if they have any applications/components encountering issues because of the authentication level in their environments during testing, without having to live debug the said applications.
> As the error message that is being logged (subject of the case) suggests, you have a Nagios client application trying to activate the DCOM server on this machine with a lower authentication level.
> This is all due to the hardening behavior that will be changed in Q1 2022 so that, by default, any calls with the authentication level below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY will be rejected by the OS (not the application).
> Some applications may have implemented a mechanism (on the client-side) which detects if a call with a lower authentication level fails and then initiates a new one with a higher level. This means that you will see some 10036 events logged, but the application itself is actually working fine, without causing any problems.
> The idea of this event error is to track down the applications that are not using the more secure authentication levels and to reach out to your internal teams or 3rd party vendor/developer maintaining them.
> P.S: There are 7 authentication levels in total, from 0 to 6 and the only one that should still be used to avoid any issues is level 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY).
Authentication-Level Constants (Rpcdce.h) - Win32 apps | Microsoft Docs
Thanks in advance
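Added example, not part of the original post or of Microsoft's reply: a small Python triage script that tallies event ID 10036 messages by account and source address, so the monitoring hosts still activating DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY can be listed for the vendor. The message wording matched by the regex is an assumption about how the event text reads, and the accounts, SIDs and addresses in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Assumed wording of the event ID 10036 message text; adjust the pattern
# if the text exported from your System log differs.
EVENT_10036 = re.compile(
    r"does not allow the user (?P<user>\S+) SID \((?P<sid>[^)]+)\) "
    r"from address (?P<addr>\S+) to activate DCOM server"
)

def tally_low_auth_clients(messages):
    """Count 10036 events per (user, source address); skip unrelated lines."""
    hits = Counter()
    for msg in messages:
        m = EVENT_10036.search(msg)
        if m:
            hits[(m["user"], m["addr"])] += 1
    return hits

def noisiest(messages, top=5):
    """Return the callers producing the most 10036 events, highest first."""
    return tally_low_auth_clients(messages).most_common(top)

# Constructed sample messages (placeholder domain, SIDs, documentation IPs).
TEMPLATE = (
    "The server-side authentication level policy does not allow the user "
    "{user} SID ({sid}) from address {addr} to activate DCOM server. "
    "Please raise the activation authentication level at least to "
    "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
)
SAMPLE = [
    TEMPLATE.format(user=r"EXAMPLE\svc_nagios", sid="S-1-5-21-0-0-0-1001",
                    addr="192.0.2.10"),
    "The Example service entered the running state.",  # unrelated event text
    TEMPLATE.format(user=r"EXAMPLE\svc_backup", sid="S-1-5-21-0-0-0-1002",
                    addr="192.0.2.25"),
    TEMPLATE.format(user=r"EXAMPLE\svc_nagios", sid="S-1-5-21-0-0-0-1001",
                    addr="192.0.2.10"),
]

if __name__ == "__main__":
    for (user, addr), count in noisiest(SAMPLE):
        print(f"{count:4d}  {user}  from {addr}")
```

As the reply notes, a client that retries at a higher level still logs 10036 while working, so a non-zero count identifies callers to follow up on rather than confirmed failures.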