Event ID 10036 error

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
davide.bonicelli
Posts: 134
Joined: Thu Feb 13, 2014 5:12 am

Event ID 10036 error

Post by davide.bonicelli »

Hi,
After installing KB5005573 on multiple Windows servers, they have started logging Event 10036 in the Event Viewer, telling us that the user Administrator (the one we use for the WMI monitor, who is a Domain Admin) isn't allowed to activate the DCOM server. These errors are the ones being logged in the Event Viewer (I've got them from the script that monitors errors in the System event log over the last hour).
CRITICAL - [Triggered by _ItemCount50] - 85 event(s) of Severity Level: Error, were recorded in the last 1 hours from the System Event Log. (List is on next line. Fields shown are - Logfile:TimeGenerated:EventId:EventCode:SeverityLevel:Type:SourceName:Message)
System:20210918082854.355762-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The server-side authentication level policy does not allow the user Administrator SID from address 10.10.10.99 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.\nSystem:20210918082854.355762-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The server-side authentication level policy does not allow the user Administrator SID from address 10.10.10.99 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.\nSystem:20210918082804.574392-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The server-side authentication level policy does not allow the user Administrator SID from address 10.10.10.99 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.\n

That's the command we use for the check:
/usr/local/nagios/libexec/check_wmi_plus.pl -H 10.10.10.132 -t 45 -u Administrator -p Passw0rd -m checkeventlog -a 'System' -o 1 -3 1 -w '30' -c '50'


I've tried to do as suggested here, but it has not fixed the problem:
https://www.csoonline.com/article/36221 ... ation.html

Add a registry key to test the impact of the upcoming enforcement of the hardening. First add the registry key of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat.
Add a value name of RequireIntegrityActivationAuthenticationLevel.
Enter “dword”.
Enter the value data as noted: default = not defined or 0x00000000 means disabled. 0x00000001 = enabled.


I've also tried to force NTLMv2 as in the following guide:
https://support.nagios.com/kb/article/n ... g-579.html

But the problem still happens. Any idea how I can fix this?
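The quoted plugin output has a fixed field layout, and the thread never pins down which monitoring host is behind the rejected activations. As an added example (not code from check_wmi_plus or from the original post), here is a Python parser for that layout that counts Event 10036 per user and client address; it assumes the positional layout actually visible in the quoted output (seven colon-separated values, with no separate Type column) and uses a constructed sample.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
# Constructed sample in the check_wmi_plus checkeventlog layout quoted above (records joined by a literal backslash-n).
SAMPLE_OUTPUT = (
    "CRITICAL - [Triggered by _ItemCount50] - 4 event(s) of Severity Level: Error, were recorded "
    "in the last 1 hours from the System Event Log. (List is on next line. Fields shown are - "
    "Logfile:TimeGenerated:EventId:EventCode:SeverityLevel:Type:SourceName:Message)\n"
    "System:20210918082854.355762-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The "
    "server-side authentication level policy does not allow the user Administrator SID from "
    "address 10.10.10.99 to activate DCOM server.\\n"
    "System:20210918082804.574392-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The "
    "server-side authentication level policy does not allow the user Administrator SID from "
    "address 10.10.10.99 to activate DCOM server.\\n"
    "System:20210918082700.000000-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The "
    "server-side authentication level policy does not allow the user DOMAIN\\User_Name SID "
    "(S-1-5-21-0-0-0-0) from address 12.34.45.78 to activate DCOM server.\\n"
    "System:20210918082600.000000-000:7034:7034:Error:Service Control Manager:The Example "
    "service terminated unexpectedly.\\n"
)

CIM_STAMP = re.compile(r"^\d{14}\.\d{6}[+-]\d{3}$")  # WMI CIM_DATETIME; last field is the UTC offset in minutes
USER_RE = re.compile(r"allow the user (.+?) SID")
ADDR_RE = re.compile(r"from address (\S+) to activate DCOM server")

def parse_cim_datetime(value):
    """yyyymmddHHMMSS.ffffff+UUU -> aware datetime (UUU is the UTC offset in minutes)."""
    stamp = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    return stamp.replace(tzinfo=timezone(timedelta(minutes=int(value[21:]))))

def parse_records(output):
    """Split plugin output into event dicts; the summary line and malformed records are skipped."""
    records = []
    for raw in re.split(r"\\n|\n", output):
        parts = raw.split(":", 6)  # only the first six colons delimit fields; the message keeps its own
        if len(parts) != 7 or not CIM_STAMP.match(parts[1]):
            continue
        _log, stamp, event_id, _code, severity, source, message = parts
        records.append({"generated": parse_cim_datetime(stamp), "event_id": event_id, "severity": severity, "source": source, "message": message})
    return records

def dcom_activation_sources(records):
    """Count Event 10036 per (user, client address): the address names the host whose WMI checks are being rejected."""
    counts = Counter()
    for rec in records:
        if rec["event_id"] != "10036" or rec["source"] != "Microsoft-Windows-DistributedCOM":
            continue
        user, addr = USER_RE.search(rec["message"]), ADDR_RE.search(rec["message"])
        counts[(user.group(1) if user else "?", addr.group(1) if addr else "?")] += 1
    return counts
```

Feeding the real plugin output to `dcom_activation_sources(parse_records(...))` shows which poller address and account are producing the rejections, so the responsible check can be found before the registry key or plugin is changed.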
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: Event ID 10036 error

Post by kfanselow »

Hi Davide,

Nagios support is currently looking into the changes made by Microsoft to the DCOM model and we will provide guidance as soon as it is available.

Thanks and my apologies for the brief response.
Keith
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: Event ID 10036 error

Post by kfanselow »

Hi Davide,

We have been working to replicate the problems you and other customers are observing, and we are passing the issue off to our development team for further review. In our testing we've been able to toggle the behavior off and on using the steps outlined in the article you provided, along with a reboot of the Windows system (reloading the registry wasn't sufficient). By setting the registry key to 0 we are able to authenticate and use WMI successfully; when it is set to 1 it fails. For future reference's sake, the key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel
Here's what we are seeing:
========================================
RequireIntegrityActivationAuthenticationLevel set to 0
========================================

# /usr/bin/perl -w /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.8.93 -u administrator -p REDACTED -m checkpage -w 90 -c 95


Overall Status - OK. Individual Page Files Detail: OK - C:\pagefile.sys Total: 704MB - Used: 112MB (16%) - Free: 592MB (84%), Peak Used: 137MB (19%) - Peak Free: 567MB (81%) |'C:\pagefile.sys Page File Size'=738197504B; 'C:\pagefile.sys Used'=117440512B; 'C:\pagefile.sys Utilisation'=16%;90;95; 'C:\pagefile.sys Peak Used'=143654912B; 'C:\pagefile.sys Peak Utilisation'=19%;

========================================
RequireIntegrityActivationAuthenticationLevel set to 1
========================================

# /usr/bin/perl -w /usr/local/nagios/libexec/check_wmi_plus.pl -H 192.168.8.93 -u administrator -p REDACTED -m checkpage -w 90 -c 95

UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next line.
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
vornado
Posts: 79
Joined: Wed Jun 13, 2018 9:17 am

Re: Event ID 10036 error

Post by vornado »

Hello.

I'm having the same issue on one of our servers. I added the registry key and set it to 0 but still get errors because the number of event log critical errors exceeds the threshold of 150.
The command:

/usr/local/nagios/libexec/check_wmi_plus.pl -H C210EARGT03 -A /usr/local/nagios/etc/auth.cfg -m checkeventlog -a 'System' -o 1 -3 8 -w '100' -c '150'

is followed by an error message:

CRITICAL - [Triggered by _ItemCount>150] - 578 event(s) of Severity Level: "Error", were recorded in the last 8 hours from the System Event Log. (List is on next line. Fields shown are - Logfile:TimeGenerated:EventId:EventCode:SeverityLevel:Type:SourceName:Message)|'Event Count'=578;100;150;

and a series of what I assume are event log entries like this:

System:20211012161717.979731-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The server-side authentication level policy does not allow the user DOMAIN\User_Name SID (S-1-5-21-0123456789-0123456789-0123456-01234) from address 12.34.45.78 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
System:20211012161717.979731-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The server-side authentication level policy does not allow the user DOMAIN\User_Name SID (S-1-5-21-0123456789-0123456789-0123456-01234) from address 12.34.45.78 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
System:20211012161524.697303-000:10036:10036:Error:Microsoft-Windows-DistributedCOM:The server-side authentication level policy does not allow the user DOMAIN\User_Name SID (S-1-5-21-0123456789-0123456789-0123456-01234) from address 12.34.45.78 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
...and several more.

Thanks to Nagios, we can see when the errors started to occur.
I hope to hear from the development team when this issue is resolved. For now, I changed the checking frequency from every 5 minutes to every 720 minutes.

Thanks and best regards,

Steve
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Event ID 10036 error

Post by benjaminsmith »

Hi Steve,

Appreciate the extra details and screenshots on this issue; very helpful.

We've filed an internal bug report on this issue here. I don't have a hard ETA for an update or solution, but it is in the queue.

Thanks!
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
vornado
Posts: 79
Joined: Wed Jun 13, 2018 9:17 am

Re: Event ID 10036 error

Post by vornado »

A little more info on this. I assumed it was the monitor reading the event log that was causing the errors. I changed the frequency of checks from every 5 minutes to every 720 minutes, but this did not reduce the number of errors. However, today I decided to deactivate a monitor that checks if a particular service is running (checkservice) on the affected server, and the errors stopped.

I hope this is helpful. Best regards.

Steve
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Event ID 10036 error

Post by benjaminsmith »

Hi Steve,

Appreciate the extra information on this one. Going to pass this along to the developer working on this issue.

Regards,
Benjamin
Skyward_IT
Posts: 2
Joined: Fri Jun 25, 2021 2:04 pm

Re: Event ID 10036 error

Post by Skyward_IT »

Has there been any more activity from the developers on this issue? We've just started seeing this on some of our servers. The suggested registry change doesn't seem to work to allow the WMI requests to function.
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: Event ID 10036 error

Post by kfanselow »

Hi All,

Our developers have been able to replicate the problem and are working on a solution. Unfortunately it seems Microsoft is rolling out these changes faster than we anticipated, and this is one of a number of changes they have made recently. We'll keep the thread open and let you know when we have more information.

Thanks and Best Regards,
Keith
simone.preite
Posts: 1
Joined: Thu Oct 14, 2021 5:39 am

Re: Event ID 10036 error

Post by simone.preite »

Hi everybody,
I am facing the same problem. For now, we excluded the services of the "Microsoft-Windows-DistributedCOM" type through the events.ini file.
I would like to ask if there is a defined time when the update that will solve the issue will be released.

Thanks