FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sahmed_FTNT
Staff
Article Id 321596
Description This article describes the workarounds and the permanent fix for an FSSO authentication issue that appears after installing the Microsoft update KB5039227 (Windows Server 2022) or KB5039217 (Windows Server 2019).
Scope FSSO Collector Agent, FortiAuthenticator in FSSO agent mode, Microsoft Windows Server 2019 and 2022.
Solution

After installing KB5039227 on Windows Server 2022 or KB5039217 on Windows Server 2019, FSSO user identification breaks for end users: logon events are no longer collected from the updated servers.
In the Collector Agent (FSAE) -> Show Logon Users, the list of logged-on users is empty or inconsistent.

 

Impact

This impacts deployments in DC Agent mode and in Polling mode with 'Check Windows Security Event Logs'.
A monitored or polled server is affected only if it is Windows Server 2019 with KB5039217 installed or Windows Server 2022 with KB5039227 installed.

FortiAuthenticator deployments configured as the FSSO agent are impacted in the same way.

 

With Windows Security Event Log polling, the Collector Agent log contains entries similar to the ones below. The error code e=5 is the Win32 ERROR_ACCESS_DENIED: the account used by the collector can no longer open the Security event log on the updated server, so zero events are processed.
C:\Program Files (x86)\Fortinet\FSAE\CollectorAgent.log:

 

[15680] [I][LSPoller]DoPolling(ip=272D10AC, host=FORTINETLAB/W2k22.fortinetlab.net)-->
[15680] [D][EPPoller]Start to poll Active Directory sessions.
[15680] [E][EPPoller]Could not open the event log on:W2k22.fortinetlab.net (e=5)
[15680] [D][WIN32EPoller]query takes 0 milliseconds
[15680] [D][WIN32EPoller]Total 0 log event has processed
[15680] [I][EPPoller]DoIpLsiMapCleanup(): before=0, after=0
[15680] [D][EPPoller]Finish to poll Active Directory sessions

 

In DC Agent mode there are no error messages. The only symptom is that the DC Agents installed on Windows Server 2019 (with KB5039217) or Windows Server 2022 (with KB5039227) stop sending logon events to the Collector Agent.

 

No Impact

This does not impact deployments in Polling mode using 'Poll login sessions using Windows NetAPI' or 'Check Windows Security Event Logs using WMI'.

 

Workaround:

Possible workarounds are described below:

  • Change the Working mode to 'Poll login sessions using Windows NetAPI'.
  • Change the Working mode to 'Check Windows Security Event Logs using WMI'.
  • Uninstall the Microsoft update as described below and restart the server. Note that this also removes the security fixes shipped in that update, so treat it as a temporary measure until the permanent solution below is applied.


How to Remove the Installed Update:

Uninstall the recently installed update by following the steps in this related KB article: How to uninstall a Windows update.

 

Note

The update can only be removed if it was installed as an individual package. If it arrived as part of a cumulative update (CU) or a feature update, it cannot be removed in isolation.

 

If the WSUS server is in use:

A WSUS server can push update removals to domain computers. Remove the installed and approved updates from the Update Services management console:

  • Right-click the Updates branch and select Search from the menu.
  • Enter the KB number and select Find Now. In the list of matching updates for the different Windows versions, select the updates to remove and select Approve from the menu.
  • Select the computer group of interest and select Approved for Removal from the drop-down list.
  • The removal is applied at the next Windows Update cycle on the WSUS client. That cycle is scheduled by the WSUS policies and the 'Automatic Update detection frequency' setting, or can be triggered manually with wuauclt /detectnow (on Windows Server 2016 and later, wuauclt /detectnow is no longer honored; use UsoClient.exe StartScan or check for updates from the Windows Update panel instead). The update then appears in the Windows Update panel with the Uninstall prefix in its name.

After the update is uninstalled, a record of this event will appear in the Windows Update History log.
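The triage and removal steps above, as an added PowerShell example; it is not part of the Fortinet article or of the Collector Agent. It parses the CollectorAgent.log symptom shown in the Impact section, confirms with Get-HotFix which of the two updates a domain controller carries, and removes the update with wusa.exe (the third workaround). The host names, the sample log lines and the function names are constructed for illustration.

```powershell
# Added example (not from the Fortinet article): triage the symptom on the
# Collector Agent host and, where confirmed, apply the uninstall workaround
# on the DC. Host names and sample log lines are constructed for illustration.

# Symptom line in CollectorAgent.log:
#   "[EPPoller]Could not open the event log on:<host> (e=<win32 error>)"
# e=5 is the Win32 error ERROR_ACCESS_DENIED.
$SymptomPattern = '\[EPPoller\]Could not open the event log on:(?<Host>\S+) \(e=(?<Code>\d+)\)'

# The two updates named in the article (Server 2022 / Server 2019).
$AffectedKBs = 'KB5039227', 'KB5039217'

function Get-FssoPollFailure {
    # One object per failed poll: DC name, Win32 error code, and whether the
    # code is 5 (access denied), which is the signature of this issue.
    param([Parameter(Mandatory)] [string[]] $LogLines)
    foreach ($line in $LogLines) {
        if ($line -match $SymptomPattern) {
            [pscustomobject]@{
                Host         = $Matches.Host
                Code         = [int]$Matches.Code
                AccessDenied = ([int]$Matches.Code -eq 5)
            }
        }
    }
}

function Test-AffectedUpdate {
    # Asks the DC (Get-HotFix over WMI) which of the two updates it carries.
    # Needs network access to the DC and admin rights on it.
    param([Parameter(Mandatory)] [string] $ComputerName)
    $found = @(Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
               Where-Object { $AffectedKBs -contains $_.HotFixID })
    [pscustomobject]@{
        ComputerName = $ComputerName
        InstalledKBs = @($found.HotFixID)
        Affected     = ($found.Count -gt 0)
    }
}

function Remove-AffectedUpdate {
    # Run this on the DC itself (console or RDP); wusa.exe is known to fail
    # when launched through a WinRM remote session.
    # wusa only removes an update installed as a separate package: if the KB
    # came with a cumulative or feature update the call exits non-zero and the
    # registry fix under 'Permanent Solution' is the remaining option.
    param([Parameter(Mandatory)] [string] $KB, [switch] $Restart)
    $n = $KB -replace '^KB', ''
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "/uninstall /kb:$n /quiet /norestart" -Wait -PassThru
    # 0 = removed, 3010 = removed and reboot pending, anything else = failed
    if ($p.ExitCode -notin 0, 3010) { throw "wusa.exe exit code $($p.ExitCode)" }
    if ($Restart) { Restart-Computer -Force }
    $p.ExitCode
}

# --- Usage on the Collector Agent host ---
# Constructed sample; on a real host read the log instead:
#   $lines = Get-Content 'C:\Program Files (x86)\Fortinet\FSAE\CollectorAgent.log'
$lines = @(
    '[15680] [D][EPPoller]Start to poll Active Directory sessions.',
    '[15680] [E][EPPoller]Could not open the event log on:W2k22.fortinetlab.net (e=5)',
    '[15680] [D][WIN32EPoller]Total 0 log event has processed'
)
$failures = Get-FssoPollFailure -LogLines $lines
$failures | Format-Table -AutoSize

# For every DC that returned access denied, confirm the update is present and
# print the command to run on that DC (wusa.exe is run locally, see above).
foreach ($f in $failures | Where-Object AccessDenied) {
    $state = Test-AffectedUpdate -ComputerName $f.Host
    if ($state.Affected) {
        Write-Host "$($f.Host) has $($state.InstalledKBs -join ', '); run on the DC:"
        foreach ($kb in $state.InstalledKBs) {
            Write-Host "  Remove-AffectedUpdate -KB $kb -Restart"
        }
    }
}
```

Get-FssoPollFailure runs offline against the constructed lines; Test-AffectedUpdate and Remove-AffectedUpdate need a reachable DC and administrative rights. A DC that shows e=5 but carries neither update points at a different cause (for example a changed event log ACL or service account), and should be handled as a separate problem.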


Permanent Solution

  1. Create a new 'string value' registry entry under the following path.

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\

Entry name: Auth4
Entry type: REG_SZ
Entry value: dcagent

 


 

The attached registry file (dcagent_regsitry.reg) can be imported to simplify this step.  

 

Add this value on every server that the Collector Agent monitors, that is, each entry under Show Monitored DCs -> Select DC to monitor -> Select Domain Controllers for Monitoring User Logon Event, whether the server is monitored in DC Agent or Polling mode.
A reboot of the DC is required after the registry change.

 

  2. Install the FSSO Collector Agent interim build 0318. No General Availability version containing the fix is available yet; the interim release can be requested from the TAC team.
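The registry step of the permanent solution, as an added PowerShell example; it is not part of the Fortinet article or of the Collector Agent. It creates the Auth4 = dcagent value on each monitored DC, verifies the value type, and reboots only the DCs that were changed. The DC names are constructed placeholders; the key path, value name, type (REG_SZ) and data are those given above. The contents of the attached dcagent_regsitry.reg file are not shown on this page, so the .reg text written by Export-Auth4RegFile is an equivalent I constructed, not a copy of the attachment.

```powershell
# Added example (not from the Fortinet article): apply and verify the
# Auth4 = dcagent value on every monitored DC. DC names are placeholders.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$RegName = 'Auth4'
$RegData = 'dcagent'

function Set-FssoAuth4Value {
    # Creates or corrects the value on each DC over WinRM and returns the
    # before/after state so the change can be audited. Requires local admin
    # on the DCs (assumption).
    param([Parameter(Mandatory)] [string[]] $DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($Path, $Name, $Data)
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($before -ne $Data) {
            # REG_SZ is PropertyType 'String'; -Force overwrites a wrong value
            New-ItemProperty -Path $Path -Name $Name -PropertyType String `
                -Value $Data -Force | Out-Null
        }
        $key = Get-Item -Path $Path
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Before         = $before
            After          = $key.GetValue($Name)
            Kind           = $key.GetValueKind($Name)   # expect 'String'
            RebootRequired = ($before -ne $Data)
        }
    } -ArgumentList $RegPath, $RegName, $RegData
}

function Export-Auth4RegFile {
    # Writes a .reg file that sets the same value, for DCs where WinRM is not
    # available (import on the DC with: reg.exe import <file>).
    # This is a constructed equivalent of the attachment, not a copy of it.
    param([Parameter(Mandatory)] [string] $Path)
    $text = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
"$RegName"="$RegData"
"@
    # reg.exe expects ANSI or UTF-16 LE with BOM; 'Unicode' is UTF-16 LE.
    Set-Content -Path $Path -Value $text -Encoding Unicode
}

# --- Usage ---
# Constructed placeholders: replace with the DCs listed under
# Show Monitored DCs in the Collector Agent.
$monitoredDCs = 'dc01.fortinetlab.net', 'dc02.fortinetlab.net'

$result = Set-FssoAuth4Value -DomainController $monitoredDCs
$result | Format-Table Computer, Before, After, Kind, RebootRequired -AutoSize

# A DC reboot is required for the change to take effect; reboot only the DCs
# that were actually changed, one at a time, waiting for WinRM to come back.
foreach ($r in $result | Where-Object RebootRequired) {
    Restart-Computer -ComputerName $r.Computer -Force -Wait -For PowerShell -Timeout 900
}

# Optional: produce the .reg file for manual import on DCs without WinRM.
Export-Auth4RegFile -Path "$env:TEMP\fsso_auth4.reg"
```

Check the Kind column: a value created by hand as REG_EXPAND_SZ or REG_MULTI_SZ would show as ExpandString or MultiString rather than String, and the function above overwrites it because the comparison of the data still matches; if you need to enforce the type as well, compare $key.GetValueKind($Name) against 'String' before deciding that no change is required.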

     

If the symptoms above persist after applying the workarounds, open a ticket with TAC.

 

Related documents

Technical Tip: FSSO choose between DC Agent mode or Polling mode

https://catalog.update.microsoft.com/Search.aspx?q=KB5039217

https://catalog.update.microsoft.com/Search.aspx?q=KB5039227