Technical Tip: FSSO breaks after installing Microsoft KB5039227 or KB5039217 update

After Installing KB5039227 on Server 2022 or KB5039217 on Server 2019, authentication breaks for end users.
Under the FSAE -> Show Logon Users: An empty or inconsistent list of authentication events. 

Impact: 

This impacts deployments set in DC Agent Mode and Polling Mode - Windows Security Event Logs.
The monitored server being polled must be a Windows server 2019 or 2022 with KB5039227 or KB5039217 installed. 

This impacts FortiAuthenticator deployments set as FSSO Agent. 

On Windows Security Event Log polling, a similar log will be found as the one below as a symptom of the failure:
C:\Program Files (x86)\Fortinet\FSAE\CollectorAgent.log:

[15680] [I][LSPoller]DoPolling(ip=272D10AC, host=FORTINETLAB/W2k22.fortinetlab.net)-->
[15680] [D][EPPoller]Start to poll Active Directory sessions.
[15680] [E][EPPoller]Could not open the event log on:W2k22.fortinetlab.net (e=5)
[15680] [D][WIN32EPoller]query takes 0 milliseconds
[15680] [D][WIN32EPoller]Total 0 log event has processed
[15680] [I][EPPoller]DoIpLsiMapCleanup(): before=0, after=0
[15680] [D][EPPoller]Finish to poll Active Directory sessions

On DC Agent Mode, there are no errors or symptoms other than the absence of logon events being sent from DC Agents installed on Windows Server 2019 or 2022 that had received KB5039227 on Server 2022 or KB5039217.

No Impact: 

This does not impact deployments set in Polling mode: NetAPI or WMI.

Workaround:

Possible workarounds are described below:

• Change the Working mode to 'Poll login sessions using Windows NetAPI'.
• Change the Working mode to 'Check Windows Security Event Logs using WMI'.
• Uninstall the Microsoft KB as described below and restart the server: 

How to Remove the Installed Update:

Uninstall the recently installed update by following the steps in this related KB article: How to uninstall a Windows update.

Note: 

It is only possible to remove the update if it was installed individually. If the update were part of a CU and Feature Update, removing the update in isolation would not be possible.

If the WSUS server is in use:

The WSUS server can install updates on domain computers. Remove the installed and approved updates from the Update Services management console.

• To do this, 'right-click' on the Updates branch and select Search from the menu.
• Enter the KB number to find and select Find Now. In the list containing the found updates for different versions of Windows, select the updates to remove and select Approve from the menu.
• Select the computer group of interest and select Approved for Removal from the drop-down list.
• After the Windows update procedure on the WSUS client-side (which is scheduled according to the WSUS policies and the synchronization frequency, which is set by the Automatic Update detection frequency parameter, or by starting the synchronization cycle manually by typing wuauclt/detectnow), the corresponding update will appear in the Windows Update panel with the Uninstall prefix in the name.

After the update is uninstalled, a record of this event will appear in the Windows Update History log.

Permanent Solution: 

1. Create a new 'string value' registry entry under the following path.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\

Entry name: Auth4
Entry type: REG_SZ
Entry value: dcagent

The attached registry file (dcagent_regsitry.reg) can be imported to simplify this step.  

This key must be added to the target server under Show Monitored DCs -> Select DC to monitor -> Select Domain Controllers for Monitoring User Logon Event -> DC Agent or Polling mode. 
A DC reboot is required after updating the registry.

2. Install the FSSO 5.0 build 0318.
   
   

If experiencing the symptoms described above and the workarounds are not working, log a ticket with TAC.  

Related documents: 

Technical Tip: FSSO choose between DC Agent mode or Polling mode

https://catalog.update.microsoft.com/Search.aspx?q=KB5039217

https://catalog.update.microsoft.com/Search.aspx?q=KB5039227