Katbert
New Contributor

Fortinet dcagent.dll vs LSA protection

After enabling LSA Protection mode (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL=1) on a Windows 2012 R2 domain controller, dcagent.dll stopped working. There are no events from this DC under the "view logon events" button on the Collector, no record for this domain controller under the "show monitored DCs" button, and the dcagent log is empty (enable_log=1 in HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent).

In Microsoft-Windows-CodeIntegrity/Operational event log - events CodeIntegrity 3033:

Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\dcagent.dll that did not meet the Microsoft signing level requirements.

My dcagent.dll version is 5.0.271

Maybe a newer version of dcagent.dll can work with LSA Protection mode?

Or if any dcagent.dll is incompatible with LSA Protection mode - add this to documentation?

victornakagomi
New Contributor II

Hi,
When Windows Local Security Authority (LSA) Protection is enabled, Windows blocks all 3rd party plugins, including Authlogics Domain Controller Agent, from accessing the Local Security Authority. This Windows feature was designed predominantly for desktop OS's to prevent malware from stealing password hashes, however, the feature is also available on Windows Server.

I recommend you disable LSA mode.

Victor Nakagomi
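
A diagnostic for the symptoms described in this thread, as an added example that is not part of either post and not Fortinet's code: it reads RunAsPPL, lists the modules that Code Integrity event 3033 reports as blocked from lsass.exe, and shows the Authenticode signer of dcagent.dll. It assumes English event text and the System32 location quoted in the question; the function name `ConvertFrom-CI3033Message` is hypothetical.

```powershell
# Added example: confirm that LSA protection is what blocks an LSA plug-in DLL.
# Run in an elevated PowerShell session on the domain controller.

# Parse the text of a CodeIntegrity 3033 event into process and blocked module.
function ConvertFrom-CI3033Message {
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'process \((?<Process>[^)]+)\) attempted to load (?<Module>.+?) that did not meet'
    if ($Message -match $pattern) {
        [pscustomobject]@{ Process = $Matches.Process; Module = $Matches.Module }
    }
}

# Offline check of the parser, using the event text quoted in the question.
$sample = 'Code Integrity determined that a process ' +
    '(\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load ' +
    '\Device\HarddiskVolume4\Windows\System32\dcagent.dll that did not meet ' +
    'the Microsoft signing level requirements.'
ConvertFrom-CI3033Message -Message $sample | Format-List

# 1. Is LSA protection configured? (no value present means it is not set)
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name RunAsPPL -ErrorAction SilentlyContinue
if ($lsa) { "RunAsPPL = $($lsa.RunAsPPL)" } else { 'RunAsPPL is not set' }

# 2. Which modules has Code Integrity refused to load into lsass.exe?
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033
    } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-CI3033Message -Message $_.Message } |
    Where-Object { $_.Process -like '*\lsass.exe' } |
    Group-Object -Property Module |
    Select-Object Count, Name

# 3. Who signed the DLL? This shows the Authenticode signer only; whether the
#    signature meets the level LSA protection requires is decided by Code
#    Integrity, which is what event 3033 records.
$dll = Join-Path $env:SystemRoot 'System32\dcagent.dll'
if (Test-Path $dll) {
    Get-AuthenticodeSignature -FilePath $dll |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
} else {
    "$dll not found"
}
```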