CDA - Identity Based Firewall / WMI error

MaDe
Level 1

Good day all,

We are in the process of testing the CDA feature, but we stopped after installing the CDA with the following error.

Log attributes

wmi-property
exception-stack
org.jinterop.winreg.smb.JIWinRegStub.winreg_OpenHKLM(JIWinRegStub.java:115)
org.jinterop.dcom.core.JIProgId.getIdFromWinReg(JIProgId.java:130)
org.jinterop.dcom.core.JIProgId.getCorrespondingCLSID(JIProgId.java:162)
org.jinterop.dcom.core.JIComServer.(JIComServer.java:413)
com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:39)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:83)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:171)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:203)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:599)

dc-hostname
DC1.domain.local/xxx.xxx.xxx.xxx

dc-name
DC1

exception-cause
jcifs.smb.SmbAuthException: Access is denied.

wmi-class
Win32_NTDomain

exception-message
Message not found for errorCode: 0xC0000022

wmi-property
DomainName

dc-username
servicecda


I found this discussion (https://supportforums.cisco.com/message/3657991#3657991) and followed the instructions, but it is not working.
Someone with a new idea?
Many thanks for any feedback.
Brgds Markus

11 Replies

Tarik Admani
VIP Alumni

Markus,

Are you installing this on a domain controller or a member server? What version is the server that you are installing this agent on to?

Here are a few requirements of the server:

For a DC running 2008 R2 you have to run SP1 or the following patch - http://support.microsoft.com/kb/981314

For regular 2008 (non-R2) - two patches are required - http://support.microsoft.com/kb/958124 and support.microsoft.com/kb/973995

Windows 2003 (non-R2) does not need patches, and Windows 2003 R2 is not supported.

See if the document helps:

https://supportforums.cisco.com/docs/DOC-20366

thanks

Tarik Admani

Hi Tarik,

Quick question: is CDA supported on a Read Only Domain Controller?

The base OS is running on Windows Server 2008 R2. Domain and functional level is set to Windows Server 2008 R2.

Thanks

Noel

eshabat
Level 1

Hey Markus,

Do you have a working AD Agent in this environment? What Windows version is that Domain Controller?

I've noticed you are using a user called servicecda, can you make sure this user has all the required permissions? You can find the required permissions here: http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_wrkng.html#wp1054050 under "Step 2".

I suggest if possible, that you first try with a user which is a member of the "Domain Admins" group, and see if that works for you.

Please let me know if that works for you.

Thanks,

Erez

Hi all,

We are using both for testing.

AD agent v1.0.0.32.1, build 598

This setup is working fine. The AD agent can access the DC with the service user <>

Cisco Context Directory Agent v 1.0.0.11

In this setup I got the error msg I described in my first post. Our DC Admin double-checked the permissions and everything is ok.

Our Domain Controller uses Windows Server 2008 R2 SP1 (x64). Also we changed the permissions for the <> user as described in the manual.

On Microsoft Windows 2008 R2, the account must also hold permissions to the following registry keys:

HKLM\Software\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} (only if this key exists)

This permission is not given to members of the Domain Admins by default, and must be added explicitly.


Many thanks for your feedback.
Brgds Markus



Markus,

After reading about the context directory agent, and seeing that it runs on linux as a standalone system, it seems almost parallel with ACS and ISE and their AD interoperability. Try to give the following some thought and if you are comfortable please give it a try.

The error in your screenshot matches the following I found on a forum:

In all cases, the event data contains the error. For example, error 0xC0000022 means that the computer account's password is invalid; error 0xC000018B means that the computer account has been deleted, and so on.

This could either mean that when CDA joined the domain, a domain computer account (most likely in the Domain Computers group) was created (very similar to ISE and ACS). Please have your AD admin (or yourself) check for any duplicate computer accounts in AD (that match the hostname of the CDA). If there aren't, then remove the AD configuration on the CDA and delete the computer account...then replicate to the entire domain.

Once the workstation account is deleted from the domain, re-enter the AD settings and see if that fixes your issue.

Thanks

Tarik Admani

Tarik,

Do you mean I must join the CDA to our AD Domain? I found nothing in the documentation about this.

Thanks Markus

Markus,

Based on the configuration here when adding Active Directory servers:

http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_wrkng.html#wp1053922

I don't know for a fact if the CDA is joining this appliance to the domain. ISE and ACS both run Linux and rely heavily on AD for user account validation. I am also basing this approach off of the error that you sent in your initial email. Take a peek at the Domain Computers group and see if the hostname for the CDA exists, then we can go from there.

Thanks,

Tarik Admani

Tarik,

The hostname is not in the Domain Computers group.

Thanks Markus

Hi guys,

There's no need to join the CDA machine to the domain and that option isn't available.

Markus, the issue you are facing can be caused either by a wrong username/password or by insufficient permissions for the user specified.

I suggest you try using a domain admin account just to verify that is indeed the case. Please notice that you will need to give the permissions you quoted previously to the domain admin user:

On Microsoft Windows 2008 R2, the account must also hold permissions to the following registry keys:

– HKLM\Software\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

– HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} (only if this key exists)

This permission is not given to members of the Domain Admins by default, and must be added explicitly.

Please let me know if it works using domain admin credentials.

Thanks,
Erez
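Both Markus's post and Erez's reply quote the same two CLSID keys that the CDA service account needs to read, and both say the DC admin "checked the permissions" without showing how. The script below is an added example, not code from this thread or from Cisco. It resolves the service account's token groups (via an S4U logon, so no password is needed) and then inspects the ACL on each key to report whether a Read ACE applies to the account directly or through one of its groups, which is how a "Domain Admins" member can still be denied when the key has no ACE for that group. The UPN is a placeholder; run it in an elevated PowerShell session on the domain controller that CDA is querying.

```powershell
# Added example (not from the thread or Cisco): verify that the CDA service
# account can read the CLSID keys quoted in the install guide.
# Assumptions: run elevated on the DC; the UPN is a placeholder for your account.
$Upn = 'servicecda@domain.local'   # placeholder, substitute your own service account

$Keys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}'
)

# An S4U logon on a domain-joined host yields the account's SID and token
# groups without needing the account's password.
$identity   = New-Object System.Security.Principal.WindowsIdentity($Upn)
$principals = @($identity.User) + @($identity.Groups)
$readKey    = [System.Security.AccessControl.RegistryRights]::ReadKey

function Resolve-Sid {
    # Translate an ACE's identity to a SID; unresolvable (orphaned) ACEs return $null
    param($IdentityReference)
    try   { $IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

foreach ($key in $Keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key : not present (the Wow6432Node key is optional on this OS)"
        continue
    }

    # Only ACEs whose principal is the account itself or one of its groups matter
    $relevant = (Get-Acl -Path $key).Access | Where-Object {
        $sid = Resolve-Sid $_.IdentityReference
        $null -ne $sid -and $principals -contains $sid
    }

    # A Deny ACE carrying any ReadKey bit overrides an Allow for the same bits
    $deny  = $relevant | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.RegistryRights -band $readKey) -ne 0
    }
    $allow = $relevant | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $readKey) -eq $readKey
    }

    if ($deny) {
        Write-Output "$key : DENY ACE for $($deny.IdentityReference -join ', ') blocks read access"
    } elseif ($allow) {
        Write-Output "$key : read access granted via $($allow.IdentityReference -join ', ')"
    } else {
        Write-Output "$key : no Read ACE for $Upn or any of its groups; add one explicitly"
    }
}
```

The check is deliberately made on the DC itself rather than through the CDA, so a "no Read ACE" result isolates the registry permission from the separate possibilities the thread raises (wrong password, DCOM/WMI rights). Membership in Domain Admins only helps if that group actually appears in the key's ACL, which is the point Erez's quote from the guide is making.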

Hi Erez,

Thanks for your answer. Our DC Admin checked the permissions on the registry and also added the account to the Domain Admins group. But unfortunately the problem still exists and I get the same error msg.

Thanks Markus

keithsauer507
Level 5

I see this was never resolved in 3 years' time. I have the same issue. No matter what Domain Admin account I use, I get an Audit Failure on the DC with error code 0xc000006a, which to me means incorrect password. I am using the correct password. NTLM2 is checked because that is what we use.
