AD Query and Identity Logging do not work with Domain Controller on Windows Server 2022
Symptoms
  • The traffic is not matched to Identity Awareness Access Roles as expected.

  • SmartConsole logs from the Identity Awareness Gateway do not show User / Machine identities.

  • Output of the "adlog a dc" command on the Identity Awareness Gateway shows:

    [Expert@IDA_GW:0]# adlog a dc
    Domain controllers:
    Domain Name              IP Address                Events (last hour)   Connection state
    ===========================================================================================================
    <Name of Domain>        <IP Address>               0                    connection had internal error [ntstatus = 0x80010111]
    
    Ignored domain controllers on this gateway:
    No ignored domain controllers found.
    [Expert@IDA_GW:0]#
    
  • Output of the "adlog l dc" command on the Management Server shows:

    [Expert@MGMT:0]# adlog l dc
    Domain controllers:
    Domain Name              IP Address                Events (last hour)   Connection state
    ===========================================================================================================
    <Name of Domain>        <IP Address>               0                    bad credentials or firewall blocks DCOM traffic [ntstatus = 0xc0000022]
    
    Ignored domain controllers on this gateway:
    No ignored domain controllers found.
    [Expert@MGMT:0]#
    
  • When configuring the Identity Awareness Software Blade for the first time and selecting AD Query in the Identity Awareness Configuration wizard, the connectivity test might fail with this error:

    User is not a domain administrator, as such AD Query will not work.
    Click back and chose another authentication method.
    
Cause

Issue in Microsoft Windows Server 2022.


Solution

Procedure

Follow these steps to apply the Microsoft fix:

  1. Download and install one of these updates on your Windows server:

  2. Download the Known Issue Rollback (KIR) from here and install it.

    Notes about the KIR:

    • This KIR is needed until the CU scheduled for the second week of April 2023 is released; that CU includes the fix itself, so it no longer has to be enabled through the KIR.

    • The KIR is necessary for all servers with one of these installed:

      • The CU mentioned above (dated 10 January 2023)
      • A CU released after that (examples: the CU dated 14 February 2023 and the CU scheduled for the second week of March 2023).

  3. After you install the KIR, you must enable it:

    1. On the Windows server, run this command:

      gpedit.msc

    2. In the Local Group Policy Editor window, go to Computer Configuration > Administrative Templates > KB5022291 221215_03057 Feature Preview > Windows Server 2022.

    3. Open the KB5022291 221215_03057 Feature Preview setting.

    4. Select Enabled and click OK.

  4. Reboot the Windows server.
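The following PowerShell script is an added verification aid, not part of this SecureKnowledge article and not Check Point or Microsoft tooling. Run it in an elevated session on the Windows Server 2022 domain controller after step 4 to confirm that each step of the procedure took effect before re-testing with "adlog a dc" on the Identity Awareness Gateway. It assumes (none of this is stated on the page) that KB5022291 is the 10 January 2023 CU named in the policy path, that Known Issue Rollback policies record their override under the FeatureManagement\Overrides registry key, and that the KIR package installs policy template files under PolicyDefinitions whose text contains the token 221215_03057.

```powershell
# Added example: check that the CU, the KIR template, the KIR policy override
# and the reboot from the procedure above are all in place on this server.
# Assumptions (not from the article): KB5022291 is the 10 January 2023 CU;
# KIR policies write overrides under the Overrides key below; the KIR MSI
# drops .admx/.adml files containing the policy token into PolicyDefinitions.

$CuId        = 'KB5022291'
$PolicyToken = '221215_03057'
$OverrideKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$AdmxDir     = Join-Path $env:SystemRoot 'PolicyDefinitions'

$results = [ordered]@{}

# Step 1: the Microsoft fix only applies to Windows Server 2022, and the
# January 2023 (or later) cumulative update must be installed.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Server 2022']      = $os.Caption -match 'Server 2022'
$results['CU installed']     = [bool](Get-HotFix | Where-Object HotFixID -eq $CuId)

# Step 2: the KIR package ships the policy template; without it the
# "Feature Preview" setting never appears in gpedit.msc.
$templateHits = Get-ChildItem -Path $AdmxDir -Recurse -Include '*.admx','*.adml' -ErrorAction SilentlyContinue |
    Select-String -Pattern $PolicyToken -List -Quiet
$results['KIR ADMX present'] = [bool]$templateHits

# Step 3: enabling the policy writes an override value. The value name is
# KIR-specific, so list whatever is present instead of hard-coding it.
$overrides = @()
if (Test-Path $OverrideKey) {
    $overrides = @((Get-Item $OverrideKey).GetValueNames())
}
$results['KIR override set'] = $overrides.Count -gt 0

# Step 4: the change needs a reboot; these two servicing flags indicate
# that one is still outstanding.
$results['Reboot pending'] =
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

# Print a one-line status per check; every line except "Reboot pending"
# should read True once the procedure is complete.
$results.GetEnumerator() | ForEach-Object { '{0,-18} : {1}' -f $_.Key, $_.Value }
if ($overrides.Count -gt 0) {
    "Override values under ${OverrideKey}: $($overrides -join ', ')"
}
```

If "KIR override set" is False although the policy shows Enabled in gpedit.msc, run gpupdate /force and check again; if it remains False, the template and the policy path in step 3 do not match the installed KIR package.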

Workarounds

These workarounds are also available:

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
