Microsoft changes to Windows DCOM

  • 16 February 2021

Issue

Microsoft made changes to the Windows DCOM Server Security Feature effective 14 June 2022. If you have installed KB5004442, these changes are applied in your environment. Nintex completed testing with this feature and found no issues with the K2 products relating to these changes. However, if you see any of the following errors in the Event Viewer logs and experience issues with the K2 product, please reach out to support:


Server events

| Event ID | Message |
| --- | --- |
| 10036 | "The server-side authentication level policy does not allow the user %1%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application." |

(%1 – domain, %2 – user name, %3 – User SID, %4 – Client IP Address)

Client events

| Event ID | Message |
| --- | --- |
| 10037 | "Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor." |
| 10038 | "Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor." |

(%1 – Application Path, %2 – Application PID, %3 – CLSID of the COM class the application is requesting to activate, %4 – Computer Name, %5 – Value of Authentication Level)


Workaround

If you encounter any of the above messages, follow these steps:

Registry setting to enable or disable the hardening changes

During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
  • Value Name: "RequireIntegrityActivationAuthenticationLevel"
  • Type: dword
  • Value Data: 0x00000000 (default) means disabled; 0x00000001 means enabled. If this value is not defined, it defaults to disabled.

Important notes:

  • Value Data must be entered in hexadecimal format.
  • Restart your device after setting this registry key for it to take effect.
  • Enabling the registry key above makes DCOM servers enforce an authentication level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.
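As an added example (not part of the original post or of the K2 product), the following PowerShell audits a host for the three event IDs listed above, reports the current state of the RequireIntegrityActivationAuthenticationLevel value, and can set it; the -Days, -Enable and -Disable parameter names are assumptions.

```powershell
# Added example, not from the original post: audit a host for the DCOM hardening
# events above and report (optionally change) the AppCompat registry value.
# Run from an elevated PowerShell prompt; -Days, -Enable and -Disable are assumed names.
[CmdletBinding()]
param(
    [int]$Days = 7,
    [switch]$Enable,
    [switch]$Disable
)

$RegPath = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$RegName = 'RequireIntegrityActivationAuthenticationLevel'

# 1. Server-side (10036) and client-side (10037/10038) events are written to the
#    System log by the Microsoft-Windows-DistributedCOM provider.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No DCOM events 10036/10037/10038 in the last $Days day(s)."
} else {
    # 10036 means this host is the DCOM server rejecting a low-integrity activation;
    # 10037/10038 mean a local application will be rejected once enforcement is on.
    foreach ($group in ($events | Group-Object Id)) {
        Write-Host ("Event {0}: {1} occurrence(s)" -f $group.Name, $group.Count)
        $group.Group | Select-Object -Property TimeCreated, Message -First 3 | Format-List | Out-Host
    }
}

# 2. Current hardening state. A missing value means disabled (the pre-enforcement default).
$current = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
if ($null -eq $current) { Write-Host "$RegName not defined (hardening disabled by default)." }
elseif ($current -eq 1) { Write-Host "$RegName = 0x1 (hardening enabled: PKT_INTEGRITY required)." }
else                    { Write-Host "$RegName = $current (hardening disabled)." }

# 3. Optional change. The value is a DWORD of 0 or 1; a restart is required to apply it.
if ($Enable -or $Disable) {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    $value = if ($Enable) { 1 } else { 0 }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $value -Type DWord
    Write-Host "Set $RegName to $value. Restart the machine before re-testing."
}
```

Run it with no switches first to see whether the host is logging 10036 as a server or 10037/10038 as a client, then decide on the registry change.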


Related Links

For more information, please see KB5004442.
