Windows update breaks SSO event log readers (FSSO, PAN UIA, WG ELM)

Microsoft has released KB5003646 on the 6th of June 2021. Part of this update is a security hardening measurement to align with recommendations as a conclusion out of CVE-2021-31958.

As a known issue of this KB5003646, microsoft has noted in the release notes: “After installing this or later updates, apps accessing event logs on remote devices might be unable to connect.”

This is exactly what is happening on Fortinet FSSO (FSSO with FortiGate, as well as FSSO over the FortiAuthenticator) and Palo Alto Networks User-ID Agent. They are not working anymore after the installation of Update KB5003646.

First things first: To quickly solve the problem, just rollback update KB5003646. You can do this by deinstalling the Windows Update with this name.

Solution for Fortinet setups

FSSO solutions using Domain Controller agents (DCAgent) are not affected. Therefore, changing the polling mode to the DC-Agent mode in the FSSO solution solves the problem as well.

A change of the polling mode to polling over WMI api is working as well.

Fortinet has also shared the information, that the problem will be solved if the Windows updates on the DCs and the Collector servers are on the same patchlevel. Please also ensure, that your DC-Agent and Collector software are running on the latest version.

Solution for Palo Alto Networks setups

On the Palo Alto Netowork solution, this issue does NOT happen if BOTH User-ID Agent server and Domain Controller servers are patched with patches related to CVE-2021-31958 or later.

Solution for WatchGuard setups

By default, WatchGuard SSO with ELM uses legacy API calls to process user authentication requests.

To avoid issues with user authentication, you must: 

Switch to the non-legacy API (Microsoft Windows Event Log API) and restart the WatchGuard Authentication Gateway and WatchGuard Authentication Event Log Monitor services.

More information:


Leave a Reply

Your email address will not be published. Required fields are marked *