Installing Microsoft's June 8th 2021 NTLM Elevation of Privilege Vulnerability patches may break the User-ID Agent's connection to Domain Controller(s)
When the Microsoft patches related to CVE-2021-31958 are installed on either the Windows Server(s) hosting the User-ID agent or the Domain Controller(s) being monitored by the User-ID agent (i.e., the patch is installed on one but not the other), the User-ID Agent can no longer connect to the Domain Controller(s) it is monitoring.
With the "Debug" log level enabled, UaDebug.log on the User-ID Agent shows the following error:
06/09/21 12:39:41:509[Debug 123]: OpenEventLog failed for DC abc.local(18.104.22.168) - Access is denied. <<<<<<<<<<<<<<<
On June 8th 2021, Microsoft released a set of patches in response to CVE-2021-31958 as part of its monthly patch release. One of the known issues in this update is:
"After installing this or later updates, apps accessing event logs on remote devices using certain legacy Event Logging APIs might be unable to connect. This issue might occur if the local or remote has not yet installed updates released June 8, 2021 or later."
The User-ID Agent uses the legacy OpenEventLog API to access event logs on the Domain Controller. Because of this, when the Windows server hosting the User-ID agent is patched with updates released June 8, 2021 (KB5003671) or later and the Domain Controller(s) it is monitoring are not (or vice versa), the User-ID agent may no longer be able to connect to the Domain Controller(s).
This issue does NOT happen if BOTH User-ID agent server and Domain Controller servers are patched with patches related to CVE-2021-31958 or later.
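To see which Domain Controllers are hit by this failure, the following added example (not Palo Alto Networks or Microsoft code) scans UaDebug.log lines for the OpenEventLog "Access is denied" error described above and groups the hits per DC. The line format is assumed from the single log line quoted in this article; the hostnames, addresses and sample lines are constructed.

```python
import re
from datetime import datetime

# Line format assumed from the one UaDebug.log entry quoted in the article:
# MM/DD/YY HH:MM:SS:mmm[Level N]: OpenEventLog failed for DC host(ip) - reason
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):\d{3}\[\w+\s+\d+\]: "
    r"OpenEventLog failed for DC (?P<host>[^\s(]+)\((?P<ip>[^)]+)\) - "
    r"(?P<reason>[^<]+?)\s*<*\s*$"  # tolerate a trailing '<<<<' highlight marker
)

# Constructed sample lines (not taken from a real agent).
SAMPLE = """\
06/09/21 12:39:41:509[Debug 123]: OpenEventLog failed for DC dc1.example.test(192.0.2.10) - Access is denied. <<<<<<<<<<<<<<<
06/09/21 12:39:42:012[Debug 123]: OpenEventLog failed for DC dc2.example.test(192.0.2.11) - Access is denied.
06/09/21 12:40:41:600[Debug 123]: OpenEventLog failed for DC DC1.example.test(192.0.2.10) - Access is denied.
06/09/21 12:40:42:101[Debug 123]: OpenEventLog failed for DC dc3.example.test(192.0.2.12) - The RPC server is unavailable.
06/09/21 12:40:43:000[Info 45]: constructed unrelated line
"""


def denied_dcs(lines):
    """Return {dc_host: {ip, count, first, last}} for access-denied failures only.

    OpenEventLog failures with any other reason are skipped, since they do not
    match the symptom this article describes.
    """
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or "access is denied" not in m["reason"].lower():
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
        rec = hits.setdefault(
            m["host"].lower(),  # DC names are case-insensitive
            {"ip": m["ip"], "count": 0, "first": ts, "last": ts},
        )
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hits


if __name__ == "__main__":
    for host, rec in sorted(denied_dcs(SAMPLE.splitlines()).items()):
        print(f"{host} ({rec['ip']}): {rec['count']} failures, "
              f"{rec['first']:%Y-%m-%d %H:%M:%S} to {rec['last']:%Y-%m-%d %H:%M:%S}")
```

Each DC reported here is one whose patch level should be compared with that of the server hosting the User-ID agent.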
To resolve this issue, apply one of the following workarounds:
1. Roll back the patches on this list that have been applied (OR)
2. Install the relevant patches on this list on BOTH the servers hosting the User-ID agent and the Domain Controller(s) it is monitoring.
All affected KBs are listed below. The list can also be found on this Microsoft page: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31958