Receiving Windows System events 100366 in your LDAP server triggered by Interscan Web Security Virtual Appliance (IWSVA)

Product / Version includes:

Interscan Web Security Virtual Appliance 6.5

Last updated: 2025/05/08

Solution ID: KA-0012718

Category: Configure , Troubleshoot

Summary

After installing latest Microsoft Windows patches you observe multiple Windows System Events (code 100366) in your LDAP server with messages similar to the ones below triggered by IWSVA:
The server-side authentication level policy does not allow the user xxxxxxxxxxxxxx from address xxxxxxx to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

The following Microsoft KB article explains this behavior:
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

A workaround to fix this issue is to disable the WMIDaemon (WMI authentication) in IWSVA by following the steps below:

1. SSH into IWSVA as root
2. Enter enable mode using the command below
# su enable

3. Enter the following command to disable the WMI module
enable # configure module ldap trans_auth disable

4. Exit enable mode
# exit

5. Monitor the LDAP server.

Note: This will not affect IWSVA authentication because this is a secondary daemon. The main Authentication daemon will still be able to query the LDAP server. This procedure will leave IWSVA unavailable for 5 to 10 minutes so plan accordingly.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Receiving Windows System events 100366 in your LDAP server triggered by Interscan Web Security Virtual Appliance (IWSVA)

Receiving Windows System events 100366 in your LDAP server triggered by Interscan Web Security Virtual Appliance (IWSVA)

Product / Version includes:

Summary