Monitoring stopped: Incorrect credentials or Insufficient permissions

Some of our monitored instances have suddenly disappeared from our Overview screen.  When looking in Configuration > Monitored Servers, we can see they are reporting that monitoring has stopped with the message "incorrect credentials or insufficient permissions" alongside all of them.

After double checking the account used for Redgate hadn't been dropped or its permissions changed, it seems that the servers in question have been patched recently and our Infrastructure team have provided the following information:

"After further investigation of above error logged on <servername>, this seems to be with regards to dcom hardening by Microsoft released in June 2022. In 2023 this feature will be enabled by default with no options to disable it.
 
https://support.microsoft.com/en-us/topic/june-14-2022-kb5014702-os-build-14393-5192-e60ac0e1-44a4-49f9-871f-7c25eb0e5bb1
 
This can be disabled via registry, however a reboot is required.

June 14, 2022Hardening changes enabled by default but with the ability to disable them using a registry key.

This will follow in 2023 so all systems need to be compatible by them.
March 14, 2023Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.
https://support.microsoft.com/en-us/topic/september-14-2021-kb5005573-os-build-14393-4651-48853795-3857-4485-a2bf-f15b39464b41
 
The following is latest, released in June 20222
https://support.microsoft.com/en-us/topic/june-14-2022-kb5014702-os-build-14393-5192-e60ac0e1-44a4-49f9-871f-7c25eb0e5bb1

 
The plan from MS is to enable by default with no ability to disable in 2023.
March 14, 2023Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

https://support.microsoft.com/en-us/topic/september-14-2021-kb5005573-os-build-14393-4651-48853795-3857-4485-a2bf-f15b39464b41
 June 14, 2022—KB5014702 (OS Build 14393.5192)"


Has anyone else experienced this issue due to the patch(es) detailed above and if so, is the registry fix the recommended approach?


Thanks,

Ric.

Answers

  • Alex BAlex B Posts: 1,158 Diamond 4
    Hi @jonesric,

    We have seen this in the last week or so when people have started applying the June 2022 monthly patch and the way to get things working again is to also update the Windows version for the server where you have the SQL Monitor Base Monitor service installed to the June 2022 patch (or later as it will be included each monthly one thereafter).

    Though it shouldn't have impacted our sampling since we use Packet Privacy for our sampler connections (which is higher than the Packet Integrity that is the minimum mentioned in the KB), it seems that the WMI sample does not work from older patch versions to the newer June 2022 patch version (even trying with WBEMtest outside of SQL Monitor), though it does work from the newer patch to the older versions.

    There are two other possibilities, one being to change the WMI connection from DCOM to WinRM, since WinRM isn't affected by the DCOM hardening changes.  The other, though not recommended, is to disable the hardening change that is being enabled by default.  This isn't recommended since in another year the change will be enabled with no way to disable it.

    I hope that helps clarify things!

    Kind regards,
    Alex
    Product Support Engineer | Redgate Software

    Have you visited our Help Center?
Sign In or Register to comment.