DC Agent cannot retrieve user data after Windows update
- Article Number: 000008798
- Products: Forcepoint URL Filtering, Forcepoint Web Security, TRITON AP-WEB, Web Filter & Security, Web Security Gateway, Web Security Gateway Anywhere, Web Security and Web Filter
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.3, 7.2, 7.1, 7.0, 6.3
- Last Published Date: July 22, 2020
Notes & Warnings
Important If you are on version 8.4 or higher, or already have the 8.2 or 8.3 hotfix installed and DC Agent is not identifying users as expected, see DC Agent for 8.4 and Higher Troubleshooting.
Some organizations using DC Agent for user identification with any Forcepoint web security solution may discover that some users' policies may not be correctly applied after the installation of MS16-072 (released in June 2016; KB3159398). This occurs because the Windows update interferes with DC Agent's ability to add information to the user map. This update may cause issues when applied to the TRITON management server, domain controllers, and/or user workstations.
If you use DC Agent for user identification – either as the primary or a backup method for proxy authentication or Logon Agent, please be aware of the following situations in which DC Agent can be affected adversely:
Consider these mitigation tactics to initiate end-user logon sessions:
Consider these mitigation tactics to ensure the correct policy is used when users cannot be identified:
Reliable Alternatives to DC Agent
At organizations that encounter any difficulties with DC Agent,the following alternatives are highly effective:
To determine whether the DC Agent issue is caused by the Windows update, first verify whether Microsoft Windows update MS16-072 (kb3159398) is installed.
Determine whether Microsoft Windows update MS16-072 (kb3159398) is installed
On each server that hosts TRITON Manager, DC Agent, or a Domain Controller:
For version 8.4
Please review the notes under "About the hotfix" later in this article to ensure that your installation provides correct rights for directory object authentication. If Domain Admin is not already in use, Event Log Readers will need to be added to the domain Member of for the service account. See the instructions later in this article.
For version 8.3
For version 8.2
For versions 8.1 or earlier
About the hotfix
The hotfix makes these changes:
To ensure the hotfix functions correctly, ensure that all of the following conditions are true on each DC Agent server where the hotfix is installed:
Remember that some users will not be identified and will appear only as IP addresses when not authenticated with Active Directory:
UA; user identification; directory services; DCAgent; xid; dc agent; authentication; windows update; policy; MS16-072; 8.4