-
Title
Capture Agent not functioning when LSA Protected Mode is enabled -
Description
The Password Capture agent from Quick Connect or the Active Roles Synchronization Service does not function, and logging is not generated even after it is enabled as per the troubleshooting steps.
When the Domain Controller boots, the System Event Viewer logs show the following error:
Event ID 16953
The password notification DLL CaptureAgentPasswordFilter failed to load with error 577. Please verify that the notification DLL path defined in the registry, HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages, refers to a correct and absolute path (
:\ \ . ) and not a relative or invalid path. If the DLL path is correct, please validate that any supporting files are located in the same directory, and that the system account has read access to both the DLL path and any supporting files. Contact the provider of the notification DLL for additional support. Further details can be found on the web at http://go.microsoft.com/fwlink/?LinkId=245898. The following error message may also show in the System Event Viewer Logs:
Event ID 3033
Code Integrity determined that a process (\PATH\lsass.exe) attempted to load \PATH\CaptureAgentPasswordFilter.dll that did not meet the Microsoft signing level requirements.
-
Cause
LSA Protection is enabled on the host Domain Controller.
This feature must be disabled in order for the Capture Agent to function.
-
Resolution
On the Domain Controller, open the registry and browse to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
LSA Protection is enabled by creating a 32-bit DWORD with the name RunAsPPL and setting it to a value of 1
In order for the Capture Agent to function:
- Delete the RunAsPPL entry
- Reboot the Domain Controller