-
Title
Capture Agent not functioning when LSA Protection is enabled -
Description
The Password Capture agent from Quick Connect or the Active Roles Synchronization Service does not function, and logging is not generated even after it is enabled as per the troubleshooting steps.
When the Domain Controller boots, the System Event Viewer logs show the following error:
Event ID 16953
The password notification DLL CaptureAgentPasswordFilter failed to load with error 577. Please verify that the notification DLL path defined in the registry, HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages, refers to a correct and absolute path (:\\.) and not a relative or invalid path. If the DLL path is correct, please validate that any supporting files are located in the same directory, and that the system account has read access to both the DLL path and any supporting files. Contact the provider of the notification DLL for additional support.
The following error message may also show in the System Event Viewer Logs:
Event ID 3033
Code Integrity determined that a process (\PATH\lsass.exe) attempted to load \PATH\CaptureAgentPasswordFilter.dll that did not meet the Microsoft signing level requirements.
-
Cause
LSA Protection is enabled on the host Domain Controller.
This feature must be disabled in order for the Capture Agent to function, or upgrade to a version of the Active Roles Synchronization Service which supports LSA Protection.
-
Resolution
WORKAROUND
On the Domain Controller, open the registry and browse to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
LSA Protection is enabled by creating a 32-bit DWORD with the name RunAsPPL and setting it to a value of 1
In order for the Capture Agent to function:
- Delete the RunAsPPL entry
- Reboot the Domain Controller
NOTE: If this setting is enforced by a group policy, then the group policy must be disabled.
STATUS
Support for LSA Protection was implemented in the Active Roles Synchronization Service Capture Agent included with Active Roles 8.2.1 as Enhancement ID 125828.
-
Change Request
125828