User-to-IP Mappings No Longer Appear in Cisco CDA after March 2017 Microsoft Update
Contents
Introduction
Background Information
Problem: User-to-IP Mappings No Longer Appear in Cisco CDA after March 2017 Microsoft Update
Potential Workarounds
Solution
Introduction
This document describes how to overcome the issue caused by the March 2017 Microsoft security update, which breaks CDA functionality: user mappings no longer appear in the SWT Context Directory Agent (CDA).
Background Information
Cisco CDA relies on Event ID 4768 being logged on all versions of Windows 2008 and 2012 domain controllers. These events indicate successful user logon events. If successful logon events are not audited in the local security policy, or if these event IDs are not logged for any other reason, then the WMI queries from CDA for these events return no data. As a result, user mappings are not created in CDA, and therefore no user mapping information is sent from CDA to the Adaptive Security Appliance (ASA). In cases where customers use user- or group-based policies from AD in Cloud Web Security (CWS), the user information does not appear in the whoami.scansafe.net output.
Note: This does not affect the Firepower User Agent (UA), since it uses event ID 4624 to create user mappings, and that type of event is not impacted by this security update.
Problem: User-to-IP Mappings No Longer Appear in Cisco CDA after March 2017 Microsoft Update
A recent Microsoft security update has caused issues in several customer environments, in which the domain controllers stop logging these 4768 event IDs. The offending KBs are listed below:
KB4012212 (2008) / KB4012213 (2012)
KB4012215 (2008) / KB4012216 (2012)
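As an added example that is not part of the Cisco document, the following PowerShell script, run on a domain controller, checks the three facts the diagnosis above depends on: whether one of the listed KBs is installed, whether success auditing is enabled for the Kerberos Authentication Service subcategory (the audit subcategory that produces Event ID 4768), and whether any 4768 events were logged recently. The KB numbers come from the document; the 24-hour lookback window is an assumption.

```powershell
# Added example (not from the Cisco document): triage why CDA's WMI queries
# for Event ID 4768 return nothing on this domain controller.
param(
    [int]$Hours = 24,   # lookback window (assumed; adjust to your environment)
    # KB numbers listed in the document for Windows 2008 / 2012 DCs
    [string[]]$SuspectKBs = @('KB4012212', 'KB4012213', 'KB4012215', 'KB4012216')
)

# 1. Is one of the offending March 2017 updates installed?
$installed = Get-HotFix | Where-Object { $SuspectKBs -contains $_.HotFixID }
if ($installed) {
    Write-Host "Suspect update(s) installed: $($installed.HotFixID -join ', ')"
} else {
    Write-Host "None of the listed March 2017 KBs are installed."
}

# 2. Is success auditing enabled for the subcategory that generates 4768?
#    4768 belongs to Account Logon > Kerberos Authentication Service.
$auditLine = auditpol /get /subcategory:"Kerberos Authentication Service" |
    Where-Object { $_ -match 'Kerberos Authentication Service' }
$setting = ($auditLine -replace '^\s*Kerberos Authentication Service\s+', '').Trim()
Write-Host "Kerberos Authentication Service auditing: $setting"
if ($setting -notmatch 'Success') {
    Write-Warning "Success auditing is off: 4768 cannot be logged regardless of the KB."
}

# 3. Are 4768 events actually being written? CDA depends on them.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } `
    -ErrorAction SilentlyContinue
$count = ($events | Measure-Object).Count
Write-Host "4768 events in the last $Hours h: $count"
if ($count -eq 0 -and $setting -match 'Success') {
    Write-Warning "Auditing is on but no 4768 events were logged: this matches the symptom described for the March 2017 update."
}
```

Run it in an elevated PowerShell session on each DC that CDA polls; a DC that reports a suspect KB plus zero 4768 events while success auditing is enabled is exhibiting the behaviour this document describes.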
To confirm that this issue is not caused by the logging configuration on the Domain Controller, make sure that the proper audit logging is enabled in the Local Security Policy. The bold items in the output below must be enabled for proper logging of 4768 event IDs. This should be run from the