topic RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism? in Product Forum

January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

bjwestwo — Wed, 12 Jan 2022 15:43:00 GMT

Hello all. On any desktop where the January 2022 Windows Security Patches have been installed, I can no longer sign into Blue Prism. On desktops where the security patch is not installed, everything works as normal. The patches were installed on 2 of my desktops last night but others have not been patched yet. We use single sign-on (AD setup). I get this error:

Error: Could not connect to '{connection name}'.

SOAP security negotiation with 'http://{appserver}.southernco.com:8187/bpserver' for target 'http:/{appserver}.southernco.com:8187/bpserver' failed. See inner exception for more details.

System.ComponentModel.Win32Exception: Either the client credential was invalid or there was an error collecting the client credentials by the SSPI.
at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetOutgoingBlobProxy.GetOutgoingBlob(ChannelBinding channelBinding)
at System.ServiceModel.Security.RequestSecurityToken.GetBinaryNegotiation()
at System.ServiceModel.Security.WSTrust.Driver.WriteRequestSecurityToken(RequestSecurityToken rst, XmlWriter xmlWriter)
at System.ServiceModel.Security.RequestSecurityToken.OnWriteTo(XmlWriter writer)
at System.ServiceModel.Security.RequestSecurityToken.WriteTo(XmlWriter writer)
at System.ServiceModel.Security.RequestSecurityToken.OnWriteBodyContents(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BodyWriterMessage.OnWriteBodyContents(XmlDictionaryWriter writer)

------------------------------
Brenton Westwood
Systems Analyst
Southern Company
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

EmmaBurns — Wed, 12 Jan 2022 15:46:00 GMT

We have experienced the same issue here as well. Have had to roll back the update, which is not ideal!

Edit: It was update KB5009543

------------------------------
Emma Burns
Ground Control Ltd
Europe/London
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

diane.sanzone — Wed, 12 Jan 2022 16:34:00 GMT

We have the same. Uninstalling the patches did help, and based on the "support" page, it seems BP is already aware and working on it. I also found this site which pulls out three patches included in the CU that are specifically "AD" related. We haven't gone to the level of uninstalling individual KBs yet, but perhaps this is a good place to start if you're not up for rolling back the whole thing:

https://dirteam.com/sander/2022/01/11/three-active-directory-vulnerabilities-were-addressed-during-microsofts-january-2022-patch-tuesday/

If anyone identifies the specific KB and can post it here, please do! I'll be sure to do the same as well.

Also, this was from our PC level event viewer log and might also help shed some light. I'm trying to get this over to BP support but, of course, having issues accessing the ticketing pages. Oh, the irony!

The Security System has detected a downgrade attempt when contacting the 3-part SPN

HTTP/[servernameremoved]:8199/BPServer

with error code "The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.

(0xc000018b)". Authentication was denied.

------------------------------
Diane Sanzone
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

steven.boggs — Wed, 12 Jan 2022 16:37:00 GMT

Hi Brenton,

Our latest updates and guidance for this scenario can be found in our Knowledge Base here: https://help.blueprism.com/Alerts/1784860762/Latest-on-Windows-updates-from-11th-January-2022-causing-authentication-issues-in-Blue-Prism.htm

This page will be continually updated as information about this becomes available.

------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

bjwestwo — Wed, 12 Jan 2022 16:38:00 GMT

Thanks and yes, Blue Prism Support is aware. I created a case and found that out as well. Also, removing the patch did allow things to get back to working on a desktop that I performed that operation on.

From the Control Panel > Programs > Programs and Features, I removed the KB5009545 Windows Security Update from a desktop that had the issue and after a restart and logging back into the desktop, Blue Prism launched and signed in!

After the uninstall, the KB5008206 Windows Security Update is listed.

------------------------------
Brenton Westwood
Systems Analyst
Southern Company
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

diane.sanzone — Wed, 12 Jan 2022 20:25:00 GMT

I've since learned from my desktop team that the KB will vary based on your Windows build, and that with Windows 10 you can no longer cherry pick which updates in the CU you can apply, so sadly posting the individual KB won't help here since there were only 2 this month.

We are monitoring the BP Alert on this and they indicated it's related to SSO configurations, so we're contemplating removing the AD authentication/SSO and just manually logging in. Another internal suggestion was to patch the desktops/resource VMs AND the supporting servers (only our desktops were patched last night - servers are still pending).

Has anyone tried this? If your developer/bot workstations are patched AND your BP server is patched AND your BP Database server is patched - does SSO configuration for the login agent work?

We need to coordinate like 4 different teams on our side to test this but we might do it tomorrow - I'll post the results if we do end up testing it but would appreciate any feedback from anyone else that already tried it.

Thanks!

------------------------------
Diane Sanzone
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

bjwestwo — Wed, 12 Jan 2022 21:55:00 GMT

If the patching of the servers breaks the desktops SSO, further Blue Prism development will end tonight. So, I guess I should have an answer late tonight. Thanks for posting this thought. Fingers crossed that the server patching does not break things. Wow.

------------------------------
Brenton Westwood
Systems Analyst
Southern Company
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

bjwestwo — Thu, 13 Jan 2022 05:21:00 GMT

Tonight our Blue Prism Evaluation and Development servers got the Windows Security Patches installed (KB5009546). My client and runtime desktops did not have the patch and the desktops were able to connect to Blue Prism after the server patching. Thus, the desktop and server patches do not need to be in synch, it appears.

After the patching of our Evaluation and Development servers, I tried to connect to those environments from a desktop that has the new January Windows Security Patch (KB5009545 on the desktop). The connection did not work on the patched desktop. Yet, the connection worked on the desktop for which I had removed the January Windows Security Patch after the servers were patch (as alluded to above).

------------------------------
Brenton Westwood
Systems Analyst
Southern Company
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

diane.sanzone — Thu, 13 Jan 2022 12:18:00 GMT

Thanks for the information, Brenton! We're likely moving forward with the server patching of our test environment today. Good to know that I'll still probably be able to develop afterward. Our next thought is to temporarily disable the SSO configuration pending a more permanent fix from BP. Our IT security department is super strict so we can't afford to wait long without these patches applied.
I'll be sure to keep posting any information I have here. Hoping BP gets us all a real fix soon!

------------------------------
Diane Sanzone
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

AP.Philippa — Fri, 14 Jan 2022 08:50:00 GMT

Hi Steve,

Is it already known when we can expect a hot-fix patch from Blue Prism to be released?
For now we have been able to roll back the Security Windows update, however this is not a sustainable solution.

Thanks in advance!

With kind regards,

------------------------------
Arthur Philippa
RPA Developer
Port of Rotterdam
Europe/Amsterdam
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

steven.boggs — Fri, 14 Jan 2022 14:36:00 GMT

Arthur,

Our Knowledge Base article about this will contain the most recent information.

It should be noted that automatically applying O/S-level patches/updates in environments which handle automation (especially Production environments) is not a best-practice as outlined in our ROM. System-level updates/patches/changes should always be tested thoroughly in lower environments first to ensure they do not hinder automation performance before they are implemented in Production.

Microsoft has removed this patch from their auto-update, the investigation is ongoing, and we are updating our customer-facing documentation with the latest information as it is available.

------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

GyulaEgyed — Mon, 17 Jan 2022 12:03:00 GMT

Hi Steve,

Do you have any link, communication from Microsoft that the patch was removed from auto-update? I would send it to our IT security department.
We have problem with the following patch: KB5009545

Kind regards,
Gyula

------------------------------
Gyula Egyed
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

gabor.kontha — Tue, 18 Jan 2022 08:51:00 GMT

Same situation here.

Symptom: Automate.exe cannot start, but asks for authentications.
Same event in event logs:
"

The Security System has detected a downgrade attempt when contacting the 3-part SPN

HTTP/[servernameremoved]:8199/BPServer

with error code "The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.

(0xc000018b)". Authentication was denied.

"
Resolution: uninstall KB5009545 patch on the client.

------------------------------
Gábor Kontha
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

cesscabral — Tue, 18 Jan 2022 11:10:00 GMT

I've uninstalled KB5009545 for Windows10 and KB5009546 for Windows Server 2016, and the Automate.exe start working as usual.

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
Tlm: 966025853
Av. Fontes Pereira de Melo, 38/40
1069-300 LISBOA
meo.pt

AVISO DE CONFIDENCIALIDADE
Esta mensagem e quaisquer ficheiros anexos a ela contêm informação confidencial, propriedade da Altice Portugal e/ou das demais sociedades que com ela se encontrem em relação de domínio, Fundação Altice Portugal e ACS, destinando-se ao uso exclusivo do destinatário. Se não for o destinatário pretendido, não deve usar, distribuir, imprimir ou copiar este e-mail. Se recebeu esta mensagem por engano, por favor informe o emissor e elimine-a imediatamente.
Obrigado

Publico

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

vinodchinthakin — Wed, 19 Jan 2022 13:01:00 GMT

Hi All
I am facing same issue. I dont see KB5009545 and KB5009546 any of the patches mentioned previous posts. Can anyone suggest which patch I need to uninstall to resolve my issue.

Thanks in advance

------------------------------
vinod chinthakindi
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

diane.sanzone — Wed, 19 Jan 2022 13:28:00 GMT

Hi Vinod,

The KB will be specific to your build of the windows operating system. In my environment we have multiple different builds so we just uninstalled both cumulative updates from 11 Jan and everything started working. That said, Blue Prism has a fix for the issue on their alerts page. Try this link - it's the permanent fix and allows you to keep the security updates installed. We haven't done it yet, but we're hoping to today.

https://portal.blueprism.com/customer-support/support-center#/path/Alerts/1784860762/Latest-on-Windows-updates-from-11th-January-2022-causing-authentication-issues-in-Blue-Prism.htm

------------------------------
Diane Sanzone
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

vinodchinthakin — Wed, 19 Jan 2022 13:59:00 GMT

Hi @Diane Sanzone
Thanks for providing information and link.
As per my screenshot do you think I can uninstall KB5009557 which is recently updated patch on 12 Jan. Any suggestion here?
As per the article in above mentioned link, we need to seek IT team assistance which is difficult in my scenario(in my case Prod Env should be taken care by us, IT team will not interfere here). And first we need to check in non-prod Env where at present we are not facing the issue. so it might not help here.
Pls share your experience once you have fixed issue permanently using the article.

------------------------------
vinod chinthakindi
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

diane.sanzone — Wed, 19 Jan 2022 14:16:00 GMT

I'm sorry. I don't know for sure either way. All I can do is tell you we uninstalled both patches from that date and we were fine afterward. That said, it seems to me that the fix from BP is a lot less time consuming and will be a permanent fix. If you don't apply it now, when you install the February patches from Microsoft you'll likely be in the same boat (they're cumulative updates so I think each month includes all the stuff prior unless it's superseded).

After we test the BP fix in our environment I'll post the results. Hopefully that will help you.

------------------------------
Diane Sanzone
------------------------------

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

cesscabral — Wed, 19 Jan 2022 15:29:00 GMT

Check any Patch installed recently, this year.

Enter this command "View Update History"

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
Tlm: 966025853
Av. Fontes Pereira de Melo, 38/40
1069-300 LISBOA
meo.pt

Publico

RE: January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

cesscabral — Wed, 19 Jan 2022 16:10:00 GMT

Diane Sanzone is quite right. We have to apply the permanent fix.

But first I need to get help from the Domain Administrators, because it's not sufficient to have local Admin privilegdes.

And I have to check it first on quality environment.

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
Tlm: 966025853
Av. Fontes Pereira de Melo, 38/40
1069-300 LISBOA
meo.pt

Publico