cancel
Showing results for 
Search instead for 
Did you mean: 

January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

BrentonWestwood
Level 5
Hello all.   On any desktop where the January 2022 Windows Security Patches have been installed, I can no longer sign into Blue Prism.   On desktops where the security patch is not installed, everything works as normal.   The patches were installed on 2 of my desktops last night but others have not been patched yet.   We use single sign-on (AD setup).   I get this error:   

Error: Could not connect to '{connection name}'.

SOAP security negotiation with 'http://{appserver}.southernco.com:8187/bpserver' for target 'http:/{appserver}.southernco.com:8187/bpserver' failed. See inner exception for more details.

System.ComponentModel.Win32Exception: Either the client credential was invalid or there was an error collecting the client credentials by the SSPI.
at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetOutgoingBlobProxy.GetOutgoingBlob(ChannelBinding channelBinding)
at System.ServiceModel.Security.RequestSecurityToken.GetBinaryNegotiation()
at System.ServiceModel.Security.WSTrust.Driver.WriteRequestSecurityToken(RequestSecurityToken rst, XmlWriter xmlWriter)
at System.ServiceModel.Security.RequestSecurityToken.OnWriteTo(XmlWriter writer)
at System.ServiceModel.Security.RequestSecurityToken.WriteTo(XmlWriter writer)
at System.ServiceModel.Security.RequestSecurityToken.OnWriteBodyContents(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BodyWriterMessage.OnWriteBodyContents(XmlDictionaryWriter writer)

------------------------------
Brenton Westwood
Systems Analyst
Southern Company
------------------------------
38 REPLIES 38

Arthur,

Our Knowledge Base article about this will contain the most recent information.

It should be noted that automatically applying O/S-level patches/updates in environments which handle automation (especially Production environments) is not a best-practice as outlined in our ROM. System-level updates/patches/changes should always be tested thoroughly in lower environments first to ensure they do not hinder automation performance before they are implemented in Production.

Microsoft has removed this patch from their auto-update, the investigation is ongoing, and we are updating our customer-facing documentation with the latest information as it is available.

------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------

Hi Steve,

Do you have any link, communication from Microsoft that the patch was removed from auto-update? I would send it to our IT security department. 
We have problem with the following patch: KB5009545 

Kind regards,
Gyula

------------------------------
Gyula Egyed
------------------------------

Same situation here.

Symptom: Automate.exe cannot start, but asks for authentications.
Same event in event logs:
"

The Security System has detected a downgrade attempt when contacting the 3-part SPN

 HTTP/[servernameremoved]:8199/BPServer

 with error code "The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.

(0xc000018b)". Authentication was denied.

"
Resolution: uninstall KB5009545 patch on the client.

------------------------------
Gábor Kontha
------------------------------

 

I've uninstalled KB5009545 for Windows10 and KB5009546 for Windows Server 2016, and the Automate.exe start working as usual.

 

27060.png

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
    Tlm: 966025853
Av.
Fontes Pereira de Melo, 38/40
1069-300 LISBOA

meo.pt

 

 

AVISO DE CONFIDENCIALIDADE
Esta mensagem e quaisquer ficheiros anexos a ela contêm informação confidencial, propriedade da Altice Portugal e/ou das demais sociedades que com ela se encontrem em relação de domínio, Fundação Altice Portugal e ACS, destinando-se ao uso exclusivo do destinatário. Se não for o destinatário pretendido, não deve usar, distribuir, imprimir ou copiar este e-mail. Se recebeu esta mensagem por engano, por favor informe o emissor e elimine-a imediatamente.
Obrigado

 

 


Publico



Hi All
I am facing same issue. I dont see KB5009545 and KB5009546 any of the patches mentioned previous posts. Can anyone suggest which patch I need to uninstall to resolve my issue.

Thanks in advance
27061.png


------------------------------
vinod chinthakindi
------------------------------

Hi Vinod,

The KB will be specific to your build of the windows operating system.  In my environment we have multiple different builds so we just uninstalled both cumulative updates from 11 Jan and everything started working. That said, Blue Prism has a fix for the issue on their alerts page. Try this link - it's the permanent fix and allows you to keep the security updates installed.  We haven't done it yet, but we're hoping to today.

https://portal.blueprism.com/customer-support/support-center#/path/Alerts/1784860762/Latest-on-Windows-updates-from-11th-January-2022-causing-authentication-issues-in-Blue-Prism.htm

------------------------------
Diane Sanzone
------------------------------

Hi @Diane Sanzone
Thanks for providing information and link.
As per my screenshot do you think I can uninstall KB5009557 which is recently updated patch on 12 Jan. Any suggestion here?
As per the article in above mentioned link, we need to seek IT team assistance which is difficult in my scenario(in my case Prod Env should be taken care by us, IT team will not interfere here). And first we need to check in non-prod Env where at present we are not facing the issue. so it might not help here.
Pls share your experience once you have fixed issue permanently using the article.

------------------------------
vinod chinthakindi
------------------------------

I'm sorry. I don't know for sure either way. All I can do is tell you we uninstalled both patches from that date and we were fine afterward.  That said, it seems to me that the fix from BP is a lot less time consuming and will be a permanent fix.  If you don't apply it now, when you install the February patches from Microsoft you'll likely be in the same boat (they're cumulative updates so I think each month includes all the stuff prior unless it's superseded).

After we test the BP fix in our environment I'll post the results. Hopefully that will help you.

------------------------------
Diane Sanzone
------------------------------

Check any Patch installed recently, this year.

Enter this command "View Update History"

 

27074.png

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
    Tlm: 966025853
Av.
Fontes Pereira de Melo, 38/40
1069-300 LISBOA

meo.pt

 

 

AVISO DE CONFIDENCIALIDADE
Esta mensagem e quaisquer ficheiros anexos a ela contêm informação confidencial, propriedade da Altice Portugal e/ou das demais sociedades que com ela se encontrem em relação de domínio, Fundação Altice Portugal e ACS, destinando-se ao uso exclusivo do destinatário. Se não for o destinatário pretendido, não deve usar, distribuir, imprimir ou copiar este e-mail. Se recebeu esta mensagem por engano, por favor informe o emissor e elimine-a imediatamente.
Obrigado

 

 


Publico



Diane Sanzone is quite right. We have to apply the permanent fix.

 

But first I need to get help from the Domain Administrators, because it's not sufficient to have local Admin privilegdes.

And I have to check it first on quality environment.

 

 

27082.png

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
    Tlm: 966025853
Av.
Fontes Pereira de Melo, 38/40
1069-300 LISBOA

meo.pt

 

 

AVISO DE CONFIDENCIALIDADE
Esta mensagem e quaisquer ficheiros anexos a ela contêm informação confidencial, propriedade da Altice Portugal e/ou das demais sociedades que com ela se encontrem em relação de domínio, Fundação Altice Portugal e ACS, destinando-se ao uso exclusivo do destinatário. Se não for o destinatário pretendido, não deve usar, distribuir, imprimir ou copiar este e-mail. Se recebeu esta mensagem por engano, por favor informe o emissor e elimine-a imediatamente.
Obrigado

 

 


Publico