Recently I came across this issue and decided to write a quick post on it. Cisco Firepower User Agent stopped sending authentication logs to FMC and rules based on user ID started failing. Looking at the Windows and Agent logs I discovered this error: “A call to SSPI failed, see inner exception”.
Components:
Firepower Management Center: 6.0.1.2
Firepower User Agent for AD v2.3.10
The fix was simply to uninstall the Microsoft updates KB3161606 and KB3161608 (do not forget to prevent them from reinstalling). In some cases this is not enough; to fix the issue, proceed with the registry tweak described here. A quick synopsis is below:
Changes made to the Windows registry happen immediately, and no backup is automatically made. Do not edit the Windows registry unless you are confident about doing so.
To edit the registry entry, follow these steps:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\
3. On the Edit menu, point to New, click Key, and name the new key “Diffie-Hellman”.
4. Navigate to the new key.
5. On the Edit menu, point to New, and then click DWORD Value.
6. Type ClientMinKeyBitLength for the name of the DWORD, and then press Enter.
7. Right-click ClientMinKeyBitLength, and then click Modify.
8. In the Value data box, type 00000200 (keep this in hexadecimal format), and then click OK.
Note that 0x200 is 512: this tells the Windows TLS client (SChannel) to accept Diffie-Hellman groups as small as 512 bits again, which is exactly the weak setting the updates removed. Treat it as a temporary workaround on this host only and remove the value once the FMC side negotiates a stronger group.
Restart the User Agent service and everything will start working again. Confirm that authentication logs are arriving on FMC under Analysis > Users > User Activity.
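The same procedure as a PowerShell script, added here as an example and not part of the original post or any Cisco tooling. It checks whether the two updates are installed, saves the current ClientMinKeyBitLength so the change can be reverted with -Revert, creates the Diffie-Hellman key and DWORD from the steps above, and restarts the agent service. The service name and the backup file path are assumptions; verify the service name with Get-Service before running this in an elevated PowerShell on the User Agent host.

```powershell
# Added example, not from the original post. Run elevated on the User Agent host.
# Assumptions: the service name below is a placeholder (check with Get-Service),
# and the backup file location is arbitrary.
param(
    [string]$ServiceName = 'Cisco Firepower User Agent',   # assumption: verify with Get-Service
    [switch]$Revert
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$valueName = 'ClientMinKeyBitLength'
$backup    = Join-Path $env:ProgramData 'dh-minkeybits-backup.json'   # assumption: any writable path works

# 1. Report whether the updates named in the post are present, with the uninstall command.
foreach ($kb in 'KB3161606', 'KB3161608') {
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hit) {
        Write-Warning "$kb is installed (on $($hit.InstalledOn)); remove with: wusa.exe /uninstall /kb:$($kb.Substring(2)) /quiet /norestart"
    } else {
        Write-Host "$kb is not installed"
    }
}

if ($Revert) {
    # Put the value back the way it was (or delete it if it did not exist) and drop the backup.
    if (-not (Test-Path $backup)) { throw "No backup found at $backup; nothing to revert" }
    $saved = Get-Content $backup | ConvertFrom-Json
    if ($null -eq $saved.Value) {
        Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $saved.Value -Type DWord
    }
    Remove-Item $backup
    Write-Host "Reverted $valueName"
} else {
    # 2. regedit makes no backup, so record the current value (or $null) before changing it.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    @{ Value = $current } | ConvertTo-Json | Set-Content $backup

    # 3. Create the Diffie-Hellman key if needed and set the DWORD to 0x200 (512 bits).
    #    512-bit DH groups are weak; this is a temporary workaround, not a permanent setting.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 0x200 -Type DWord
}

# 4. Show the effective value, then restart the agent so SChannel picks it up.
$applied = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host ("{0} = 0x{1:X8} ({1} bits)" -f $valueName, [int]$applied)
Restart-Service -Name $ServiceName -ErrorAction Stop
```

Run it once without parameters to apply the workaround and once with -Revert after the FMC side has been upgraded, so the 512-bit minimum does not linger on the host.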