
Troubleshooting for Windows 2008 R2 Event collection using Windows Vista Event Collector. 

Jan 05, 2012 02:50 AM

Integrating Windows 2008 with SSIM using a domain account is always something of a milestone to achieve,

because Microsoft introduced an extra layer of security in the Windows 2008 OS.

So reading the event logs, which is the most important part of a security environment, is not an easy task.

 

Following are some standard troubleshooting steps that can be performed for the Windows Vista Event Collector:

 

1. Check whether FIPS (Federal Information Processing Standard) mode is enabled on the SSIM 4.7.1 agent; if it is, disable it.

2. If the Basic authentication mode is set to true for the WinRM (Windows Remote Management) service, we need to set it to false, since we are integrating with a domain account.

4. The encryption type the collector is trying to use for Kerberos authentication is rejected by the KDC (Key Distribution Center). This is the most important thing to check, as it is an environment-specific issue.

This is a common issue in environments where the DCs have been migrated from Windows 2003 to Windows 2008.

In such a case you either need to enable the encryption policies on your domain, which is really critical for any organization,

since after applying these policies the password has to be reset for all AD users.

Or we can simply try the following settings for the user that is being used for the Windows 2008 integration.

- Active Directory Users and Computers --> expand the domain --> Users --> right-click the user configured in the sensor's configuration and select Properties --> Attribute Editor --> select msDS-SupportedEncryptionTypes and insert the value 31

- Active Directory Users and Computers --> expand the domain --> Users --> right-click the user configured in the sensor's configuration and select Properties --> Attribute Editor --> userAccountControl --> set the value to 512

- Active Directory Users and Computers --> expand the domain --> Users --> right-click the user configured in the sensor's configuration and select Properties --> Account --> make sure that "Use Kerberos DES encryption types for this account" and "Do not require Kerberos preauthentication" are NOT selected

- Reset the user's password (you can set the same one as the existing password) and make sure that the option "User must change password at next logon" is not selected


- From the collector machine, stop the agent

 

- Delete the files krb5.properties and krb5.conf in c:\program files\symantec\event agent\collectors\

 

- Open the config.xml file located in c:\program files\symantec\event agent\collectors\msvista and add the following, which pins the collector to the RC4-HMAC encryption type that the account was just configured to offer:
<props>
<prop key="EncryptionTypes">rc4-hmac</prop>
</props>
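The account and WinRM settings above are set by hand in the GUI, so it is easy to miss one of them. The following PowerShell script is an added example, not part of the original post or of the SSIM product: it reads back the collector's domain account with the ActiveDirectory module (RSAT) and reports which of the checks in the steps above still fail, and it reads the WinRM service's Basic authentication setting from step 2. The bit values for msDS-SupportedEncryptionTypes (DES-CRC 1, DES-MD5 2, RC4-HMAC 4, AES128 8, AES256 16, so 31 is all five) and for userAccountControl (NORMAL_ACCOUNT 512, USE_DES_KEY_ONLY 0x200000, DONT_REQ_PREAUTH 0x400000) are Microsoft's documented values; "User must change password at next logon" is stored as pwdLastSet = 0. The account name 'svc-ssim-collector' is a placeholder.

```powershell
# Added example: verify the collector's domain account and the WinRM service
# against the checks in the post. Assumes the ActiveDirectory module is installed
# and the caller can read the user object. 'svc-ssim-collector' is a placeholder.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (31 = all five bits set).
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x01
    'DES_CBC_MD5'             = 0x02
    'RC4_HMAC'                = 0x04
    'AES128_CTS_HMAC_SHA1_96' = 0x08
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}

# userAccountControl flags relevant to the checks (512 = NORMAL_ACCOUNT only).
$UacBits = [ordered]@{
    'NORMAL_ACCOUNT'       = 0x0200
    'DONT_EXPIRE_PASSWORD' = 0x10000
    'USE_DES_KEY_ONLY'     = 0x200000
    'DONT_REQ_PREAUTH'     = 0x400000
}

function Get-FlagNames {
    param([int64]$Value, [System.Collections.IDictionary]$Table)
    # Names of every bit in $Table that is set in $Value.
    $Table.Keys | Where-Object { ($Value -band $Table[$_]) -ne 0 }
}

function Test-CollectorAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties msDS-SupportedEncryptionTypes, userAccountControl, pwdLastSet
    $etypes   = [int64]$user.'msDS-SupportedEncryptionTypes'   # unset attribute -> 0
    $uac      = [int64]$user.userAccountControl
    $findings = @()

    # Step "msDS-SupportedEncryptionTypes = 31": config.xml pins the collector to
    # rc4-hmac, so at least the RC4_HMAC bit must be offered by the account.
    $offered = @(Get-FlagNames -Value $etypes -Table $EncTypeBits)
    if ($etypes -eq 0) {
        $findings += 'msDS-SupportedEncryptionTypes is unset; the KDC will use the domain default, which may exclude RC4'
    } elseif ($offered -notcontains 'RC4_HMAC') {
        $findings += "msDS-SupportedEncryptionTypes=$etypes does not include RC4_HMAC (offered: $($offered -join ','))"
    }

    # Step "userAccountControl = 512": DES-only and no-preauth must NOT be set.
    $uacFlags = @(Get-FlagNames -Value $uac -Table $UacBits)
    if ($uacFlags -contains 'USE_DES_KEY_ONLY') { $findings += '"Use Kerberos DES encryption" is selected' }
    if ($uacFlags -contains 'DONT_REQ_PREAUTH') { $findings += '"Do not require Kerberos preauthentication" is selected' }
    if ($uacFlags -notcontains 'NORMAL_ACCOUNT') { $findings += 'NORMAL_ACCOUNT (512) bit is not set' }

    # Step "reset password": a pending change-at-next-logon is stored as pwdLastSet = 0.
    if ([int64]$user.pwdLastSet -eq 0) { $findings += 'password change at next logon is pending (pwdLastSet = 0)' }

    [pscustomobject]@{
        Account            = $user.SamAccountName
        EncryptionTypes    = $etypes
        OfferedEtypes      = ($offered -join ',')
        UserAccountControl = $uac
        UacFlags           = ($uacFlags -join ',')
        Findings           = $findings
        Ok                 = ($findings.Count -eq 0)
    }
}

function Test-WinRMBasicAuth {
    # Run on the WinRM host: Basic must be false for domain-account (Kerberos) integration.
    $basic = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
    [pscustomobject]@{ BasicAuth = $basic; Ok = ($basic -eq 'false') }
}

# Usage (placeholder account name):
Test-CollectorAccount -SamAccountName 'svc-ssim-collector' | Format-List
Test-WinRMBasicAuth
```

If the account passes every check and the collector still fails to authenticate, look at the domain controller's Security log: a ticket request rejected for its encryption type is logged in event 4768 or 4771 with failure code 0xE (KDC_ERR_ETYPE_NOSUPP), which confirms that the etype mismatch described in step 4, rather than a credential problem, is the cause.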

Comments

Apr 20, 2013 02:40 AM

It's a good idea to have the latest winrm version 2.0 installed.

Mar 17, 2012 03:32 AM

Very nice one

Jan 10, 2012 01:09 AM

Thanks for posting this article, this really helped me.
