
Troubleshooting for Windows 2008 R2 Event collection using Windows Vista Event Collector.

Created: 04 Jan 2012 • Updated: 05 Jan 2012 | 4 comments

Integrating Windows 2008 with SSIM using a domain account is always something of a milestone to achieve, because Microsoft has introduced an extra layer of security in the Windows 2008 OS.

So reading the event logs, which is the most important task in a security environment, is not easy.

The following are some standard troubleshooting steps that can be performed for the Windows Vista Event Collector:

1. Check whether FIPS (Federal Information Processing Standard) mode is enabled on the SSIM 4.7.1 agent; if it is, disable it.

2. If the Basic authentication mode is set to true for the WinRM (Windows Remote Management) service, set it to false, since we are integrating with a domain account.

3. The encryption type the collector tries to use for Kerberos authentication is rejected by the KDC (Key Distribution Center). This is the most important thing to check, as it is an environment-specific issue.

This is a common issue in environments where the DCs have been migrated from Windows 2003 to Windows 2008.

In such a case you either need to enable the encryption policies on your domain, which is really critical for any organization, because after applying these policies the password of every AD user has to be reset.

Or we can simply try the following settings for the user account that is being used for the Windows 2008 integration:

- Active Directory Users and Computers --> expand the domain --> Users --> right-click the user configured in the sensor's configuration and select Properties --> Attribute Editor --> select msDS-SupportedEncryptionTypes and enter the value 31

- Active Directory Users and Computers --> expand the domain --> Users --> right-click the user configured in the sensor's configuration and select Properties --> Attribute Editor --> userAccountControl --> set the value to 512

- Active Directory Users and Computers --> expand the domain --> Users --> right-click the user configured in the sensor's configuration and select Properties --> Account --> make sure that "Use Kerberos DES encryption types for this account" and "Do not require Kerberos preauthentication" are NOT selected

- reset the user's password (you can set it to the same value as the existing one) and make sure that the option "User must change password at next logon" is not selected

- from the collector machine, stop the agent

- delete the files krb5.properties and krb5.conf in c:\program files\symantec\event agent\collectors\

- open the config.xml file located in c:\program files\symantec\event agent\collectors\msvista and add the following:
    <props>
        <prop key="EncryptionTypes">rc4-hmac</prop>
    </props>
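To verify the account settings from the steps above before touching the collector, here is an added audit script (not part of the original post or of SSIM) that reads the sensor account's msDS-SupportedEncryptionTypes, userAccountControl and pwdLastSet attributes and reports anything that does not match. It assumes the RSAT ActiveDirectory module is available and that the account name passed in is a placeholder; the optional -Fix switch deliberately clears only the two Kerberos flags instead of overwriting the whole userAccountControl value with 512.

```powershell
# Added example, not SSIM code. Requires RSAT: Import-Module ActiveDirectory
Import-Module ActiveDirectory

# Documented userAccountControl flag bits
$UF_NORMAL_ACCOUNT   = 0x000200
$UF_USE_DES_KEY_ONLY = 0x200000   # "Use Kerberos DES encryption types for this account"
$UF_DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

# msDS-SupportedEncryptionTypes bits; the article's value 31 enables all five
$EncTypeBits = [ordered]@{
    'des-cbc-crc' = 1; 'des-cbc-md5' = 2; 'rc4-hmac' = 4
    'aes128-cts-hmac-sha1-96' = 8; 'aes256-cts-hmac-sha1-96' = 16
}

function Test-SsimCollectorAccount {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$Fix)

    $u = Get-ADUser -Identity $SamAccountName `
        -Properties 'msDS-SupportedEncryptionTypes', userAccountControl, pwdLastSet
    $uac = [int]$u.userAccountControl
    $enc = [int]$u.'msDS-SupportedEncryptionTypes'   # $null (unset) becomes 0

    $enabled  = @($EncTypeBits.Keys | Where-Object { $enc -band $EncTypeBits[$_] })
    $findings = @()
    # config.xml asks for rc4-hmac, so bit 4 must be set on the account
    if (-not ($enc -band 4)) { $findings += "rc4-hmac not in msDS-SupportedEncryptionTypes (value $enc)" }
    if ($uac -band $UF_USE_DES_KEY_ONLY) { $findings += 'USE_DES_KEY_ONLY is set' }
    if ($uac -band $UF_DONT_REQ_PREAUTH) { $findings += 'DONT_REQ_PREAUTH is set' }
    if (-not ($uac -band $UF_NORMAL_ACCOUNT)) { $findings += 'NORMAL_ACCOUNT bit (512) missing' }
    if ([int64]$u.pwdLastSet -eq 0) { $findings += '"User must change password at next logon" is set' }

    if ($Fix -and $findings.Count -gt 0) {
        # Narrower than the article's "set to 512": keep unrelated flags intact
        $newUac = ($uac -band (-bnot ($UF_USE_DES_KEY_ONLY -bor $UF_DONT_REQ_PREAUTH))) -bor $UF_NORMAL_ACCOUNT
        Set-ADUser -Identity $u -Replace @{
            'msDS-SupportedEncryptionTypes' = 31
            userAccountControl              = $newUac
        }
    }

    [pscustomobject]@{
        Account             = $u.SamAccountName
        EnabledEncTypes     = $enabled -join ','
        UserAccountControl  = ('0x{0:X}' -f $uac)
        Findings            = $findings
    }
}

# Placeholder account name; replace with the user from the sensor's configuration
Test-SsimCollectorAccount -SamAccountName 'svc-ssim-collector'
```

Run it once before and once after the steps above; an empty Findings list means the account side is consistent with the rc4-hmac setting in config.xml, so any remaining KDC rejection points at the domain policy or the collector host instead.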

Comments (4)

AR Sharma

Thanks for posting this article, this really helped me.

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

Syed Hussain - Compliance Devil

Very nice one

Thanks,

-Syed Hussain


If a post solves your problem, please flag it as solved. If you like an item, please give it a thumbs up vote.
Delson_DSouza

It's a good idea to have the latest WinRM version, 2.0, installed.
