cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3253
Views
0
Helpful
2
Replies

Error message in Context Directory Agent, mapping doesn't work correctly.

Martin Ostberg
Level 1
Level 1

Hey guys!

We've started using the AD Agent a year back or so, and now we've migrated to CDA but we're having some issues.

We have 4 domain controllers and they are configured in CDA and show as OK, so all good there.

But the ip to username mapping is not working correctly, only some users get mapped.

And I get this in the log very frequently.

event-text

instance of __InstanceCreationEvent { SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 67, 0, 45, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 53, 0, 49, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 53, 0, 49, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}; TargetInstance = instance of Win32_NTLogEvent { Category = 9; CategoryString = "Account Logon"; ComputerName = "SEGRYDC2"; EventCode = 672; EventIdentifier = 672; EventType = 5; InsertionStrings = {"039s020", "GRYCKSBO.LOCAL", "-", "krbtgt/GRYCKSBO.LOCAL", "-", "0x40810010", "0x6", "-", "-", "192.168.187.213", "", "", ""}; Logfile = "Security"; Message = "Authentication Ticket Request: \n \n\tUser Name:\t\t039s020 \n \n\tSupplied Realm Name:\tGRYCKSBO.LOCAL \n \n\tUser ID:\t\t\t- \n \n\tService Name:\t\tkrbtgt/GRYCKSBO.LOCAL \n \n\tService ID:\t\t- \n \n\tTicket Options:\t\t0x40810010 \n \n\tResult Code:\t\t0x6 \n \n\tTicket Encryption Type:\t- \n \n\tPre-Authentication Type:\t- \n \n\tClient Address:\t\t192.168.187.213 \n \n\tCertificate Issuer Name:\t \n \n\tCertificate Serial Number:\t \n \n\tCertificate Thumbprint:\t \n \n"; RecordNumber = 132903567; SourceName = "Security"; TimeGenerated = "20121106080729.000000+060"; TimeWritten = "20121106080729.000000+060"; Type = "Audit Failure"; User = "NT AUTHORITY\\SYSTEM"; }; TIME_CREATED = "129966592493454297"; };

dc-hostname
segrydc2.grycksbo.local/192.168.187.196

dc-name

segrydc2

event-source
com.cisco.cda.rt.adobserver.adobserver.CurrentEventsThread

event-error
Audit type is not of type 4 (Audit Success)

This message show on all the DC's with a random interval.

Two of the DC's are 2003 SP2 and the other two are 2008 R2 SP1.

They should be configured for all the requirements, and I doubt I missed something on all of them.

"Active Directory Requirements

Cisco CDA relies on Active Directory login audit events to gather mappings. In order for Cisco CDA to

work appropriately, make sure that:

• Ensure that the “Audit Policy” (part of the “Group Policy Management” settings) allows successful

logons to generate the necessary events in the Windows Security Log of that AD domain controller

machine (this is normally the Windows default setting, but you must explicitly ensure that this

setting is correct).

• The Active Directory server administrator account has the following permissions:

– The account must belong to the “Distributed COM Users” Active Directory group.

– The account must have permission to access WMI namespaces (CIMV2 namespace) on the

domain controller machine.

– The account must have permission to read the security event log on the domain controller

machine.

• Each individual domain controller machine running Windows Server 2008 or Windows Server 2008

R2 have the appropriate Microsoft hotfixes installed.

For domain controller machines running Windows Server 2008, the following two Microsoft

hotfixes must be installed:

a. http://support.microsoft.com/kb/958124

This patch fixes a memory leak in Microsoft's WMI, which if left unfixed can prevent the AD Agent

from successfully connecting with that domain controller and achieving an “up” status.

b. http://support.microsoft.com/kb/973995

This patch fixes a memory leak in Microsoft's WMI, which if left unfixed can sporadically prevent

Active Directory from writing the necessary authentication-related events to the Security Log for

that domain controller and would prevent the AD Agent from learning about the mappings

corresponding to some of the user logins that authenticate through that domain controller.

For domain controller machines running Windows Server 2008 R2, the following Microsoft hotfix

must be installed (unless SP1 is installed):

http://support.microsoft.com/kb/981314

This patch fixes a memory leak in Microsoft's WMI, which if left unfixed can sporadically prevent

Active Directory from writing the necessary authentication-related events to the Security Log for

that domain controller and would prevent the AD Agent from learning about the mappings

corresponding to some of the user logins that authenticate through that domain controller."

Any ideas?

Cheers!

2 Replies 2

aharon-n
Level 1
Level 1

Hi

I have the same problem for one of 4 AD servers.

At the beginning it was because I needed to edit the registry as note at the guide.

But now after double and triple checking I don't understand what causing this.

howe.bill
Level 1
Level 1

I ran into this same error message and we discovered the following:

  • A co-worker had turned off a number of audit events to troubleshoot someone getting their account locked. The events he turned off were:
    • login/log off events
    • Kerberos logging
  • He turned the login/log off events back on, this did NOT fix the issue.
  • As soon as he turned on Kerberos logging, we got all the new mappings.

For Windows Server 2008 R2 and Windows 2012, choose Advanced Audit Policy Configuration > Audit Policies > Account Logon. For the two Policy items, Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations, ensure that the corresponding Policy Setting for each of these either directly or indirectly includes the Success condition as described above.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: