Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8777
Views
55
Helpful
3
Replies

ISE PassiveID and WMI pulling

Go to solution
vfranjic
Cisco Employee
Cisco Employee

‎09-18-2019 09:17 AM

Hi team,

 

we have project for both StealthWatch and ISE. Plan is to configure ISE 2.4 patch 9 to pull events through WMI from Windows Server 2016 to ISE and share it with Stealthwatch. We have problems with ISE collecting events from AD. We used Domain admin account and event went through manual configuration of WMI on DC providing all needed rights and created registry keys. There is no L3/L4 obsticle.

 

1. Connection to DC is green in PassiveID dashboard and test WMI is ok, it gets right Domain name, etc

2. WMI DC is configured automatically and manually we checked all permisions and created Registry keys for Account that ISE uses when contacting DC

3. No sessions are collected from DC

4. We set DEBUG level for PassiveID and we get below:


2019-09-18 16:11:04,202 DEBUG [Thread-82275][] com.cisco.idc.dc-probe- DCOM timeout reached on DC. Identity Mapping.NTLMv2 = true , Identity Mapping.dc-domainname = XXXXXX , Identity Mapping.probe = WMI , Identity Mapping.dc-windows-version = Win2016 , Identity Mapping.dc-username = XXXXX , Identity Mapping.dc-name = XXXXXXX , Identity Mapping.dc-host = XXXXXXX/10.239.5.20

 

5. On Windows side we have Event log error with ID 5858 for WMI Activity with ResultCode: 0x80041032

 

Can someone provide help? Also we did this with two ISEs but problem remains same.

 

Does anybody know which Security logon event ID ISE PassiveID requests from DC: 4768 or 4624, because user has no 4768 events and if we look into WMI error we see ISE requesting 4768 event ID from DC.

 

Tnx in advance.

 

Regards,

Vedran.

 

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
vfranjic
Cisco Employee
Cisco Employee
In response to howon

‎09-23-2019 04:44 AM

Hi, solved the problem with customer.

 

ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID

 

Procedure:

 

https://www.manageengine.com/products/active-directory-audit/help/getting-started/domain-controllers-advanced-audit-policy.html

 

Microsoft about Kerberos Audit Service:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service

 

Regards,

Vedran.

View solution in original post

3 Replies 3

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-23-2019 04:35 AM

I suggest opening a TAC SR to root cause the issue.

0 Helpful

Go to solution
vfranjic
Cisco Employee
Cisco Employee
In response to howon

‎09-23-2019 04:44 AM

Hi, solved the problem with customer.

 

ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID

 

Procedure:

 

https://www.manageengine.com/products/active-directory-audit/help/getting-started/domain-controllers-advanced-audit-policy.html

 

Microsoft about Kerberos Audit Service:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service

 

Regards,

Vedran.

Go to solution
marinogr
Level 1
Level 1
In response to vfranjic

‎11-18-2020 05:59 AM

WMI configuration from ISE to DC does not enable Kerberos Audit authentication service and it should be enabled by yourself because it is turned off by default. Very frustrating  because no ISE PIC documentation mention this configuration and every test on ISE is OK but no passive authentication is coming on ISE.

 

krb.JPG

Customers Also Viewed These Support Documents