cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

164
Views
10
Helpful
2
Replies
Cisco Employee

ISE PassiveID and WMI pulling

Hi team,

 

we have project for both StealthWatch and ISE. Plan is to configure ISE 2.4 patch 9 to pull events through WMI from Windows Server 2016 to ISE and share it with Stealthwatch. We have problems with ISE collecting events from AD. We used Domain admin account and event went through manual configuration of WMI on DC providing all needed rights and created registry keys. There is no L3/L4 obsticle.

 

1. Connection to DC is green in PassiveID dashboard and test WMI is ok, it gets right Domain name, etc

2. WMI DC is configured automatically and manually we checked all permisions and created Registry keys for Account that ISE uses when contacting DC

3. No sessions are collected from DC

4. We set DEBUG level for PassiveID and we get below:


2019-09-18 16:11:04,202 DEBUG [Thread-82275][] com.cisco.idc.dc-probe- DCOM timeout reached on DC. Identity Mapping.NTLMv2 = true , Identity Mapping.dc-domainname = XXXXXX , Identity Mapping.probe = WMI , Identity Mapping.dc-windows-version = Win2016 , Identity Mapping.dc-username = XXXXX , Identity Mapping.dc-name = XXXXXXX , Identity Mapping.dc-host = XXXXXXX/10.239.5.20

 

5. On Windows side we have Event log error with ID 5858 for WMI Activity with ResultCode: 0x80041032

 

Can someone provide help? Also we did this with two ISEs but problem remains same.

 

Does anybody know which Security logon event ID ISE PassiveID requests from DC: 4768 or 4624, because user has no 4768 events and if we look into WMI error we see ISE requesting 4768 event ID from DC.

 

Tnx in advance.

 

Regards,

Vedran.

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ISE PassiveID and WMI pulling

Hi, solved the problem with customer.

 

ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID

 

Procedure:

 

https://www.manageengine.com/products/active-directory-audit/help/getting-started/domain-controllers-advanced-audit-policy.html

 

Microsoft about Kerberos Audit Service:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service

 

Regards,

Vedran.

2 REPLIES 2
Cisco Employee

Re: ISE PassiveID and WMI pulling

I suggest opening a TAC SR to root cause the issue.

Cisco Employee

Re: ISE PassiveID and WMI pulling

Hi, solved the problem with customer.

 

ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID

 

Procedure:

 

https://www.manageengine.com/products/active-directory-audit/help/getting-started/domain-controllers-advanced-audit-policy.html

 

Microsoft about Kerberos Audit Service:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service

 

Regards,

Vedran.