cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9666
Views
55
Helpful
3
Replies

ISE PassiveID and WMI pulling

vfranjic
Cisco Employee
Cisco Employee

Hi team,

 

we have project for both StealthWatch and ISE. Plan is to configure ISE 2.4 patch 9 to pull events through WMI from Windows Server 2016 to ISE and share it with Stealthwatch. We have problems with ISE collecting events from AD. We used Domain admin account and event went through manual configuration of WMI on DC providing all needed rights and created registry keys. There is no L3/L4 obsticle.

 

1. Connection to DC is green in PassiveID dashboard and test WMI is ok, it gets right Domain name, etc

2. WMI DC is configured automatically and manually we checked all permisions and created Registry keys for Account that ISE uses when contacting DC

3. No sessions are collected from DC

4. We set DEBUG level for PassiveID and we get below:


2019-09-18 16:11:04,202 DEBUG [Thread-82275][] com.cisco.idc.dc-probe- DCOM timeout reached on DC. Identity Mapping.NTLMv2 = true , Identity Mapping.dc-domainname = XXXXXX , Identity Mapping.probe = WMI , Identity Mapping.dc-windows-version = Win2016 , Identity Mapping.dc-username = XXXXX , Identity Mapping.dc-name = XXXXXXX , Identity Mapping.dc-host = XXXXXXX/10.239.5.20

 

5. On Windows side we have Event log error with ID 5858 for WMI Activity with ResultCode: 0x80041032

 

Can someone provide help? Also we did this with two ISEs but problem remains same.

 

Does anybody know which Security logon event ID ISE PassiveID requests from DC: 4768 or 4624, because user has no 4768 events and if we look into WMI error we see ISE requesting 4768 event ID from DC.

 

Tnx in advance.

 

Regards,

Vedran.

 

1 Accepted Solution

Accepted Solutions

Hi, solved the problem with customer.

 

ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID

 

Procedure:

 

https://www.manageengine.com/products/active-directory-audit/help/getting-started/domain-controllers-advanced-audit-policy.html

 

Microsoft about Kerberos Audit Service:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service

 

Regards,

Vedran.

View solution in original post

3 Replies 3

howon
Cisco Employee
Cisco Employee

I suggest opening a TAC SR to root cause the issue.

Hi, solved the problem with customer.

 

ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID

 

Procedure:

 

https://www.manageengine.com/products/active-directory-audit/help/getting-started/domain-controllers-advanced-audit-policy.html

 

Microsoft about Kerberos Audit Service:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service

 

Regards,

Vedran.

WMI configuration from ISE to DC does not enable Kerberos Audit authentication service and it should be enabled by yourself because it is turned off by default. Very frustrating  because no ISE PIC documentation mention this configuration and every test on ISE is OK but no passive authentication is coming on ISE.

 

krb.JPG