09-18-2019 09:17 AM
Hi team,
we have project for both StealthWatch and ISE. Plan is to configure ISE 2.4 patch 9 to pull events through WMI from Windows Server 2016 to ISE and share it with Stealthwatch. We have problems with ISE collecting events from AD. We used Domain admin account and event went through manual configuration of WMI on DC providing all needed rights and created registry keys. There is no L3/L4 obsticle.
1. Connection to DC is green in PassiveID dashboard and test WMI is ok, it gets right Domain name, etc
2. WMI DC is configured automatically and manually we checked all permisions and created Registry keys for Account that ISE uses when contacting DC
3. No sessions are collected from DC
4. We set DEBUG level for PassiveID and we get below:
2019-09-18 16:11:04,202 DEBUG [Thread-82275][] com.cisco.idc.dc-probe- DCOM timeout reached on DC. Identity Mapping.NTLMv2 = true , Identity Mapping.dc-domainname = XXXXXX , Identity Mapping.probe = WMI , Identity Mapping.dc-windows-version = Win2016 , Identity Mapping.dc-username = XXXXX , Identity Mapping.dc-name = XXXXXXX , Identity Mapping.dc-host = XXXXXXX/10.239.5.20
5. On Windows side we have Event log error with ID 5858 for WMI Activity with ResultCode: 0x80041032
Can someone provide help? Also we did this with two ISEs but problem remains same.
Does anybody know which Security logon event ID ISE PassiveID requests from DC: 4768 or 4624, because user has no 4768 events and if we look into WMI error we see ISE requesting 4768 event ID from DC.
Tnx in advance.
Regards,
Vedran.
Solved! Go to Solution.
09-23-2019 04:44 AM
Hi, solved the problem with customer.
ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID
Procedure:
Microsoft about Kerberos Audit Service:
Regards,
Vedran.
09-23-2019 04:35 AM
I suggest opening a TAC SR to root cause the issue.
09-23-2019 04:44 AM
Hi, solved the problem with customer.
ISE collects kerberos events from Security Event logs. Customer didn't have Kerberos logging turned on, which is by default turned off in Windows. We enabled Audit Kerberos Authentication Service through Advance Audit policy in GPO and applied to DCs. Soon after kerberos logon IDs were seen in Security Event log. After that ISE started to display sessions in PassiveID
Procedure:
Microsoft about Kerberos Audit Service:
Regards,
Vedran.
11-18-2020 05:59 AM
WMI configuration from ISE to DC does not enable Kerberos Audit authentication service and it should be enabled by yourself because it is turned off by default. Very frustrating because no ISE PIC documentation mention this configuration and every test on ISE is OK but no passive authentication is coming on ISE.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide