Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7267
Views
9
Helpful
7
Replies

WMI configuration successful but no live sessions at all

Go to solution
jaime.pedraza
Level 1
Level 1

‎09-08-2017 07:55 AM - edited ‎02-21-2020 10:33 AM

Hello,

I am trying to configure an ISE-PIC. I already have the DC configured, joined, and WMI configured successfully according to the message shown on the ISE-PIC, but I don't see any live session at all. I configured an FMC as a Provider and I verified that is not sharing information.  Any idea what is happening?

Thank you in advance for the help!

Regards,

Jaime

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
jaime.pedraza
Level 1
Level 1

‎09-21-2017 10:45 AM

Hello,

Finally I solved the issue with the help of a Microsoft Consultant. The issue was due some Kerberos audit logs that were disabled, and therefore, the information was not sent via WMI. In summary:

  1. Enable the integration with AD
  2. Test the connection and  the WMI configuration
  3. Test a query to de AD with a test user
  4. If not live logs are seen, the issue is in the AD.

Hope it helps!

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎09-11-2017 10:11 AM

Jamie,

An easy way to test is to log into the domain controller using a domain account.  That should populate the logon event in the session directory of PIC.  Alternately, you could use RDP.  You should also check the status of the DC on the dashboard.  It should be green.

Regards,

-Tim

Go to solution
jaime.pedraza
Level 1
Level 1
In response to Timothy Abbott

‎09-11-2017 10:30 AM

Thanks Timothy! I found out that even when the WMI configuration showed a success the first time, when I repeat the process, an error appears:

Successfully configured 0/1 DC

Unable to run executable on AD.domain.com, The IseExec remote copy failed to set credentials

I followed the procedure showed on this doc Configure ISE-PIC to monitor AD using WMI, and the pre-requisites stated on the installation guide, but without success.

I am struggling with the WMI logs and messages because there is almost no information about it. May be, if you have info about the logs and the interpretation of them, I'd appreciate it very much.


PS: the domain admin account works without issues.

Regards,

James

0 Helpful

Go to solution
Shay Elisha
Cisco Employee
Cisco Employee
In response to jaime.pedraza

‎09-11-2017 12:48 PM

Hi,

Two things to try:

  • Restart the domain controller (if you have only one dc in the domain)
  • Remove the domain and re-join and then try to press the 'config wmi' button

  • Follow the steps in this link: (that's what 'config wmi' do) and do it manually

     https://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_install.html#74851

Thanks,

Shay

Go to solution
jaime.pedraza
Level 1
Level 1

‎09-21-2017 10:45 AM

Hello,

Finally I solved the issue with the help of a Microsoft Consultant. The issue was due some Kerberos audit logs that were disabled, and therefore, the information was not sent via WMI. In summary:

  1. Enable the integration with AD
  2. Test the connection and  the WMI configuration
  3. Test a query to de AD with a test user
  4. If not live logs are seen, the issue is in the AD.

Hope it helps!

0 Helpful

Go to solution
MIKKO PALSALA
Level 1
Level 1
In response to jaime.pedraza

‎05-07-2018 06:44 AM

Hi,

I doubt it's really necessary to enable Kerberos audit logs as MS support says:

"Kerberos event logging is intended only for troubleshooting purpose when you expect additional information for the Kerberos client-side at a defined action timeframe. Restated, kerberos logging should be disabled when not actively troublehshooting."

https://support.microsoft.com/en-us/help/262177/how-to-enable-kerberos-event-logginghttps://support.microsoft.com/en-us/help/262177

I have same problem (no live sessions, even the wmi connection is green), but would not like to enable kerberos audit logs

Any other ideas?

-mikko

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to MIKKO PALSALA

‎05-07-2018 07:47 AM

See Set the Windows Audit Policy under Active Directory Requirements to Support Easy Connect and Passive Identity services

The logging might have initially intended for troubleshooting only but it is used as the source to derive ISE Passive Identities.

If you are not using Easy Connect, then you may try other providers.

Go to solution
jaime.pedraza
Level 1
Level 1
In response to MIKKO PALSALA

‎05-07-2018 11:02 AM

Hi,

According to the MS Consultant, ISE audits 4768 (Kerberos Ticket Granting) and 4770 (Kerberos Ticket Renewal). If these events are not being logged, it may not be possible to see the events on ISE PIC/ISE.

Hope it helps,

James

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents