We have a FireSight system with one version 5.4.0.5 Virtual Data Center and several ASA devices. We installed some User Agents to get user logon/logoff information from MS AD servers, and encountered 2 problems:

1) All User Agent servers (window server 2008R2/64/SP1 and Windows server 2012R2) report error 2201. They can pull logon info from AD server correctly and export correct user map, can communicate with Virtual Data Center, but just cannot send data to it. Meanwhile, one User Agent on Windows 2008 STD/SP2 server works perfectly. Have tried 3 other servers, 2 User Agent versions, en-us regional settings, and 2 .Net versions. Nothing changed.

2) We prefer to have only 1 User Agent but 1 User Agent supports 5 DC servers at max. So we configured one central AD server to subcribe security logs from all AD servers successfully to its event log folder 'Forwarded Events', and configured the User Agent to pull data from this central AD server. The User Agent does pull logons, but only from events folder 'Windows Logs - Security', never from 'Forwarded Events'. Is the User Agent designed to read from 'Windows Logs-Security' only?

[2201] - Report login information from USER-AGENT-SERVER to  10.xx.xx.xx failed after 07/14/2016 9:08:55 AM. [A call to SSPI failed, see inner exception.].