Solved: Problem Agent SourceFire

crusier2015 · ‎09-26-2015

Hi,

i'm trying to configure AD agent, but always return the following error appears:

I checked LOGs of agent, the follow message appears:

"26/09/2015 20:48:23","debug","[0001] - Error connecting to 192.168.0.15: System.Management.ManagementException: User credentials cannot be used for local connections
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at SFCo ..."

I followed the tutorial bellow:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html

Marvin Rhoads · ‎09-28-2015

You need to install the User Agent on a computer other than the AD server that you are pointing it to. This is a limitation of WMI as it cannot use domain credentials when running WMI scripts on the locahost.

View solution in original post

Marvin Rhoads · ‎09-28-2015

You need to install the User Agent on a computer other than the AD server that you are pointing it to. This is a limitation of WMI as it cannot use domain credentials when running WMI scripts on the locahost.

crusier2015 · ‎09-28-2015

You are correct, when i installed the agent on another server, worked!

Tks

Binyam Demissie · ‎06-10-2016

Just to add to the suggested solution:

+ Installing the user Agent on a remote computer for remote access is NOT required. Its an option, but not required. You have two options:

Option #1

Install locally and add the AD server as below for the user agent to be able to report user activities in *real-time*. Real time events are not available when installed on another computer and then remotely accessed.

Server Name/IP Address : localhost

Domain: [ Blank ]

Authorized User: [ Blank ]

Password: [ Blank ]

Local Login IP Address: [ select the IP address]

Option #2 -

Install on another computer and add the up to 5 AD DC to the user agent.

- here you will need to user Server IP, domain, username, password for this to work.

- Additionally you will need the following configuration on the AD DCs to allow the user to read Security Logs *REMOTELY*. This is NOT required for local install on the AD DC itself.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html

Thanks,

~ Binyam (TAC)

Marvin Rhoads · ‎06-10-2016

Good info Binyam - thanks.

I'd suggest updating the Technote on SFUA to reflect this valuable addition.

nsadmin01 · ‎09-28-2016

I went with Binyam Demissie Option #1 and no issues.

Thx Binyam!

Terence.Jh · ‎01-31-2020

Thank you so much for solving the problem that I did not solve in 30 minutes

a ali · ‎11-15-2022

i have the same issue , as we added two active directory on agent one of them working fine and another one status is not available and after check agent log see this error ,

[0002] - Error connecting to 172.16.1.57: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize( ...