Audit Failure events (Event ID 4768) in the Windows Security event log on the Domain Controller hosting the Control Compliance Suite (CCS) environment

Article ID: 158448

Products

Control Compliance Suite Exchange, Control Compliance Suite Windows

Issue/Introduction

Microsoft-Windows-Security-Auditing logs Event ID 4768 with the Audit Failure keyword in the Windows Security log on the Domain Controller whenever a Kerberos authentication ticket (TGT) is requested for one of the CCS component accounts.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: <date>
Event ID: 4768
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure

Cause

The client sends a KRB_AS_REQ to the KDC (specifically to its Authentication Server, the AS) to request a Ticket Granting Ticket (TGT). The client builds the AS_REQ from its current clock time, encrypted with a key derived from the account's password; this pre-authentication payload is the "Authentication Data". The packet also carries the name of the principal that is requesting the ticket, for example the account's UPN.

In a normal exchange the KDC verifies the Authentication Data and answers with a KRB_AS_REP that carries the TGT and a session key for it. Completing the exchange proves that the requester knows the account and its password. Before it can verify anything, however, the KDC must locate the named principal in Active Directory, and it is this lookup that fails here.

The 0x6 Failure (Result) Code in the Audit Failure event translates to KDC_ERR_C_PRINCIPAL_UNKNOWN, "Client not found in Kerberos database": the account name presented in the request does not match the userPrincipalName of any account, so the KDC never gets as far as checking the password (a wrong password would instead produce code 0x18, KDC_ERR_PREAUTH_FAILED). In the CCS case the name presented comes from the component certificate (AppServer-<machine> or CCSManager-<machine>) and no account carries it, which is why the Resolution below maps those certificates to an Active Directory account.
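To confirm that the failures you see are the 0x6 case described above rather than bad-password or clock-skew noise, the following PowerShell triage script reads Event ID 4768 from a Domain Controller's Security log, decodes the result code, and groups the failures by account and source address. This is an added example and not part of the original article or of CCS; the DC name, the time window and the ability to read the Security log are assumptions, and the result-code table covers only the codes most often seen alongside 0x6.

```powershell
# Added example (not from the original KB article): triage 4768 Audit Failures on a
# Domain Controller and decode the Kerberos result code.
# Assumes it runs on the DC (or against it via -ComputerName) as an account that can
# read the Security log. PreAuthType 16 (PA-PK-AS-REQ) identifies certificate (PKINIT)
# logons, which is how the CCS component certificates present themselves.

$KdcErrorNames = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password / pre-authentication failed)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}

function Get-KdcAsRequestFailure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: a Domain Controller
        [int]$Hours = 24                             # assumption: look-back window
    )
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d.Status -ne '0x0') {   # 0x0 is a successful TGT request; keep only failures
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = $d.TargetUserName
                    Domain      = $d.TargetDomainName
                    Client      = ($d.IpAddress -replace '^::ffff:', '')
                    PreAuthType = $d.PreAuthType        # 16 = certificate (PKINIT), 2 = password timestamp
                    CertIssuer  = $d.CertIssuerName     # populated only for certificate logons
                    Status      = $d.Status
                    Meaning     = if ($KdcErrorNames.ContainsKey($d.Status)) { $KdcErrorNames[$d.Status] } else { 'other KDC error' }
                }
            }
        }
}

# Usage: accounts that need a certificate mapping show up with Status 0x6.
Get-KdcAsRequestFailure -Hours 24 |
    Where-Object Status -eq '0x6' |
    Group-Object Account, Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Account and CertIssuer columns of the 0x6 rows should name the CCS component certificates (AppServer-<machine> or CCSManager-<machine>) and their issuer; if the failures instead carry 0x18, the problem is a credential, not a missing mapping, and the Resolution below will not change them.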

Resolution

Map the CCS component certificates to Active Directory accounts so that component communication authenticates without Audit Failures. Use the following steps to export the certificates from each CCS server and then map them to an Active Directory account.

Steps to export the CCS Certificates using MMC snap-in:

1. From the Start menu on the CCS Application Server, click Run. Type mmc in the text box and click OK. An MMC snap-in Console window launches.
2. Using the File menu, click Add/Remove Snap-in.
3. Select Certificates in the Snap-in list, click Add.

NOTE: When you select Certificates, a dialog box appears asking you whether you would like to manage certificates for My user account, Service account, or Computer account. For this scenario, select Computer account, click Finish, and continue.

4. When prompted to Select Computer, select Local Computer, and click Finish.
5. Click OK to close the Add/Remove Snap-in dialog box. The Certificates directory is now added to the MMC console.
6. In the console tree, expand Certificates (Local Computer). This expands the certificate store containers.
7. Expand Symantec_Components and select its Certificates container.
8. Right-click the certificate AppServer-%MACHINE_NAME% and/or CCSManager-%MACHINE_NAME% and select All Tasks > Export…
9. This will start the Welcome to the Certificate Export Wizard. Click Next.
10. Select No, do not export the private key. Click Next.
11. Select DER encoded binary X.509 (.CER). Click Next.
12. Specify the folder path and name of the file you want to export. Click Next.
13. Review wizard settings and click Finish.
14. Make these certificates available on the Active Directory domain controller, for mapping to the user account.

NOTE: These steps also need to be performed on each server hosting the CCS Manager role. Note that the certificate in step 8 is unique to each role and machine (i.e. CCSManager-%MACHINE_NAME%). It is helpful to store all exported certificate files (.CER) in a folder accessible from the Domain Controller.
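When several CCS Managers are involved, the same export can be scripted with the PKI module instead of clicking through the wizard on each server. The following is an added example, not a procedure from the article or from CCS: it assumes the store is visible as Cert:\LocalMachine\Symantec_Components (the store name shown in step 7), that the component certificates can be recognised by a Subject or Friendly Name starting with AppServer- or CCSManager- (an assumption about how CCS names them), and it writes to an assumed output folder.

```powershell
# Added example (not from the original KB article): export the CCS component
# certificates as DER-encoded .cer files without the private key, the same result
# as steps 8 to 13 of the wizard, so they can be copied to the Domain Controller.
# Requires the PKI module (Windows Server 2012 / Windows 8 or later).

$StorePath = 'Cert:\LocalMachine\Symantec_Components'   # store name from the article
$OutFolder = 'C:\CCS-Certs'                             # assumption: any folder you can copy to the DC

function Export-CcsComponentCertificate {
    param([string]$StorePath, [string]$OutFolder)

    if (-not (Test-Path $StorePath)) {
        throw "Store $StorePath not found; run this on the CCS Application Server or a CCS Manager."
    }
    New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

    Get-ChildItem $StorePath |
        Where-Object { $_.Subject -match '^CN=(AppServer|CCSManager)-' -or
                       $_.FriendlyName -match '^(AppServer|CCSManager)-' } |   # assumption: CCS naming
        ForEach-Object {
            # File name from the CN, with anything unsafe for a path replaced
            $cn   = (($_.Subject -split ',')[0] -replace '^CN=', '') -replace '[^\w\-.]', '_'
            $file = Join-Path $OutFolder "$cn.cer"
            # -Type CERT writes DER-encoded X.509; Export-Certificate never includes the private key
            Export-Certificate -Cert $_ -FilePath $file -Type CERT -Force | Out-Null
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                File       = $file
            }
        }
}

Export-CcsComponentCertificate -StorePath $StorePath -OutFolder $OutFolder | Format-Table -AutoSize
```

Keep the Thumbprint column: after the mapping is in place, the CertThumbprint field of the 4768 events on the DC lets you confirm that the certificate being presented is the one you exported, and NotAfter tells you when the mapping will need to be refreshed because CCS has renewed the certificate.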

 

To map a certificate to a user account
  1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. On the View menu, select Advanced Features.

  3. In the console tree, click Users (Active Directory Users and Computers / domain node / Users), or click the folder that contains the user account.

  4. In the details pane, right-click the user to which you want to map a certificate, and then click Name Mappings.

  5. In the Security Identity Mapping dialog box, on the X.509 Certificates tab, click Add.

  6. Type the name and path of the .cer file that contains the certificate that you want to map to this user account, and then click Open.

  7. To map the certificate to one account (one-to-one mapping), confirm that both the Use Issuer for alternate security identity check box and the Use Subject for alternate security identity check box are selected. This writes the certificate's issuer and subject names into the account's altSecurityIdentities attribute.
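The Name Mappings dialog above stores its result in the account's altSecurityIdentities attribute as a string of the form X509:<I>issuer<S>subject, with each distinguished name written most-general component first (DC=..., then OU=..., then CN=...), the reverse of how Windows displays it. The following PowerShell does the same thing for a list of exported .cer files and verifies the result; it is an added example rather than an article or CCS procedure, it needs the ActiveDirectory RSAT module and rights on the target account, and the account name and file paths are assumptions.

```powershell
# Added example (not from the original KB article): the scripted equivalent of
# ADUC > Name Mappings > X.509 Certificates with "Use Issuer" and "Use Subject" ticked.
# Writes X509:<I>issuer-DN<S>subject-DN to altSecurityIdentities and checks it.

Import-Module ActiveDirectory

function ConvertTo-AltSecIdDn {
    # AD mappings expect the RDNs in reverse order from the .NET display form:
    # .NET shows "CN=x, OU=y, DC=z"; the mapping string needs "DC=z,OU=y,CN=x".
    # Format($true) emits one RDN per line, so commas inside values survive the split.
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
    $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function Get-CertificateMappingString {
    param([string]$CerPath)
    # Accepts the DER or Base64 .cer produced by the export wizard
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    'X509:<I>{0}<S>{1}' -f (ConvertTo-AltSecIdDn $cert.IssuerName), (ConvertTo-AltSecIdDn $cert.SubjectName)
}

function Add-CertificateNameMapping {
    param([string]$Identity, [string]$CerPath)
    $mapping  = Get-CertificateMappingString -CerPath $CerPath
    $existing = (Get-ADUser -Identity $Identity -Properties altSecurityIdentities).altSecurityIdentities
    if ($existing -contains $mapping) {
        Write-Host "Already mapped on ${Identity}: $mapping"
        return
    }
    # -Add appends; an account may carry one mapping per CCS component certificate
    Set-ADUser -Identity $Identity -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Mapped to ${Identity}: $mapping"
}

# Usage (assumed account and file names): one mapping per exported component certificate
$Account = 'svc-ccs'
Add-CertificateNameMapping -Identity $Account -CerPath 'C:\CCS-Certs\AppServer-CCSAPP01.cer'
Add-CertificateNameMapping -Identity $Account -CerPath 'C:\CCS-Certs\CCSManager-CCSMGR01.cer'

# Verify what the KDC will now match against
(Get-ADUser -Identity $Account -Properties altSecurityIdentities).altSecurityIdentities
```

Two caveats a practitioner should keep in mind. First, the match is an exact string comparison, so a renewed CCS certificate with a different issuer or subject breaks the mapping and the 0x6 failures return until it is re-mapped. Second, Microsoft's certificate-based authentication hardening (KB5014754) classifies the issuer-plus-subject form written here as a weak mapping; Domain Controllers running in Full Enforcement mode reject it, and a strong form based on the issuer plus serial number or the Subject Key Identifier (X509:<I>...<SR>... or X509:<SKI>...) must be used instead.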

Additional considerations

  • To perform this procedure, you must be a member of either the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  • Another way to open Active Directory Users and Computers is to click Start, click Run, and then type dsa.msc.
  • The certificate that you are mapping to a user account must be in Distinguished Encoding Rules (DER) or Base64 encoded binary format.
  • Another way to bring up Security Identity Mapping dialog box is to right-click a user account, and then click Name Mappings.
