Kerberos authentication with Symantec Event Collector 4.4 for Microsoft® Vista and Microsoft Windows Server 2008


Article ID: 180285


Products

Security Information Manager

Issue/Introduction


Resolution

The company policy does not allow the use of NTLM authentication, so the collector must be configured to use Kerberos authentication.
To use Kerberos authentication, the machine you are collecting from must be part of an Active Directory Domain.
This article should help to determine whether the environment is set up correctly for Kerberos authentication and points out some basic troubleshooting steps.

1. To use Kerberos authentication, the Monitored Host Realm has to be configured in the sensor settings of your collector configuration.

Monitored Host Realm:

This property is used for Kerberos authentication. When using Basic authentication, this
property can be left empty. Ideally, specify the Domain Name of the machine that is specified
in the Monitored Host Account Name property; however, the KDC host name can also be used.
The sensor can use multiple Kerberos Key Distribution Centers (KDCs) in one domain, but it
must be configured accordingly: to let the sensor try another KDC when the connection to the
original KDC has been lost, specify the Domain Name in the Monitored Host Realm property.
If the KDC's host name is specified in the Monitored Host Realm property instead, the sensor
does not attempt to use any other KDC when the connection to that KDC is down.
Multi-domain Kerberos authentication is not supported.

To collect from multiple domains with Kerberos authentication, multiple agents and collectors have to be installed: at least one separate agent / collector per domain is needed.


2. Kerberos is dependent on the Domain Name System (DNS).

The machine where the collector is installed must be able to retrieve information about the services located in your Active Directory Domain from the DNS server.

The DNS records contain the location of the Key Distribution Center (KDC) servers in your Active Directory Domain.

To check the entries for Kerberos authentication, open a command prompt and run the following command:

nslookup


In the nslookup prompt, switch to SRV record queries:

>set q=SRV

Check the entries for the _kerberos service:

>_kerberos._tcp.<Active Directory Domain>

For example, when the Active Directory Domain is symantec.local:

>_kerberos._tcp.symantec.local

Make sure that a list of the Domain Controllers in the Active Directory Domain is returned.

Also check the following entries for the _kpasswd service:

>_kpasswd.symantec.local

And the _ldap service entries:

>_ldap.symantec.local

Once you are done, exit the prompt:

>exit


3. Make sure that all machines in the Active Directory Domain and all collector machines have their time synchronized.

If the time difference between a client machine and the KDC is too large, authentication fails.

The maximum allowed time difference is 5 minutes by default.

technet.microsoft.com/en-us/library/cc780011(WS.10).aspx


4. On the machine where the Windows Remote Management (WinRM) service is running, make sure the Service Principal Name (SPN) entries for the WinRM service have been created.

Open a command prompt on the machine and run the following command:

hostname

This returns the host name of the machine.

Replace <hostname> in the command below with the host name that was returned:

setspn -L <hostname>

This returns the list of SPNs of the machine account. There should be two entries, which are created when the WinRM service starts up:

WSMAN/<hostname>

WSMAN/<hostname>.<fully qualified domain>

When those entries are missing, Kerberos authentication will fail. In this case basic (NTLM) authentication has to be used.


Note: On Domain Controllers these entries are missing by default, because of the higher security level of Domain Controllers. The WinRM service runs as the Network Service account, which does not have permission to write the SPNs on a Domain Controller. To allow the Network Service account to write the SPN entries, it must be granted the right "Validated write to service princ".

Please follow the instructions below:

  • On the Domain Controller click on Start, go to Programs -> Administrative Tools and open the program ADSI Edit.

  • In the menu of the ADSI Edit window click on Action and then "Connect to ...", which opens the Connection Settings window. Leave the default settings and click OK.

  • In the ADSI Edit main window the Default naming context should now show up, and clicking on it should make the tree expandable.

  • In the tree for the Active Directory Domain there should be an OU=Domain Controllers; this Organizational Unit lists the Domain Controllers that exist in the domain.

  • Right-click the Domain Controller from which you want to collect Event Logs and on which the WinRM service is configured and running, and click Properties.

  • Go to Security and click the Add button to add the Network Service account.

  • After adding the Network Service account, grant it the permission "Validated write to service princ".

  • Afterwards restart the WinRM service for the changes to take effect. After the restart, run the setspn command again to make sure the SPNs for the WinRM service have been created.
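The following PowerShell script is an added example and is not part of the Symantec article or the collector product. It automates the checks from steps 2 to 4 on the collector machine: the _kerberos, _kpasswd and _ldap SRV records, the clock skew against the first KDC found, and the two WSMAN SPNs on the WinRM host's computer account. It assumes Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 or later), that w32tm.exe and setspn.exe are on the path, that the Domain Controllers register the standard _tcp forms of the _kpasswd and _ldap records, and that the domain name and the WinRM host name are placeholders to replace.

```powershell
# Added example, not part of the Symantec article: pre-flight script for the
# Kerberos prerequisites in steps 2 to 4, run on the collector machine.
# Assumptions (not from the article): Resolve-DnsName is available (DnsClient
# module, Windows 8 / Server 2012 or later); w32tm.exe and setspn.exe are on the
# path; Domain Controllers register the standard _tcp forms of the _kpasswd and
# _ldap SRV records; the domain and WinRM host names below are placeholders.
param(
    [string]$Domain    = 'symantec.local',   # AD domain (the article's example name)
    [string]$WinRmHost = 'winrmhost'         # placeholder: machine running WinRM
)

$failures = @()
$kdcs     = @()

# --- Step 2: SRV records that advertise the KDC, kpasswd and LDAP services ---
foreach ($svc in '_kerberos._tcp', '_kpasswd._tcp', '_ldap._tcp') {
    $name = "$svc.$Domain"
    try {
        $records = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
    } catch {
        $records = @()
    }
    if ($records.Count -eq 0) {
        $failures += "No SRV records for $name (DNS is not advertising this service)"
        continue
    }
    "$name ->"
    foreach ($r in $records) {
        "    {0}:{1} (priority {2})" -f $r.NameTarget, $r.Port, $r.Priority
        if ($svc -eq '_kerberos._tcp') { $kdcs += $r.NameTarget }
    }
}

# --- Step 3: clock skew against the first KDC (Kerberos tolerates 5 minutes by default) ---
if ($kdcs.Count -gt 0) {
    $kdc = $kdcs[0]
    $out = (& w32tm.exe /stripchart "/computer:$kdc" /samples:1 /dataonly 2>&1) -join "`n"
    # the sample line looks like "12:00:00, +00.0012345s" (decimal separator may be a comma)
    $m = [regex]::Match($out, ',\s*([+-]\d+[.,]\d+)s')
    if ($m.Success) {
        $skew = [math]::Abs([double]($m.Groups[1].Value -replace ',', '.'))
        if ($skew -gt 300) { $failures += ("Clock skew against {0} is {1:N1}s, above the 300s limit" -f $kdc, $skew) }
        else               { "Clock skew against {0}: {1:N3}s" -f $kdc, $skew }
    } else {
        $failures += "Could not measure clock skew against $kdc (w32tm output: $out)"
    }
}

# --- Step 4: WSMAN SPNs on the WinRM host's computer account ---
$spnLines = @(& setspn.exe -L $WinRmHost 2>&1)
foreach ($expected in "WSMAN/$WinRmHost", "WSMAN/$WinRmHost.$Domain") {
    if ($spnLines -match [regex]::Escape($expected)) {
        "Found SPN $expected"
    } else {
        $failures += "Missing SPN $expected (Kerberos to WinRM will fail; see the Domain Controller note in step 4)"
    }
}

# --- Summary ---
if ($failures.Count -eq 0) {
    "All Kerberos prerequisite checks passed."
} else {
    "FAILED checks:"
    $failures | ForEach-Object { " - $_" }
}
```

Run it as `.\Check-KerberosPrereqs.ps1 -Domain symantec.local -WinRmHost <hostname>` from the collector machine; a missing SRV record points at DNS, a skew above 300 seconds at time synchronization, and a missing WSMAN SPN at the Domain Controller permission issue described in the note above.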

 

5. Another problem when trying to use Kerberos authentication might be the encryption type that is used.

With the WS-Management Sensor 2.0.4 (April 2011 LiveUpdate) support for different encryption types has been added.
Older versions of the sensor support only DES encryption.
Depending on the environment, some encryption types might not work.

For example, when the Domain functional level is set to Windows 2003, using AES256 encryption for the Kerberos ticketing does not work.
For AES256 encryption the Domain functional level must be set to at least Windows 2008.
More information on domain functional levels can be found in the Microsoft TechNet article below:

http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx

With Windows 2008 R2 Microsoft also restricted the encryption types that may be used.
When adding a Windows 2008 R2 Domain Controller to your environment, DES encryption will not work.

This issue has been documented by Microsoft in KB978055:
http://support.microsoft.com/kb/978055

At the moment the best way to set up the sensor is to use RC4 encryption.
To use RC4 encryption, version 2.0.4 or higher of the WS-Management sensor must be used.

The following property information must be added to the config.xml of the collector:

<property name="props">
    <props>
        <prop key="EncryptionTypes">rc4-hmac</prop>
    </props>
</property>

Once the environment is set up correctly, Basic authentication for the WinRM service can be disabled:

winrm set winrm/config/Service/Auth @{Basic="false"}
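The PowerShell script below is an added example and not part of the Symantec article or the collector product. It checks the encryption-type prerequisites from step 5 and confirms the WinRM authentication settings after Basic has been disabled: it reads the domain functional level, the msDS-SupportedEncryptionTypes attribute of the WinRM host's computer account, and the WinRM Service/Auth configuration. It assumes it is run on a domain-joined machine with a domain account that can read Active Directory, that the WinRM host name is a placeholder to replace, and that the attribute bit values are the ones Microsoft documents (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256; absent or 0 means the defaults apply).

```powershell
# Added example, not part of the Symantec article: verifies the encryption type
# prerequisites of step 5 and the WinRM Service/Auth settings.
# Assumptions (not from the article): run on a domain-joined machine with a
# domain account; $WinRmHost is a placeholder; msDS-SupportedEncryptionTypes
# bits are 1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256, and an
# absent or zero value means the KDC defaults apply (RC4 allowed, DES refused
# by Windows 2008 R2 Domain Controllers, as KB978055 describes).
param([string]$WinRmHost = 'winrmhost')   # placeholder: machine running WinRM

# --- Domain functional level (AES256 tickets need Windows 2008 or later) ---
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Domain {0}, functional level {1}" -f $domain.Name, $domain.DomainMode
if ($domain.DomainMode -match '2000|2003') {
    "AES256 is not usable at this functional level; rc4-hmac is the setting to use in config.xml."
}

# --- Encryption types advertised by the WinRM host's computer account ---
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$WinRmHost`$))"
[void]$searcher.PropertiesToLoad.Add('msDS-SupportedEncryptionTypes')
$result = $searcher.FindOne()
if ($null -eq $result) { throw "Computer account $WinRmHost not found in $($domain.Name)" }

$etypes = 0   # ResultPropertyCollection keys are lower-case
if ($result.Properties['msds-supportedencryptiontypes'].Count -gt 0) {
    $etypes = [int]$result.Properties['msds-supportedencryptiontypes'][0]
}
$flags = @{ 1 = 'des-cbc-crc'; 2 = 'des-cbc-md5'; 4 = 'rc4-hmac';
            8 = 'aes128-cts-hmac-sha1-96'; 16 = 'aes256-cts-hmac-sha1-96' }
if ($etypes -eq 0) {
    "msDS-SupportedEncryptionTypes is not set on $($WinRmHost): KDC defaults apply (rc4-hmac works; DES depends on the DC version)"
} else {
    $supported = $flags.Keys | Sort-Object | Where-Object { $etypes -band $_ } | ForEach-Object { $flags[$_] }
    "Encryption types advertised by $($WinRmHost): " + ($supported -join ', ')
    if (-not ($etypes -band 4)) {
        "WARNING: rc4-hmac is not advertised, so the sensor's EncryptionTypes=rc4-hmac setting will not work against this host."
    }
}

# --- WinRM service authentication settings (after running the winrm set command) ---
$auth = @{}
foreach ($line in (& winrm get winrm/config/Service/Auth)) {
    # lines look like "    Basic = false" or "    Kerberos = true"
    if ($line -match '^\s*(\w+)\s*=\s*(\w+)') { $auth[$matches[1]] = $matches[2] }
}
"WinRM Service/Auth: Kerberos={0} Basic={1}" -f $auth['Kerberos'], $auth['Basic']
if ($auth['Kerberos'] -ne 'true') { "WARNING: Kerberos authentication is disabled on the WinRM service." }
if ($auth['Basic'] -eq 'true')    { "NOTE: Basic authentication is still enabled; disable it once Kerberos works." }
```

Run the script on the WinRM host itself so the last section reads that host's own WinRM configuration; the first two sections work from any domain-joined machine.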

Should there still be errors related to Kerberos authentication, it is recommended to follow the Kerberos troubleshooting guides from Microsoft:

technet.microsoft.com/en-us/library/cc728430(WS.10).aspx

support.microsoft.com/kb/262177
