2016-12-29 06:08 AM
Hi Guys,
I am facing error while integrating windows devices.
Error is as follows:
Unable to subscribe for events with Windows event source: 401/Unauthorized. Please verify the credentials provided
I am using Basic authentication for log collection. Please suggest some troubleshooting step to resolve this issue.
2016-12-30 08:57 AM
It's more normal to use kerberos / negotiate authentication when collecting form windows sources, especially if they are in a domain. If it was working and nothing has changed, have you checked the the password that you are using is correct?
2017-01-04 12:36 PM
Hi 9pGC42sqNdvChF1xdilI0qA2Ctri3JBAX0XYHEimiAA=,
Have you checked as advised the password that you are using is correct?
Yasmine.
2017-01-05 03:23 AM
Hi David,
I have enabled debug logs.
Starting work
Starting subscribe
Connecting to 172.X.X.X on port 5985 url /wsman transport mode http user siemmon auth method Basic
Connect succeeded
Subscription Query List : <QueryList><Query Id='0'><Select Path='Application'>*</Select><Select Path='Security'>*</Select><Select Path='System'>*</Select></Query></QueryList>
Subscribe Message
Error subscribing. Response code = 401/Unknown
Unable to subscribe for events with Windows event source: 401/Unauthorized. Please verify the credentials provided
As per my understanding, If connection is succeeded then credentials are working. Please correct me if I am wrong.
2017-01-05 03:23 AM
HI Yasmine Dowidar,
I have enabled debug logs.
Starting work
Starting subscribe
Connecting to 172.X.X.X on port 5985 url /wsman transport mode http user siemmon auth method Basic
Connect succeeded
Subscription Query List : <QueryList><Query Id='0'><Select Path='Application'>*</Select><Select Path='Security'>*</Select><Select Path='System'>*</Select></Query></QueryList>
Subscribe Message
Error subscribing. Response code = 401/Unknown
Unable to subscribe for events with Windows event source: 401/Unauthorized. Please verify the credentials provided
As per my understanding, If connection is succeeded then credentials are working. Please correct me if I am wrong.
2017-01-09 09:58 AM
Hi Atul,
Adding to David's recommendation.
If this is new integration, Please try below.
1. Verify basic authentication is true or false using winrm e winrm/config/listener command in Windows server
2. If above is false, Please enable basic authentication using winrm set winrm/config/service/auth @{Basic="true"}
Thanks,
Sravan
2017-01-12 02:58 PM
I've seen this behavior before in our environment even when not running Basic auth, i.e. Kerberos or Negotiate.
I'd check a few things first.
Is your time/clock synced with NTP and accurate between the host and your collector?
Is DNS resolution functioning/resolving accurately for the system on the collector?
Other than that, 401 means it authenticated just fine, but your request isn't authorized on the host. Usually a bad SDDL setting for your service account on the host.
After verifying the winrm settings post them here minus the SDDL and/or any other sensitive data and maybe we'll see what is up.