This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Error in Windows Collection

AtulChavan
Beginner
Beginner

‎2016-12-29 06:08 AM

Hi Guys,

 

I am facing error while integrating windows devices. 

Error is as follows:

Unable to subscribe for events with Windows event source: 401/Unauthorized. Please verify the credentials provided

 

I am using Basic authentication for log collection. Please suggest some troubleshooting step to resolve this issue.

Labels:
0 Likes
6 REPLIES 6

DavidWaugh1
Employee
Employee

‎2016-12-30 08:57 AM

It's more normal to use kerberos / negotiate authentication when collecting form windows sources, especially if they are in a domain. If it was working and nothing has changed, have you checked the the password that you are using is correct?

0 Likes

YasmineDowidar
Employee (Retired) Employee (Retired)
Employee (Retired)

‎2017-01-04 12:36 PM

Hi 9pGC42sqNdvChF1xdilI0qA2Ctri3JBAX0XYHEimiAA=‌,

 

Have you checked as advised the password that you are using is correct?

 

Yasmine.

AtulChavan
Beginner
Beginner
In response to DavidWaugh1

‎2017-01-05 03:23 AM

Hi David,

 

I have enabled debug logs.

Starting work

Starting subscribe

Connecting to 172.X.X.X on port 5985 url /wsman transport mode http user siemmon auth method Basic

Connect succeeded

Subscription Query List : <QueryList><Query Id='0'><Select Path='Application'>*</Select><Select Path='Security'>*</Select><Select Path='System'>*</Select></Query></QueryList>

Subscribe Message

Error subscribing. Response code = 401/Unknown

Unable to subscribe for events with Windows event source: 401/Unauthorized. Please verify the credentials provided

 

As per my understanding, If connection is succeeded then credentials are working. Please correct me if I am wrong.

0 Likes

AtulChavan
Beginner
Beginner
In response to YasmineDowidar

‎2017-01-05 03:23 AM

HI Yasmine Dowidar‌,

 

I have enabled debug logs.

Starting work

Starting subscribe

Connecting to 172.X.X.X on port 5985 url /wsman transport mode http user siemmon auth method Basic

Connect succeeded

Subscription Query List : <QueryList><Query Id='0'><Select Path='Application'>*</Select><Select Path='Security'>*</Select><Select Path='System'>*</Select></Query></QueryList>

Subscribe Message

Error subscribing. Response code = 401/Unknown

Unable to subscribe for events with Windows event source: 401/Unauthorized. Please verify the credentials provided

 

As per my understanding, If connection is succeeded then credentials are working. Please correct me if I am wrong.

0 Likes

SravanKoneti
Employee
Employee
In response to AtulChavan

‎2017-01-09 09:58 AM

Hi Atul,

 

Adding to David's recommendation.

 

If this is new integration, Please try below.

1. Verify basic authentication is true or false using winrm e winrm/config/listener command in Windows server

2.  If above is false, Please enable basic authentication using winrm set winrm/config/service/auth @{Basic="true"}

 

Thanks,

Sravan

0 Likes

KEVINDIENST
Beginner
Beginner

‎2017-01-12 02:58 PM

I've seen this behavior before in our environment even when not running Basic auth, i.e. Kerberos or Negotiate. 

 

I'd check a few things first. 

 

Is your time/clock synced with NTP and accurate between the host and your collector?

Is DNS resolution functioning/resolving accurately for the system on the collector?

 

Other than that, 401 means it authenticated just fine, but your request isn't authorized on the host. Usually a bad SDDL setting for your service account on the host. 

 

After verifying the winrm settings post them here minus the SDDL and/or any other sensitive data and maybe we'll see what is up. 

© 2022 RSA Security LLC or its affiliates. All rights reserved.