2014-03-26 08:04 AM
Of late we are experiencing a strange issue: we are unable to pull logs from non-domain controllers. However, with the same event source we are able to pull events from domain controllers.
While investigating we found the below error message.
[windows:WrkUnit[1]:3549] [doWork:165] [NawrasAd.10_x_x_x] [processing] [NawrasAd.10_x_x_x] Unable to subscribe for events with Windows event source 10.x.x.x: 401/Unauthorized.
Possible causes:
- Event source (10.x.x.x) not a FQDN. DNS resolution failed or does not map to a Kerberos Realm.
Recently we upgraded SA to 10.3 following a suggestion from technical support, yet the issue persists.
Thanks in advance.
2014-03-28 09:07 AM
Hi Saran,
A customer has the same issue and we haven't found any solution yet.
I'm pretty interested if someone has any suggestion.
2014-03-29 05:42 AM
Is the non-domain controller joined to the domain? I tried a domain controller and a non-domain PC; so far no issue.
2014-03-30 02:10 AM
Can you dump the winrm config?
Normally it's because the statement below didn't run:
winrm set winrm/config/service @{AllowUnencrypted="true"}
2014-03-30 02:17 AM
Yes, it's part of the same domain. I will try to run the command below on one of the non-working servers and update you on the status... Thanks for your reply...
2014-03-30 02:58 AM
I've tested; both workgroup and domain computers are working fine.
2014-03-30 08:30 AM
Please find the below screenshot...
2014-03-30 09:04 AM
Do you still have the issue? Can you post winrm get winrm/config?
Thank you.
2014-03-31 05:36 AM
Here is the winrm configuration:
winrm get winrm/config
Config
    MaxEnvelopeSizekb = 150
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 15
        EnumerationTimeoutms = 60000
        MaxConnections = 25
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 180000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 15
        MaxMemoryPerShellMB = 150
        MaxShellsPerUser = 5
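An added example, not part of the original posts: a small Python parser for a winrm get winrm/config dump like the one above. It works even when the paste has lost its indentation, and it reports where Basic authentication is enabled together with AllowUnencrypted = true, plus a wildcard TrustedHosts. The function names and the sample text are constructed for this illustration.

```python
SECTIONS = {"Client", "Service", "Winrs"}
# Keys of each nested group; any other key closes the group (handles flattened pastes).
SUBSECTION_KEYS = {
    "Auth": {"Basic", "Digest", "Kerberos", "Negotiate", "Certificate",
             "CredSSP", "CbtHardeningLevel"},
    "DefaultPorts": {"HTTP", "HTTPS"},
}
# Constructed sample: a subset of the dump posted above, without indentation.
SAMPLE = """Config
Client
AllowUnencrypted = true
Auth
Basic = true
DefaultPorts
HTTP = 5985
TrustedHosts = *
Service
AllowUnencrypted = true
Auth
Basic = true
CbtHardeningLevel = Relaxed
CertificateThumbprint
"""

def parse_winrm_config(text):
    """Map 'Section/Group/Key' -> value, with or without indentation."""
    settings, section, sub = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "Config":
            continue
        if line in SECTIONS:
            section, sub = line, None
        elif line in SUBSECTION_KEYS:
            sub = line
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if sub and key not in SUBSECTION_KEYS[sub]:
                sub = None  # e.g. TrustedHosts follows DefaultPorts but belongs to Client
            settings["/".join(p for p in (section, sub, key) if p)] = value
    return settings

def audit(settings):
    """Flag settings that let credentials travel without transport protection."""
    on = lambda path: settings.get(path, "").lower() == "true"
    findings = [f"{side}: Basic auth enabled with AllowUnencrypted = true"
                for side in ("Client", "Service")
                if on(f"{side}/AllowUnencrypted") and on(f"{side}/Auth/Basic")]
    if settings.get("Client/TrustedHosts") == "*":
        findings.append("Client: TrustedHosts = * trusts every host without mutual authentication")
    return findings
```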
2014-03-31 07:12 AM
Do you have a time difference between the Log Collector and the non-Domain Controller hosts? Kerberos is very sensitive to time differences.