Article Number
000001114
Applies To
| RSA Product Set | NetWitness Endpoint (ECAT) |
| RSA Version/Condition | 4.3.x, 4.4.x |
| Platform | Windows |
Issue
Group Managed Service Accounts
Group Managed Service Accounts (gMSAs) are an advanced Active Directory option for running services under one managed identity across multiple machines in a Windows environment. Enabling these accounts for trust delegation on the SQL server makes delegation possible when the QueuedData folder for NetWitness Endpoint is located on a remote share rather than on the SQL server itself. Without this setting, the kernel data download (the kernel encodings from the KernelData.csv file in the QueuedData folder) fails to update into the database because the bulk insert of that file fails, and an increasing number of agents display offline driver errors until the issue is resolved.
Resolution
Configuring Group Managed Service Accounts
Pre-Requirements:
- NWE Console Server configured to connect to a database on another server (the default database is ECAT$PRIMARY)
- A SQL Server separate from the Console Server running the ECAT database
- A remote folder/partition for the QueuedData folder. For these steps this folder can be located on the Console Server machine, but not on the SQL database server. Otherwise, it should be on a remote machine with the folder shared to both machines.
- Active Directory and DNS with Kerberos must be configured in the environment. NOTE: All connection settings, including the address of the database that the Console Server connects to, must use HOSTNAMES, not IP addresses; otherwise NTLM will be used instead of Kerberos for the connection.
Installation:
- The process starts on the AD server with the KDS root key. Not every environment needs to create one; in fact, if you are following these steps, chances are you will not, but it must be verified. First, confirm the presence of the root key:
Notes
Use the following query on the SQL database after setup is complete to verify that connections to the SQL server are using Kerberos:

```sql
-- List every user session together with the authentication scheme its connection negotiated.
select s.session_id,
       @@SERVERNAME as ServerName,
       s.original_login_name,
       c.net_transport,
       c.auth_scheme,      -- KERBEROS, NTLM or SQL
       c.local_tcp_port,
       s.host_name,
       s.program_name
from sys.dm_exec_sessions s
left outer join sys.dm_exec_connections c
  on (s.session_id = c.session_id)
where s.is_user_process = 1  -- exclude SQL Server's own system sessions
```

In the auth_scheme column, connections that negotiated Kerberos show KERBEROS (for example, on the default SQL port 1433); a value of NTLM indicates the fallback described in the pre-requirements, typically caused by connecting with an IP address instead of a hostname.
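The two checks described above (confirming the KDS root key before creating the gMSA, and verifying that SQL sessions use Kerberos) can be combined into one script. This is an added example, not part of the RSA article or the NetWitness product; it assumes the ActiveDirectory and SqlServer PowerShell modules are installed, that it runs as a domain administrator with access to the SQL server, and that `$SqlHost` is the SQL Server hostname the Console Server is configured to use (the hostname shown is a placeholder).

```powershell
# Added example (not from the RSA article): pre-checks for the gMSA/Kerberos setup.
# Assumes the ActiveDirectory and SqlServer modules and a domain admin session.
param(
    [Parameter(Mandatory)][string]$SqlHost,      # placeholder, e.g. 'sqlsrv01.corp.example'
    [string]$Database = 'ECAT$PRIMARY'           # default NWE database named in the article
)
Import-Module ActiveDirectory
Import-Module SqlServer

# 1. The article requires hostnames, not IP addresses, or the connection falls
#    back to NTLM. Refuse an IP literal up front.
$ip = $null
if ([System.Net.IPAddress]::TryParse($SqlHost, [ref]$ip)) {
    throw "Use the SQL Server hostname, not an IP address, or Kerberos will not be negotiated."
}

# 2. A gMSA cannot be created until a KDS root key exists and is effective.
$keys = Get-KdsRootKey
if (-not $keys) {
    Write-Warning "No KDS root key found in this forest; create one before creating the gMSA."
} else {
    $keys | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize
}

# 3. Same query as the Notes section; flag any user session not authenticated with Kerberos.
$query = @"
SELECT s.session_id, c.auth_scheme, c.net_transport, c.local_tcp_port,
       s.host_name, s.program_name, s.original_login_name
FROM sys.dm_exec_sessions s
LEFT OUTER JOIN sys.dm_exec_connections c ON s.session_id = c.session_id
WHERE s.is_user_process = 1
"@
# Integrated (Windows) authentication is used, so this session itself appears in the result.
# On SqlServer module 22+ with a self-signed certificate, add -TrustServerCertificate.
$sessions = Invoke-Sqlcmd -ServerInstance $SqlHost -Database $Database -Query $query
$nonKerberos = $sessions | Where-Object { $_.auth_scheme -ne 'KERBEROS' }
if ($nonKerberos) {
    Write-Warning "Sessions not using Kerberos (check hostname vs. IP in the connection settings):"
    $nonKerberos | Format-Table -AutoSize
} else {
    "All $(@($sessions).Count) user sessions are authenticating with Kerberos."
}
```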