This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness Platform: "Error! 401/Unauthorized.Possible causes:- Event source (Host) does not map to a Kerberos Realm" due to Incorrect CN name used in Windows Server

Article Number

000037921

Applies To

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7

Issue

  • Windows server side
Powershell -File winrmconfig.ps1 -Action enable -ListenerType http -User <username> gives error as below.
Image descriptionImage description
  • Netwitness collector /var/log/messages show below error.
Jul 24 08:57:31 Host NwLogCollector[9842]: [WindowsCollection] [failure] Error! 401/Unauthorized.Possible causes:- Event source (Test.com) does not map to a Kerberos Realm
  • Running below commands gives authentication success with windows collection user.
export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir 
kinit -V <CollectionUser@DOMAIN>
  • klist -A shows both TGT and Service Tickets.

Cause

This issue was due to incorrect CN configured on Windows server-side instead hostname. This can be identified using setspn -Q HTTP/<hostname>* command.

sample output: 
C:\Windows\system32>setspn -Q HTTP/Test* 
Checking domain DC=DELL,DC=CORP,DC=EMC,DC=IN 
CN=MBAM_IIS,OU=Generic ID,DC=DELL,DC=CORP,DC=EMC,DC=IN 
http/encrypt.EMC.com 
http/Test.DELL.CORP.EMC.IN 
http/Test

Existing SPN found!

Resolution

Please use below steps for fixing this.
  1. Add an alias for the system in /etc/hosts file on the logcollector i.e. prefix or suffix a unique string to the hostname portion of the fqdn. eg. NW-Test.DELL.CORP.EMC.IN (added NW- as a prefix to hostname portion of fqdn) 
  2. Run below setspn command on Windows Server. This will add a new unique spn to Active directory and map it to the hostname.                                  setspn -A HTTP/NW-Test.DELL.CORP.EMC.IN Test 
  3. On Netwitness W UI, add the event source to the collector using the new alias as the hostname i.e. NW-Test.DELL.CORP.EMC.IN and test connection to get success.

Notes

If still issue persists, Please check below additional knowledge articles.
https://community.rsa.com/docs/DOC-47791 
https://community.rsa.com/docs/DOC-47129
https://community.rsa.com/docs/DOC-47128
https://community.rsa.com/docs/DOC-47118

 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 01:55 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.