Troubleshooting Identity Awareness

Domain administrator credentials (be sure to use a Domain Administrator account when connecting to Active Directory from the wizard)

Security Gateway – Domain Controller communication

In order to configure and use AD Query (ADQ), the Security Gateway must have connectivity to the Domain Controllers over DCE-RPC (port 135, followed by a dynamically negotiated port) and over LDAP or LDAP over SSL, depending on your Domain Controller configuration. (Note: LDAP over SSL must be configured explicitly on your Domain Controllers.)

Configuring the Firewall

If a Security Gateway is located between the Security Gateway with Identity Awareness / log server and the Active Directory Domain Controller, configure that Firewall to allow WMI traffic. See "To create Firewall rules for WMI traffic" (below).

SmartDashboard – Domain Controller communication (during the First Time Configuration Wizard)

In order for the wizard to configure AD Query (ADQ), it must have connectivity to the Domain Controller. For this step, connectivity means both TCP/IP connectivity (i.e., ping succeeds) and the ability to resolve the Domain Controller in DNS (i.e., running ‘nslookup’, then ‘set type=srv’, then ‘_ldap._tcp.your_domain.here’ returns the SRV records). It is preferable to run the wizard from a computer that is a Domain Member, since it can then detect and configure all of the Domain Controllers. If you run it from a computer that is not a Domain Member, only the one Domain Controller that you enter manually is configured, and you will have to enter the rest manually. If you do not have connectivity when running the First Time Configuration Wizard, you will have to create an LDAP Account Unit manually for AD Query (ADQ) to work.
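
The connectivity pre-checks described above, as an added example that is not part of the original guide: it runs on the SmartDashboard computer, performs the same _ldap._tcp SRV lookup the wizard relies on, and then tests ICMP plus the DCE-RPC and LDAP ports against each Domain Controller it finds. It assumes Windows PowerShell 4.0 or later (for Resolve-DnsName and Test-NetConnection); the $Domain value is a placeholder.

```powershell
# Added example, not part of the guide: the connectivity pre-checks the First Time
# Configuration Wizard depends on, run from the SmartDashboard computer.
# Assumes Windows PowerShell 4.0 or later (Resolve-DnsName, Test-NetConnection).
# $Domain is a placeholder; replace it with your AD DNS domain name.
param(
    [string]$Domain = 'your_domain.here'
)

# 1. SRV lookup of _ldap._tcp.<domain>: the same query as
#    nslookup / set type=srv / _ldap._tcp.<domain>, and how the wizard
#    discovers all Domain Controllers when run from a Domain Member.
$srv = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'SRV' }
if (-not $srv) {
    throw "No _ldap._tcp SRV records for $Domain; the wizard cannot auto-detect Domain Controllers."
}
$dcs = $srv | Select-Object -ExpandProperty NameTarget -Unique

# 2. For each Domain Controller: ICMP reachability, then the TCP ports AD Query uses:
#    135 (DCE-RPC endpoint mapper; a dynamic port is negotiated afterwards),
#    389 (LDAP) and 636 (LDAP over SSL, only if configured on the DC).
$results = foreach ($dc in $dcs) {
    $ping = Test-Connection -ComputerName $dc -Count 1 -Quiet
    $open = @{}
    foreach ($port in 135, 389, 636) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $open[$port] = $t.TcpTestSucceeded
    }
    [pscustomobject]@{
        DomainController = $dc
        Ping             = $ping
        Tcp135_DceRpc    = $open[135]
        Tcp389_Ldap      = $open[389]
        Tcp636_Ldaps     = $open[636]
    }
}
$results | Format-Table -AutoSize

# Reading the table: 636 closed is expected unless LDAP over SSL was explicitly
# configured on the DC; 135 or 389 closed on a host that answers ping usually
# means a firewall sits between this computer and the Domain Controller.
```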

To verify that the WMI service is running on the domain controller:

Click Start > Run.

Enter services.msc in the Run window.

Find the Windows Management Instrumentation service and confirm that it is started.

If it is not started, right-click the service and select Start.

Use wbemtest to verify that WMI is functional and accessible:

Click Start > Run.

Enter wbemtest.exe in the Run window.

In the Windows Management Instrumentation Tester window, click Connect.

In the Connect window, in the first field, enter the Domain controller, in this format: \\<IP address>\root\cimv2

In the Credentials > User field, enter the fully qualified AD user name. For example: ad.company.com\admin

Enter a password for the user.

Click Connect.

If the Windows Management Instrumentation Tester window re-appears with its buttons enabled, WMI is fully functional.

If the connection fails, or you get an error message, check for these conditions:

Connectivity problems.

Incorrect domain administrator credentials.

The WMI service is not running.

A Firewall is blocking traffic between the Security Gateway with Identity Awareness / log server and the domain controller.

To verify your domain administrator credentials:

Click Start > Run.

Enter \\<domain controller IP>\c$ in the Run window. For example: \\11.22.33.44\c$.

In the Logon window, enter your domain administrator user name and password.

If the domain controller's root directory appears, your domain administrator account has sufficient privileges. An error message may indicate one of these conditions:

The user does not have sufficient privileges, which means the account is not defined as a domain administrator. Obtain domain administrator credentials.

You entered an incorrect user name or password. Check and retry.

The domain controller IP address is incorrect, or you are experiencing connectivity issues.

The WMI service is not running. Verify that the WMI service is started (see above).

Confirm that Security Event Logs are Recorded

If you have checked connectivity but still do not see identity information in logs, make sure that the necessary event logs are being recorded to the Security Event Log.

AD Query reads these events from the Security Event Log:

Windows 2003 servers: 672, 673, 674
Windows 2008 servers: 4624, 4768, 4769, 4770
Windows 2012 servers: 4624, 4768, 4769, 4770

Make sure you see the applicable events in the Event Viewer on the domain controller (My Computer > Manage > Event Viewer > Security). If they are not there, follow these steps. The Audit Policy is defined in the Group Policy Management Editor.
1. Log on to the Windows Domain Controller server with an account that has Administrator rights.
2. Make sure that the Group Policy snap-in is installed.
3. Open the Group Policy Management Console (GPMC).
4. Navigate to the “Default Domain Controllers Policy”:
Group Policy Management Console -> Domain Controllers -> Default Domain Controllers Policy
5. Right-click the ‘Default Domain Controllers Policy’ and click “Edit”.
6. In the Group Policy Management Editor, navigate to the “Audit Policy” node:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
7. In the right pane, double-click the policy that you want to configure (enable/disable).
8. Configure the following:

◦ ”Audit account logon events” – select both “Success” and “Failure”.
◦ ”Audit account management” – select both “Success” and “Failure”.
◦ ”Audit directory service access” – select “Success” (for GPO and OU auditing).
◦ ”Audit logon events” – select both “Success” and “Failure” (for local logon auditing).
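
Both the wbemtest check above and the Security Event Log check in this section, as an added example that is not part of the original guide: it opens the same \\<DC>\root\cimv2 connection that wbemtest does, then counts the Windows 2008/2012 event IDs AD Query reads and names the Audit Policy setting behind any that are missing. It assumes Windows PowerShell 5.1 (Get-WmiObject connects over DCOM like wbemtest) and that the DC's firewall allows remote Event Log reads; the address and credential prompt are placeholders.

```powershell
# Added example, not part of the guide: reproduces the wbemtest connection to
# \\<DC>\root\cimv2 and checks that the Security log on the Domain Controller
# contains the event IDs AD Query reads (Windows 2008 and later). Assumes
# Windows PowerShell 5.1 (Get-WmiObject connects over DCOM, like wbemtest) and
# that remote Event Log reads are allowed by the DC's firewall.
# The address and credential below are placeholders.
param(
    [string]$DomainController = '11.22.33.44',
    [pscredential]$Credential = (Get-Credential -Message 'Domain administrator, e.g. ad.company.com\admin'),
    [int]$LookbackMinutes = 60
)

# 1. Same path as wbemtest: the root\cimv2 namespace on the DC with domain admin credentials.
#    "Access is denied" means the account is not a domain administrator;
#    "The RPC server is unavailable" points at blocked DCE-RPC (port 135 / dynamic ports).
$svc = Get-WmiObject -ComputerName $DomainController -Credential $Credential `
    -Namespace 'root\cimv2' -Class Win32_Service -Filter "Name='Winmgmt'" -ErrorAction Stop
"WMI reachable on {0}; Windows Management Instrumentation service state: {1}" -f $DomainController, $svc.State

# 2. Event IDs AD Query consumes, each mapped to the Audit Policy setting in the
#    Default Domain Controllers Policy that produces it.
$required = @{
    4624 = 'Audit logon events'
    4768 = 'Audit account logon events'
    4769 = 'Audit account logon events'
    4770 = 'Audit account logon events'
}
try {
    $events = Get-WinEvent -ComputerName $DomainController -Credential $Credential -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'Security'; Id = @($required.Keys); StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
} catch {
    # Get-WinEvent reports an empty result as an error; any other error is a real failure.
    if ($_.Exception.Message -notmatch 'No events were found') { throw }
    $events = @()
}
$counts = $events | Group-Object -Property Id

foreach ($id in ($required.Keys | Sort-Object)) {
    $group = $counts | Where-Object { $_.Name -eq "$id" }
    $n = if ($group) { $group.Count } else { 0 }
    if ($n -gt 0) {
        "Event {0}: {1} in the last {2} min" -f $id, $n, $LookbackMinutes
    } else {
        "Event {0}: none in the last {1} min; check '{2}' (Success) in the Default Domain Controllers Policy" -f $id, $LookbackMinutes, $required[$id]
    }
}
```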

To create Firewall rules for WMI traffic:

In SmartDashboard > Firewall, create a rule that allows ALL_DCE_RPC traffic:

Source = Security Gateways that run AD Query

Destination = Domain Controllers

Service = ALL_DCE_RPC

Action = Accept

Save the policy and install it on Security Gateways.

Note – If there are connectivity issues on DCE RPC traffic after this policy is installed, see sk37453 for a solution.

For an in-depth look at how AD Query and WMI work, see sk60301.


References:

sk60301

sk37453

sk99006

Identity Awareness R77 Versions Administration Guide