Winrm Log Collection: Can I use multiple accounts for the same domain when collecting logs via winrm?
Originally Published: 2015-09-18
Article Number
Applies To
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.X
Issue
Initally Log Collection may work, but will eventually break when the kerberos ticket for the other user is renewed.
The following will be seen in the logs
[root@REMOTELOGCOL ~]# tail -f /var/log/messages |grep -i kerberos Sep 18 07:56:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [failure] Failed to fetch Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL Sep 18 07:57:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [failure] Failed to fetch Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL Sep 18 07:58:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [info] Fetched Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh03_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh03.waugh.local: 401/Unauthorized.Possible causes:- Event source (dwaugh03.waugh.local) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh05_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh05.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (dwaugh05.WAUGH.LOCAL) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh10_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH10.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH10.WAUGH.LOCAL) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh14_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH14.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH14.WAUGH.LOCAL) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh21_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh21.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (dwaugh21.WAUGH.LOCAL) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh23_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH23.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH23.WAUGH.LOCAL) does not map to a Kerberos Realm. [root@REMOTELOGCOL ~]# klist -A Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktI9UDv4 Default principal: RSALOGCOLLECTOR@WAUGH.LOCAL Valid starting Expires Service principal 09/18/15 07:58:00 09/18/15 17:57:53 krbtgt/WAUGH.LOCAL@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh03.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh05.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh10.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh14.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh21.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh23.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/ecat.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:03 09/18/15 17:57:53 HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:03 09/18/15 17:57:53 HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tkt0j1onp Default principal: winrm@WAUGH.LOCAL Valid starting Expires Service principal 09/18/15 07:53:00 09/18/15 17:52:52 krbtgt/WAUGH.LOCAL@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:52:53 09/18/15 17:52:52 HTTP/dwaugh05.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:52:53 09/18/15 17:52:52 HTTP/dwaugh10.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:52:53 09/18/15 17:52:52 HTTP/dwaugh03.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:04 09/18/15 17:52:52 HTTP/dwaugh14.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:04 09/18/15 17:52:52 HTTP/dwaugh21.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:05 09/18/15 17:52:52 HTTP/dwaugh23.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:05 09/18/15 17:52:52 HTTP/ecat.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:11 09/18/15 17:52:52 HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00
Cause
http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#twoprincs
In most Kerberos implementations, there can only be a single principal per credential cache (or ticket file). You can however choose which cache to use by setting the KRB5CCNAME (in V5) andKRBTKFILE (in V4) environment variable.
As a single Kerberos Ticket file is used in the logcollector located at
export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir
then multiple users in the same domain are not possible.
Resolution
Workaround
Notes
Related Articles
Controlling multiple account prompting in Global Forms for RSA Identity Governance & Lifecycle 7.1 Number of Views Web Services updateReviewItems cannot update multiple accounts belonging to the same business source having the same entit… Number of Views Microsoft Outlook on the Web 2016 - RSA Ready SecurID Access Implementation Guide Number of Views Approval items that are rejected by email and have multiple concurrent approvers may potentially be provisioned in RSA Ide… Number of Views Troubleshooting Wildfly clustering Multi-cast connectivity for RSA Via Lifecycle and Governance Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle RSA Authenticator 6.2.2 for Windows Administrator Guide RSA SecurID software token .sdtid file fails to import into RSA SecurID Software Token 5.0 for Windows RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
Don't see what you're looking for?
