000037921 - RSA NetWitness Platform: "Error! 401/Unauthorized.Possible causes:- Event source (Host) does not map to a Kerberos Realm" due to Incorrect CN name used in Windows Server

Document created by RSA Customer Support Employee on Oct 11, 2019
Version 1

Article Content

Article Number: 000037921
Applies To:
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Issue
  • Windows server side

Running Powershell -File winrmconfig.ps1 -Action enable -ListenerType http -User <username> gives the error below.
[Image: winrm]


  • On the NetWitness collector, /var/log/messages shows the error below.


Jul 24 08:57:31 Host NwLogCollector[9842]: [WindowsCollection] [failure] Error! 401/Unauthorized.Possible causes:- Event source (Test.com) does not map to a Kerberos Realm


  • Running the commands below authenticates successfully as the Windows collection user.

export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir 
kinit -V <CollectionUser@DOMAIN>


  • klist -A shows both TGT and Service Tickets.
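Cause
This issue is due to an incorrect CN being configured on the Windows server side instead of the hostname. This can be identified using the setspn -Q HTTP/<hostname>* command. In the sample output below, the HTTP SPNs for Test are listed under CN=MBAM_IIS.

Sample output: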

C:\Windows\system32>setspn -Q HTTP/Test*
Checking domain DC=DELL,DC=CORP,DC=EMC,DC=IN
CN=MBAM_IIS,OU=Generic ID,DC=DELL,DC=CORP,DC=EMC,DC=IN
http/encrypt.EMC.com
http/Test.DELL.CORP.EMC.IN
http/Test

Existing SPN found!
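
The check described above can be automated. The following Python script is an added example, not part of the original article or of any RSA tooling: it parses setspn -Q output and reports HTTP SPNs for a host that are listed under an account whose CN differs from the hostname. It assumes the host's Active Directory computer account CN equals its short hostname; the function names are hypothetical.

```python
import re

# Sample `setspn -Q HTTP/Test*` output, copied from the article above.
SAMPLE = """\
Checking domain DC=DELL,DC=CORP,DC=EMC,DC=IN
CN=MBAM_IIS,OU=Generic ID,DC=DELL,DC=CORP,DC=EMC,DC=IN
http/encrypt.EMC.com
http/Test.DELL.CORP.EMC.IN
http/Test

Existing SPN found!
"""

def parse_setspn(output):
    """Map each account DN in `setspn -Q` output to the SPNs listed under it."""
    accounts, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.upper().startswith("CN="):
            current = line
            accounts[current] = []
        elif current and re.match(r"^[^\s/]+/\S+$", line):
            accounts[current].append(line)
    return accounts

def account_cn(dn):
    """Return the value of the leading CN= component of a DN."""
    return re.match(r"CN=((?:\\.|[^,])*)", dn, re.I).group(1)

def mismatched_http_spns(output, hostname):
    """Return (spn, owning CN) pairs where HTTP/<hostname> is held by another account."""
    # Assumption: the computer account CN is the short (unqualified) hostname.
    short = hostname.split(".")[0].lower()
    findings = []
    for dn, spns in parse_setspn(output).items():
        cn = account_cn(dn)
        for spn in spns:
            service, _, target = spn.partition("/")
            # Drop any :port suffix and the domain part before comparing.
            spn_host = target.split(":")[0].split(".")[0].lower()
            if service.lower() == "http" and spn_host == short and cn.lower() != short:
                findings.append((spn, cn))
    return findings

if __name__ == "__main__":
    for spn, cn in mismatched_http_spns(SAMPLE, "Test"):
        print(f"{spn} is registered to CN={cn}, not to the host account")
```
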
Resolution
Use the steps below to fix this.
  1. Add an alias for the system in the /etc/hosts file on the Log Collector, i.e. prefix or suffix a unique string to the hostname portion of the FQDN, e.g. NW-Test.DELL.CORP.EMC.IN (NW- added as a prefix to the hostname portion of the FQDN).
  2. Run the setspn command below on the Windows server. This adds a new unique SPN to Active Directory and maps it to the hostname.
     setspn -A HTTP/NW-Test.DELL.CORP.EMC.IN Test
  3. In the NetWitness UI, add the event source to the collector using the new alias as the hostname, i.e. NW-Test.DELL.CORP.EMC.IN, and test the connection; it should succeed.
Notes
If the issue still persists, check the additional knowledge articles below.
https://community.rsa.com/docs/DOC-47791 
https://community.rsa.com/docs/DOC-47129
https://community.rsa.com/docs/DOC-47128
https://community.rsa.com/docs/DOC-47118


 
