000032671 - RSA NetWitness - 401/Unauthorized error while integrating Windows Server 2008 Machine

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Apr 18, 2019.
Version 5

Article Content

Article Number: 000032671
Applies To: RSA Product Set: NetWitness Logs and Network
RSA Version/Condition: 10.5.x, 10.6.x
Issue: The user had a standalone Windows Server 2008 machine that is not joined to a domain and uses Basic authentication. The problem and error message seen when trying to collect logs from that Windows Server 2008 machine are shown below:

[User-added image: the 401/Unauthorized error]
Tasks: Confirm that the integration steps below were completed successfully.

  1. Create a non-Administrator User Account for NetWitness
  2. Add the User Account to the Event Log Readers Group
  3. Assign Privileges and Enable Remote Access
    1. winrm configsddl wmi
    2. wmimgmt
  4. Enable Windows Remote Management over HTTP
    1. winrm quickconfig
    2. winrm set winrm/config/service/auth '@{Basic="true"}'
    3. winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    4. Run wevtutil gl security to read the current channel access SDDL of the Security log, then run wevtutil sl security /ca:<existing-SDDL-string>(A;;0x1;;;S-1-5-20) to append read access (0x1) for NETWORK SERVICE (S-1-5-20) to that existing SDDL
    5. Create a new firewall rule to allow WinRM traffic into event sources
  5. Confirm username and password are correct.
Please refer to the document below for a full understanding of how to perform the steps above.
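The following script is an added example and is not part of the RSA article or the NetWitness product; it performs read-only checks for the prerequisites in the steps above so that a collector failure can be narrowed down before touching credentials. It assumes it is saved as Test-NwCollectorPrereqs.ps1 (an assumed name), run from an elevated PowerShell prompt on the Windows Server 2008 event source, and that the NetWitness account is called nwcollector (an assumption; pass your own name with -CollectorUser).

```powershell
# Added example, not part of the RSA article: read-only checks for the WinRM
# collection prerequisites listed in the steps above. Save as
# Test-NwCollectorPrereqs.ps1 (assumed name) and run from an elevated
# PowerShell prompt on the Windows Server 2008 event source.
# The account name is an assumption; pass your own with -CollectorUser.
param([string]$CollectorUser = 'nwcollector')

function New-Check([string]$name, $pass) {
    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0;
    # [bool] turns the array that -match returns into a single pass/fail value.
    New-Object PSObject -Property @{ Check = $name; Pass = [bool]$pass }
}

$results = @()

# Steps 1 and 2: the collector account is a member of Event Log Readers
$members = net localgroup "Event Log Readers" 2>$null
$pattern = '^\s*' + [regex]::Escape($CollectorUser) + '\s*$'
$results += New-Check 'Account is in Event Log Readers' ($members -match $pattern)

# Step 4.1: a WinRM HTTP listener exists
$listeners = winrm enumerate winrm/config/listener
$results += New-Check 'WinRM HTTP listener present' ($listeners -match 'Transport\s*=\s*HTTP')

# Steps 4.2 and 4.3: Basic auth and unencrypted transport, as the winrm set
# commands above enable them. Basic over plain HTTP carries the password only
# base64-encoded, so this host should be reachable only from the collector network.
$auth = winrm get winrm/config/service/auth
$svc  = winrm get winrm/config/service
$results += New-Check 'Basic authentication enabled' ($auth -match 'Basic\s*=\s*true')
$results += New-Check 'AllowUnencrypted enabled'     ($svc  -match 'AllowUnencrypted\s*=\s*true')

# Step 4.4: the Security channel SDDL carries the ACE that grants read (0x1)
# to NETWORK SERVICE (S-1-5-20), which the wevtutil sl step appends
$channel = wevtutil gl security
$ace = [regex]::Escape('(A;;0x1;;;S-1-5-20)')
$results += New-Check 'Security log ACE for S-1-5-20' ($channel -match $ace)

# Step 4.5: a firewall rule for WinRM exists (coarse check: the rule name is
# assumed to contain "WinRM" or "Remote Management"; adjust to your rule name)
$rules = netsh advfirewall firewall show rule name=all
$results += New-Check 'Firewall rule for WinRM present' ($rules -match 'Rule Name:.*(WinRM|Remote Management)')

$results | Format-Table Check, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
exit 0
```

A failed row points at the step to repeat; the script changes nothing itself. The firewall check only confirms that a rule with a matching name exists, not that it is enabled or inbound, so inspect the rule by hand if that row is the only failure.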

One further step to confirm is that this computer does indeed allow access from the network. This is not written in the documents because it is usually enabled by default.
Resolution: On the Windows Server machine, perform the following:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy. This opens the Local Security Settings console.
  2. In the Local Security Policy, expand Local Policy and click on User Rights Assignment.
  3. In the right-hand pane, find the policy named "Access this computer from the network".
    [User-added image]
  4. Confirm that your user/group is allowed in this security setting by double-clicking on the policy. If not, you can add the group right away.
    [User-added image]
  5. Add the group.

    [User-added image]
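The following script is an added example and is not part of the RSA article; it checks the same setting from the command line by exporting the local policy with secedit and testing whether the collector account, or any group it belongs to, is listed under "Access this computer from the network" (SeNetworkLogonRight). It also checks the matching "Deny access to this computer from the network" right, because a deny entry overrides an allow entry and produces the same logon failure. It assumes an elevated PowerShell prompt on the event source and an account named nwcollector (an assumption; pass your own with -CollectorUser).

```powershell
# Added example, not part of the RSA article: confirm that the collector account
# effectively holds "Access this computer from the network" (SeNetworkLogonRight)
# and is not caught by the overriding "Deny access to this computer from the
# network" right. Run from an elevated PowerShell prompt on the event source.
# The account name is an assumption; pass your own with -CollectorUser.
param([string]$CollectorUser = 'nwcollector')

# secedit writes the effective local policy as an INF; only the user rights area is needed
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

function Resolve-Sid([string]$account) {
    $nt = New-Object System.Security.Principal.NTAccount($account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-RightSids([string]$right) {
    # INF lines look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-1-0
    $line = $policy | Where-Object { $_ -match ('^' + $right + '\s*=') }
    if (-not $line) { return @() }
    $values = ($line -replace ('^' + $right + '\s*=\s*'), '') -split ','
    foreach ($v in $values) {
        $v = $v.Trim()
        if ($v.StartsWith('*')) { $v.Substring(1) }   # already a SID
        elseif ($v) { Resolve-Sid $v }                # secedit may emit a name instead
    }
}

# Identities the account carries on a network logon: its own SID, the SIDs of
# its local groups (WinNT ADSI provider, available on Server 2008), and the
# implicit Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) groups.
$principals = @((Resolve-Sid $CollectorUser), 'S-1-1-0', 'S-1-5-11')
$user = [ADSI]"WinNT://./$CollectorUser,user"
foreach ($g in $user.Groups()) {
    $name = $g.GetType().InvokeMember('Name', 'GetProperty', $null, $g, $null)
    $principals += Resolve-Sid $name
}

$allowed = Get-RightSids 'SeNetworkLogonRight'
$denied  = Get-RightSids 'SeDenyNetworkLogonRight'

$grant = $principals | Where-Object { $allowed -contains $_ }
$block = $principals | Where-Object { $denied  -contains $_ }

if ($block) {
    Write-Output "FAIL: $CollectorUser is denied network access via $($block -join ', ')"
    exit 1
} elseif ($grant) {
    Write-Output "PASS: $CollectorUser is granted network access via $($grant -join ', ')"
    exit 0
} else {
    Write-Output "FAIL: $CollectorUser is not listed under 'Access this computer from the network'; add the account or one of its groups as shown above"
    exit 1
}
```

On a default installation the PASS line usually names S-1-5-32-545 (Users) or S-1-1-0 (Everyone), which is why the setting is normally not an issue; a hardened image that removed those groups, or a deny entry added by a baseline, is what the Resolution steps above repair.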