000017422 - RSA NetWitness WinRM error: 'Unable to subscribe for events with Windows event source [ip address]: 401/Unauthorized'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 26, 2019.
Version 3

Article Content

Article Number: 000017422
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector, Microsoft WinRM
RSA Version/Condition: 10.6.x, 11.x
Issue: RSA NetWitness WinRM error: "Unable to subscribe for events with Windows event source [ip address]: 401/Unauthorized"

When attempting to add a Microsoft Windows Domain Controller event source with WinRM, an error like the following appears in the NetWitness Log Collector log. In this example 192.168.1.199 is the IP address of the Microsoft Windows Domain Controller:

    Unable to subscribe for events with Windows event source 192.168.1.199: 401/Unauthorized.
    Possible causes: - Event source (192.168.1.199) does not map to a Kerberos Realm.
    Krb5CredCacheWrapper: Cannot contact any KDC for requested realm while getting initial credentials

Cause

In the example error above, the event source IP address 192.168.1.199 cannot be resolved in DNS to a FQDN.
This can be verified with the following command: nslookup 192.168.1.199

If the correct FQDN is not returned, the IP address cannot be resolved, and the Log Collector cannot obtain a Kerberos ticket for the host.
This error can also occur when the FQDN does resolve but does not map to a Kerberos Realm.

Resolution

When configuring WinRM for a Windows Domain Controller event source, the FQDN should be used, not an IP address.

1. In the NetWitness UI, go to Admin > Services > {Log Collector} > Config, Event Sources tab.
2. Select Windows in the dropdown.
3. Delete the Windows Domain Controller entry under Event Categories > Hosts where the Event Source Address is an IP address.
4. Add a new Windows Domain Controller entry where the Event Source Address is the FQDN of the Windows Domain Controller server.

Ensure the NetWitness Log Collector appliance is able to resolve the configured FQDN to the correct IP address.
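The following script is an added example and is not part of the RSA article or the NetWitness product. It is a pre-flight check to run on the Log Collector appliance before adding a WinRM event source: it rejects an address that is an IP rather than an FQDN, shows how the reverse-lookup output of nslookup is read, and checks whether the FQDN maps to a realm in the [domain_realm] section of krb5.conf (the second cause the article lists). The host names, IP addresses and krb5.conf snippet are constructed sample values; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the RSA article): pre-flight checks for a WinRM
# event source address. The live check at the bottom uses getent/nslookup
# and the appliance's resolver; the parsers run offline on sample data.

# is_ip_address ADDRESS -> succeeds if ADDRESS is a dotted-quad IPv4 address
is_ip_address() {
    case "$1" in
        *[!0-9.]*) return 1 ;;   # any character other than digits and dots
        *.*.*.*)   return 0 ;;
        *)         return 1 ;;
    esac
}

# parse_nslookup_ptr OUTPUT -> prints the host name from reverse-lookup output
# of the Linux form "x.x.x.x.in-addr.arpa   name = host.example.com."
parse_nslookup_ptr() {
    printf '%s\n' "$1" | sed -n 's/^.*name = \([^ ]*\)\.$/\1/p' | head -n 1
}

# realm_for_fqdn FQDN KRB5CONF_TEXT -> prints the realm that the [domain_realm]
# section of KRB5CONF_TEXT maps FQDN to (longest matching suffix wins);
# prints nothing when the name maps to no realm, which is the article's error.
realm_for_fqdn() {
    printf '%s\n' "$2" | awk -v host="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^\[/ { sub(/[ \t]+$/, ""); in_dr = ($0 == "[domain_realm]"); next }
        in_dr && /=/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            n = split($0, kv, /[ \t]*=[ \t]*/)
            if (n < 2) next
            dom = tolower(kv[1]); realm = kv[2]
            if (dom ~ /^\./) {
                # ".mydomain.com" covers every host below that domain
                hit = (length(host) > length(dom) && substr(host, length(host) - length(dom) + 1) == dom)
            } else {
                # a bare "mydomain.com" covers only that exact name
                hit = (host == dom)
            }
            if (hit && length(dom) > best) { best = length(dom); out = realm }
        }
        END { if (out != "") print out }'
}

# check_event_source ADDRESS [KRB5CONF_PATH] -> live check: FQDN given, forward
# and reverse DNS agree, and the name maps to a Kerberos realm.
check_event_source() {
    addr="$1"; conf="${2:-/etc/krb5.conf}"
    if is_ip_address "$addr"; then
        echo "FAIL: $addr is an IP address; enter the FQDN instead" >&2; return 1
    fi
    case "$addr" in *.*) ;; *) echo "FAIL: $addr is not fully qualified" >&2; return 1 ;; esac
    ip=$(getent hosts "$addr" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "FAIL: $addr does not resolve" >&2; return 1; }
    ptr=$(parse_nslookup_ptr "$(nslookup "$ip" 2>/dev/null)")
    [ "$(printf '%s' "$ptr" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$addr" | tr 'A-Z' 'a-z')" ] \
        || echo "WARN: reverse lookup of $ip returns '$ptr', not $addr" >&2
    realm=$(realm_for_fqdn "$addr" "$(cat "$conf")")
    [ -n "$realm" ] || { echo "FAIL: $addr maps to no realm in $conf" >&2; return 1; }
    echo "OK: $addr -> $ip, realm $realm"
}

# Constructed sample data (not real infrastructure) for running offline
SAMPLE_PTR='199.1.168.192.in-addr.arpa   name = dc01.mydomain.com.'
SAMPLE_KRB5CONF='[libdefaults]
 default_realm = MYDOMAIN.COM

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
 .lab.mydomain.com = LAB.MYDOMAIN.COM'

if [ $# -gt 0 ]; then
    check_event_source "$@"      # live check of a real address, e.g. dc01.mydomain.com
else
    echo "PTR of 192.168.1.199: $(parse_nslookup_ptr "$SAMPLE_PTR")"
    echo "realm of dc01.mydomain.com: $(realm_for_fqdn dc01.mydomain.com "$SAMPLE_KRB5CONF")"
    echo "realm of 192.168.1.199: '$(realm_for_fqdn 192.168.1.199 "$SAMPLE_KRB5CONF")' (empty: no realm, as in the article)"
fi
```

Run it without arguments to see the parsers work on the sample data, or with the FQDN you intend to enter as the Event Source Address to run the live checks. An empty realm for an IP address reproduces the "does not map to a Kerberos Realm" cause: the [domain_realm] lookup is by name suffix, so an IP can never match, which is why the Event Source Address has to be the FQDN.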
Notes

The FQDN (Fully Qualified Domain Name) is a DNS name that uniquely identifies the computer on the network.
An FQDN is a concatenation of the hostname and the primary DNS suffix, delimited with periods.
An example of the FQDN format is hostname.mydomain.com
Legacy Article ID: a65455
