000012983 - WinRM Event Source does not map to a Kerberos Realm in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000012983
Applies To: RSA Security Analytics, RSA Security Analytics Log Collector, Microsoft WinRM
Issue: WinRM Event Source does not map to a Kerberos Realm in RSA Security Analytics.

WinRM collection might fail, with the following error in the Log Collector logs:



May  8 12:14:29 xxxxxxxx nw[5906]: [WindowsCollection] [failure] [eventsourcename.example_com] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source eventsourcename.example.com: 401/Unauthorized.Possible causes:- Event source (eventsourcename.example.com) does not map to a Kerberos Realm.


Resolution

To resolve the issue, follow the steps below.


1. On the Log Collector, open the /etc/krb5.conf file.


2. Add rdns=false under [libdefaults].


3. Save the file.


4. In the Security Analytics user interface, configure the Event Source using the FQDN, not the IP address.


5. Restart the Windows collection from the Security Analytics user interface.

Notes: Setting rdns to false prevents the use of reverse DNS resolution when translating hostnames into service principal names. The default is true. Setting this flag to false is more secure, but forces users to exclusively use fully qualified domain names when authenticating to services.
Legacy Article ID: a65532
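
Steps 1 to 3 and the FQDN requirement in step 4, scripted as an added example (not RSA's own tooling). The function names, the EXAMPLE.COM realm and the sample file are constructed; the demo edits a temporary file, not the live /etc/krb5.conf.

```shell
# Added example: audit and set "rdns = false" under [libdefaults] in a krb5.conf.
# Function names and the sample file below are constructed for illustration.

# Print the first rdns value under [libdefaults]; prints nothing when unset
# (the page states the default is then true).
get_rdns() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && !seen && /^[ \t]*rdns[ \t]*=/ {
            sub(/^[ \t]*rdns[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; seen = 1
        }
    ' "$1"
}

# Rewrite FILE with exactly one "rdns = false" under [libdefaults]; keeps FILE.bak.
set_rdns_false() {
    file=$1
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*\[/ {
            in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); print
            if (in_lib && !done) { print "    rdns = false"; done = 1 }
            next
        }
        in_lib && /^[ \t]*rdns[ \t]*=/ { next }  # drop older rdns settings
        { print }
        END { exit(done ? 0 : 1) }
    ' "$file" > "$tmp" || { rm -f "$tmp"; echo "no [libdefaults] in $file" >&2; return 1; }
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Step 4 check: succeed when the configured event source address is an IPv4 literal.
is_ipv4_literal() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Demo on a constructed sample, not the live /etc/krb5.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = true

[domain_realm]
    .example.com = EXAMPLE.COM
EOF
echo "before: rdns=$(get_rdns "$sample")"
set_rdns_false "$sample"
echo "after:  rdns=$(get_rdns "$sample"), backup: $sample.bak"
```

On the Log Collector, run `set_rdns_false /etc/krb5.conf` as root, then restart the Windows collection as in step 5.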
