Article Content
Article Number | 000013416 |
Applies To | RSA Security Analytics, RSA Security Analytics Log Collector, Microsoft WinRM |
Issue | Error message "Unable to pull events from Windows event source host_kerberos_realm: 401/Unauthorized" on an RSA Security Analytics Log Collector. The /var/log/messages file reports errors similar to the following:
|
Resolution | In order to resolve the issue, follow the steps below.
1. Review the Kerberos Ticket Granting Tickets (TGT) on the Log Collector. The klist command generates log messages on the status of the TGT and service tickets for each of the Kerberos Realms.
export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktvl5iTI
Valid starting Expires Service principal
Where the Kerberos tickets exist, an entry should be displayed for all Hosts in all Realms.
When the Kerberos Ticket Granting Ticket (TGT) request is successful, the /var/netwitness/logcollector/runtime/krb5_ccache_dir directory should contain the file primary and a tktaaaaaa file (where aaaaaa is alphanumeric characters) for each Realm. The file primary will contain the name of the tktaaaaaa file that is the Primary Realm.
strings tktaaaaaa
2. Run the kinit command to test the login with the Ticket Granting Tickets (TGT) to the KDC Server.
export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir
Using new cache: :/var/netwitness/logcollector/runtime/krb5_ccache_dir/tkt9L3aAR
Where
Enter the known password for the login name, and confirm the Kerberos authentication is successful.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance. |
Legacy Article ID | a67089 |
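
The cache directory layout described in step 1 (a primary file naming one tktaaaaaa file, plus one tktaaaaaa file per Realm) can be checked with a short script. This is an added example, not part of the RSA article; the function names are hypothetical, and it checks file presence only, not ticket validity.

```shell
#!/bin/sh
# Added example: layout check for the Kerberos DIR: credential cache from step 1.
# Function names are hypothetical; the default path is the one given in the article.

CCACHE_DIR_DEFAULT=/var/netwitness/logcollector/runtime/krb5_ccache_dir

# Print the tkt file named in "primary".
# Returns 1 if primary is missing or empty, 2 if it names a file that does not exist.
primary_cache() {
    dir=$1
    [ -s "$dir/primary" ] || return 1
    name=$(head -n 1 "$dir/primary" | tr -d '\r\n')
    [ -n "$name" ] || return 1
    [ -f "$dir/$name" ] || return 2
    printf '%s\n' "$name"
}

# Print the number of tkt* cache files (the article expects one per Realm).
count_caches() {
    dir=$1
    n=0
    for f in "$dir"/tkt*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Run both checks and report; returns 0 only if the layout matches step 1.
check_ccache_dir() {
    dir=${1:-$CCACHE_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    p=$(primary_cache "$dir") && rc=0 || rc=$?
    case $rc in
        0) echo "OK: primary names $p" ;;
        1) echo "FAIL: $dir/primary is missing or empty"; return 1 ;;
        *) echo "FAIL: primary names a tkt file that does not exist"; return 1 ;;
    esac
    n=$(count_caches "$dir")
    echo "INFO: $n tkt cache file(s) found; expect one per Realm"
    [ "$n" -ge 1 ]
}

# Run the check only when a directory is passed on the command line.
if [ $# -gt 0 ]; then check_ccache_dir "$1"; fi
```

A passing layout check does not prove the tickets are valid or unexpired; klist and kinit in steps 1 and 2 remain the authoritative tests.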