|Applies To||RSA Product Set: NetWitness Endpoint, ECAT|
RSA Product/Service Type: Database
RSA Version/Condition: 4.2.x
Platform (Other): SQL 2014 Standard/Enterprise, SQL 2012 Standard/Enterprise, SQL 2008 Standard/Enterprise
|Issue||When the SQL server is physically separate from the Netwitness Endpoint server, permissions become more complicated. It is recommended that the QueuedData folder be placed on the SQL server in this situation, but this not always feasible. If the QueuedData directory is on the Netwitness Endpoint server it must be shared and you must specify the path to QueuedData in UNC form in the ConsoleServer.exe.config file.|
The process to update the kernel data is:
When the SQL Server service attempts to bulk insert the KernelData.csv file it fails with the following error:
|Cause||Although Windows will allow you to use impersonated credentials to access local resources, it won't allow you to use impersonated credentials to access a remote resource by default. |
The SQL Server service account needs to be trusted for delegation to allow double-hop authentication.
|Resolution||Delegation is the act of a principal (Service) impersonating another principal (user) to gain access to a 3rd principal (QueuedData share). By enabling delegation, the SQL server is allowed to use the credentials of the ConsoleServer service account to access \\NWEServer\QueuedData\kerneldata.csv|
Kerberos delegation is the act of a principal (Service) impersonating another principal (Console Server service account) to gain access to a 3rd principal (QueuedData share). By enabling delegation, the SQL server is allowed to request a Kerberos ticket-granting it access to \\ECATServer\QueuedData\kerneldata.csv on behalf of the ConsoleServer service account. The TGT and TGS session key are forwarded to SQL by the ConsoleServer service account and it uses them to authenticate the connection to the QueuedData share.
To configure the needed delegation for this scenario, change the radio button in AD as shown below:
Note: The configuration of constrained delegation (the “Trust this user for delegation to specified services only” radio button) is beyond the scope of this document and has not been tested as of the writing of this document.
In some cases, there may not be a delegation “tab” present. The service account must have a Service Principal Name (SPN) attribute value set before the Delegation tab appears.