From what I can tell the Investigator client only can leverage local accounts to the broker/concentrator service.
Is that correct?
yes it still works, I just sent you the old document.
In an older version you could configure a Broker/Concentrator with the correct PAM settings and get it to work with Kerberos authentication (using Investigator thick client). This may still be an option in newer versions.
Thanks John I'll review the doc and test it out, appreciate it.
Could you post that article please? I think that the majority of people using the investigator would at least like to know about this option if not leverage. In reality, I would think that only a fraction of customers would be using static accounts.
Even if it's something old, as long as it hasn't been superseded, I don't understand why RSA documentation team wouldn't incorporate it into the 146 page user guide.
I'll do that, unfortunately, it won't let me attach a file to this thread, so I'll create an article with the document in it.
As for why RSA doesn't have this in the User Guide, they don't want you to use the thick client, they want you to use the UI for everything, it's that simple. Yes, I agree, there should be a guide available with the thick client that shows how to enable external PAM authentication for the core services (be it Kerberos, SecureID, LDAP, etc.).
Makes sense. Thank you John!
In that case I would suggest to RSA Marketing to stop making software that they don't want their customers to use and focus their engineering and documentation resources on the core releases that could be improved.
So far UAT testing looks good and hasn't broken the web interface AD integration via LDAP queries. I'll keep testing and then look at slowly deploying out.
Only negative it seems is I have to manually create a local account with Auth Type as External on any service that'll be connected to via the NetWitness Investigator client.
Yes, since you are totally bypassing the UI, you are working directly with the Core Device Security, and will have to create accounts on those devices, assign them a Role (group) and set them to external. This is no different than if you have an account for doing REST or NwConsole connections to the core devices.
FYI, i have put in a request for 11.x (no idea what version it may come in) to add a checkbox on the SA UI accounts, to "replicate to core devices" where it will bring up a pop-up and let you select the devices you want the account to be pushed to, it the account is using "external" auth on SA, then it will be set to use external auth on the core devices (of course that implies that you have some form of external PAM authentication configured on those devices.
Retrieving data ...