NetWitness LogCollector: Error! 401/Unauthorized.Possible causes:- Event source (Host) does not map to a Kerberos Realm due to clock difference.
Issue
- The NetWitness LogCollector's /var/log/messages shows the error below when a test connection to the Windows server is run.
May 24 08:57:31 Host NwLogCollector[9842]: [WindowsCollection] [failure] Error! 401/Unauthorized.Possible causes:- Event source (Test.com) does not map to a Kerberos Realm
- nslookup for the Windows server works for both the IP address and the FQDN.
- Running the commands below on the LogCollector shows both a TGT and a service ticket.
export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir
klist -A
- The following example shows a typical klist output:
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktdawC0c
Default principal: collectoruser@2K8R2-VCLOUD.LOCAL
Valid Starting Expires Service Principal
02/03/16 07:41:51 02/03/16 17:41:51 krbtgt/2K8R2-VCLOUD.LOCAL@2K8R2-VCLOUD.LOCAL
renew until 02/10/16 07:41:51
Addresses: (none)
02/03/16 07:43:51 02/03/16 17:41:51 HTTP/2k8r2-dc1.2k8r2-vcloud.local@2K8R2-VCLOUD.LOCAL
renew until 02/10/16 07:41:51
Addresses: (none)
- The ticket starting with krbtgt is the TGT ticket, while the one starting with HTTP is the service ticket.
- We ran the following tcpdump command:
tcpdump -i any host Test.com -w kerb.pcap
The capture shows the following error:
23 2021-06-03 14:52:42.686616 Test.comIP LCIP HTTP 358 Jun 3, 2021 14:52:42.686616000 India Standard Time KRB Error: KRB5KRB_AP_ERR_SKEW
Cause
This issue is caused by a clock difference between the LogCollector and the Windows servers.
Resolution
Make sure that all of the following servers have accurate system time:
- NetWitness LogCollector,
- Windows server from which logs are to be collected,
- Domain Controller from which the tickets are received,
- Domain Controller the Windows server is logged on to (identify it by running the "set" command in a Windows CMD prompt and looking for LOGONSERVER).
Note: It is always best to keep the same time across all of these servers. In any case, the time difference between them must not exceed 5 minutes.
Then check the test connection for the Windows server in the LogCollector->Config->Event Sources->Windows/Config page; it should now succeed.
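As an added example (not part of this NetWitness article or product), the following Python helper parses klist -A output in the format shown under Issue, reports whether an unexpired TGT and an HTTP service ticket are present at a given time, and checks two clock readings against the 5-minute tolerance stated above; the sample klist text and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

KLIST_TS = "%m/%d/%y %H:%M:%S"   # timestamp format in the klist output above
MAX_SKEW = timedelta(minutes=5)  # tolerance stated in the Resolution
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP}) ({STAMP}) (\S+)$")  # start, expires, principal
# Constructed sample in the same format as the klist -A output shown above.
SAMPLE_KLIST = """\
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktdawC0c
Default principal: collectoruser@2K8R2-VCLOUD.LOCAL
Valid Starting Expires Service Principal
02/03/16 07:41:51 02/03/16 17:41:51 krbtgt/2K8R2-VCLOUD.LOCAL@2K8R2-VCLOUD.LOCAL
renew until 02/10/16 07:41:51
Addresses: (none)
02/03/16 07:43:51 02/03/16 17:41:51 HTTP/2k8r2-dc1.2k8r2-vcloud.local@2K8R2-VCLOUD.LOCAL
renew until 02/10/16 07:41:51
Addresses: (none)
"""


def _ts(s):
    return datetime.strptime(s, KLIST_TS)


def parse_klist(text):
    """Return (kind, principal, start, expires) for every ticket line in klist text."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if not m:
            continue  # cache header, principal, "renew until" and "Addresses" lines
        principal = m.group(3)
        kind = "TGT" if principal.startswith("krbtgt/") else "service"
        tickets.append((kind, principal, _ts(m.group(1)), _ts(m.group(2))))
    return tickets


def ticket_status(text, now_str):
    """Report whether an unexpired TGT and HTTP service ticket exist at `now_str`."""
    now = _ts(now_str)
    tickets = parse_klist(text)
    live = [t for t in tickets if t[2] <= now < t[3]]
    return {
        "tgt": any(t[0] == "TGT" for t in live),
        "http_service": any(t[1].startswith("HTTP/") for t in live),
        "expired": [t[1] for t in tickets if now >= t[3]],
    }


def skew_ok(collector_time, event_source_time):
    """True when the two clocks (klist-format strings) differ by at most MAX_SKEW."""
    return abs(_ts(collector_time) - _ts(event_source_time)) <= MAX_SKEW
```

Feed it the real output of `klist -A` (with KRB5CCNAME set as shown above) and the current time on the collector to see at a glance whether a ticket is missing or expired before reaching for tcpdump.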
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Core Appliance
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7 / 8.9
Summary
This document outlines the procedure for getting the test connection to pass for Windows server log collection.