RSA NetWitness Platform: Error! 401/Unauthorized. Possible causes:- Event source (Host) does not map to a Kerberos Realm, due to incorrect CN name used in Windows Server

Issue

  • On the Windows server side, running the command below gives an error:
Powershell -File winrmconfig.ps1 -Action enable -ListenerType http -User
[Image: winrm]
  • On the NetWitness collector, /var/log/messages shows the error below:
Jul 24 08:57:31 Host NwLogCollector[9842]: [WindowsCollection] [failure] Error! 401/Unauthorized.Possible causes:- Event source (Test.com) does not map to a Kerberos Realm
  • Running the commands below authenticates successfully as the Windows collection user:
export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir
kinit -V
  • klist -A shows both the TGT and service tickets.

Cause

This issue was caused by an incorrect CN configured on the Windows server side instead of the hostname. It can be identified using the setspn -Q HTTP/ * command.

Sample output:
C:\Windows\system32>setspn -Q HTTP/Test*
Checking domain DC=DELL,DC=CORP,DC=EMC,DC=IN
CN= MBAM_IIS,OU=Generic ID,DC=DELL,DC=CORP,DC=EMC,DC=IN
http/encrypt.EMC.com
http/Test.DELL.CORP.EMC.IN
http/Test

Existing SPN found!
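
As an added example (not part of the original article or of RSA's tooling), the following Python parses saved setspn -Q output such as the sample above and lists HTTP SPNs for a host that are registered to an account whose CN is not the expected one. The function names and the account parameter are assumptions of this example; the embedded sample is the output shown on this page.

```python
import re

# Constructed sample: the `setspn -Q HTTP/Test*` output shown above.
SAMPLE = """\
Checking domain DC=DELL,DC=CORP,DC=EMC,DC=IN
CN= MBAM_IIS,OU=Generic ID,DC=DELL,DC=CORP,DC=EMC,DC=IN
http/encrypt.EMC.com
http/Test.DELL.CORP.EMC.IN
http/Test

Existing SPN found!
"""

# First RDN of an account DN line; tolerates "CN= name" and escaped commas.
DN_RE = re.compile(r"^CN=\s*((?:\\.|[^,\\])+),", re.IGNORECASE)
# service/host[:port][/servicename]
SPN_RE = re.compile(r"^([\w.-]+)/([^\s/:]+)(?::\d+)?(?:/\S+)?$")

def parse_setspn(text):
    """Map each account CN in `setspn -Q` output to the SPNs listed under it."""
    owners, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        dn = DN_RE.match(line)
        if dn:
            current = dn.group(1).strip()
            owners.setdefault(current, [])
        elif current is not None and SPN_RE.match(line):
            owners[current].append(line)
    return owners

def misowned_http_spns(text, host, account=None):
    """Return (spn, owner_cn) pairs where an HTTP SPN for `host` is registered
    to an account other than `account` (default: the host's short name)."""
    short = host.split(".")[0].lower()
    expected = (account or short).lower()
    findings = []
    for cn, spns in parse_setspn(text).items():
        for spn in spns:
            service, target = SPN_RE.match(spn).groups()
            if (service.lower() == "http"
                    and target.split(".")[0].lower() == short
                    and cn.lower() != expected):
                findings.append((spn, cn))
    return findings

if __name__ == "__main__":
    for spn, cn in misowned_http_spns(SAMPLE, "Test.DELL.CORP.EMC.IN"):
        print(f"{spn} is registered to {cn}, not the host account")
```

When checking an alias SPN that was deliberately mapped to the host's account, pass that account name as account so the alias prefix is not reported as a mismatch.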

Resolution

Use the steps below to fix this.
  1. Add an alias for the system in the /etc/hosts file on the log collector, i.e. prefix or suffix a unique string to the hostname portion of the FQDN, e.g. NW-Test.DELL.CORP.EMC.IN (NW- added as a prefix to the hostname portion of the FQDN).
  2. Run the setspn command below on the Windows server. This adds a new unique SPN to Active Directory and maps it to the hostname.
     setspn -A HTTP/NW-Test.DELL.CORP.EMC.IN Test
  3. In the NetWitness UI, add the event source to the collector using the new alias as the hostname, i.e. NW-Test.DELL.CORP.EMC.IN, and test the connection to confirm it succeeds.

Notes

If the issue still persists, check the additional knowledge articles below.
https://community.rsa.com/docs/DOC-47791 
https://community.rsa.com/docs/DOC-47129
https://community.rsa.com/docs/DOC-47128
https://community.rsa.com/docs/DOC-47118



Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7

Summary

This article outlines the procedure to correct Windows CN configuration to fix 401 errors during winrm configuration.
