07-05-2022 05:38 AM
Hi,
We tried this: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configur...
It seems like the config is OK, but we are getting "kerberos error" in the status of this monitored server. Where can we see what's happening with this error? The useridd logs don't show anything.
07-05-2022 09:19 AM
I recently changed to WinRM-HTTP and I am seeing the same thing. From the CLI, if I look at the log, I can see that I have an error "KDC has no support for encryption type".
The error is at the end of the log when you use Shift-G after entering less mp-log useridd.log from the cli.
I am not sure why I am getting this error, and trying to figure it out.
For the service account I am using, I have turned on the option to use aes128-cts-hmac-sha1-96, but I am still getting the error.
The DC is a Windows 2012R2 server.
07-05-2022 05:25 PM
As @sgoethals mentioned, you should check the useridd.log file for errors, and you can also build out an authentication profile with your Kerberos profile so that you can test authentication to ensure that it's set up properly. I'd also just check with your server team that they've enabled it on their end, as this is usually restricted during standard hardening standards.
07-06-2022 05:10 AM
After spending quite a bit of time on this, I determined a resolution to my issue.
The newer encryption methods that use AES are supported in 2012R2. This is the OS that I am using on the domain controllers (for just a little longer); however, the functional level of the domain was set to 2008. Once I updated the functional level, the Kerberos error went away and an "access denied" error showed up. This happened because I had not made the service account a member of the Windows Group Remote Management.
Once I made the service account a member of this group the error went away, and I was able to connect via WinRM-HTTP.
Good luck on your resolution.
07-08-2022 01:48 AM
We checked the useridd logs and we only see this kind of event:
Where can we see the "kerberos error" shown for the monitored server in useridd?
08-16-2022 08:04 PM
Hi Team,
Have you resolved this issue? I am having the same issue and I am getting the error on Server 2016.
08-17-2022 10:17 AM - edited 08-17-2022 10:23 AM
Sometimes enabling AES128 and AES256 encryption on the service account in Active Directory isn't enough. You also must reset the password of the service account. You can have a look at my post.
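The account-side conditions named in the replies above (domain functional level, AES flags on the service account, a password reset after enabling AES, and Remote Management group membership) can be checked read-only from PowerShell. This is an added example, not part of any post; the account name `svc-panuserid` is hypothetical, and the group name `Remote Management Users` and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: read-only checks, run from a domain-joined host with RSAT.
Import-Module ActiveDirectory

$SvcAccount = 'svc-panuserid'            # hypothetical service account name
$WinRmGroup = 'Remote Management Users'  # assumed built-in group name

# 1. Domain functional level (one poster's Kerberos error cleared after raising it from 2008).
$domain = Get-ADDomain
"Domain functional level : $($domain.DomainMode)"

# 2. Encryption types enabled on the account (msDS-SupportedEncryptionTypes bit flags).
$user  = Get-ADUser -Identity $SvcAccount -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet
$enc   = [int]$user.'msDS-SupportedEncryptionTypes'   # an unset attribute becomes 0
$flags = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}
$enabled = @($flags.Keys | Where-Object { $enc -band $flags[$_] })
if ($enabled.Count -eq 0) { $enabled = @('(attribute not set, domain defaults apply)') }
"Account encryption types: $($enabled -join ', ')"
if (-not ($enc -band 0x18)) { 'WARNING: neither AES128 nor AES256 is enabled on the account' }

# 3. Was the password reset after the encryption-type attribute was last changed?
$meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
            -Server $domain.PDCEmulator -Properties 'msDS-SupportedEncryptionTypes'
"Password last set       : $($user.PasswordLastSet)"
if ($meta) {
    "Enc. types last changed : $($meta.LastOriginatingChangeTime)"
    if ($user.PasswordLastSet -lt $meta.LastOriginatingChangeTime) {
        'WARNING: password predates the encryption-type change; reset it'
    }
}

# 4. Group membership needed for WinRM (the later "access denied" error).
$member = Get-ADGroupMember -Identity $WinRmGroup -Recursive |
          Where-Object { $_.SamAccountName -eq $user.SamAccountName }
if ($member) { "Member of '$WinRmGroup' : yes" }
else         { "WARNING: $SvcAccount is not a member of '$WinRmGroup'" }
```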