  1. #1
    Newbie
    Join Date
    Apr 2017
    Posts
    2

    Active Directory Login Monitor - Server 2012 R2 and Windows 10

    This took me a long time to figure out, so I hope it helps others.

    According to Untangle's "Active Directory Login Monitor Installation" guide (https://support.untangle.com/hc/en-u...r-Installation), only "Audit Kerberos Authentication Service" needs to be enabled in Local Security Policy in order to send login events to Untangle. This did not work for me in my environment. However, when I also enabled "Audit Other Account Logon Events" it works:

    [Screenshot: Local Security Policy.PNG]

    These events are in the DC's event log (Event Viewer\Windows Logs\Security).
    • Event ID: 4768
    • Task Category: "Kerberos Authentication Service"


    My environment:
    • DC: Microsoft Windows Server 2012 R2 Standard (Version 6.3, Build 9600)
    • Client: Microsoft Windows 10 Pro (Version 1607, Build 14393.1066)


    Note: When a user logs off, it is sent to the API as an "update" action, not a "logout" action. This means that if a local user account logs in afterwards, they will fall under the previous domain user's Untangle policy. Untangle support said this is how it is: "The update event is intended and expected. No logout events."

    Cheers
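
A way to confirm on the DC what the post above describes, added here as an example and not part of the original post or Untangle's guide: it prints the effective setting of the two audit subcategories named in the post and lists recent 4768 events. It assumes an elevated PowerShell session on an English-language DC; the 30-minute window, the event limit and the machine-account filter are illustrative choices.

```powershell
# Added example: run elevated on the domain controller.
# Subcategory names are the two named in the post; parsing assumes English auditpol output.
$subcategories = 'Kerberos Authentication Service', 'Other Account Logon Events'

# 1. Effective audit policy, i.e. what applies after local policy and any GPOs are merged.
$effective = foreach ($name in $subcategories) {
    # /r emits CSV: Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, ...
    auditpol /get /subcategory:"$name" /r |
        Where-Object { $_.Trim() } |          # drop the blank line auditpol emits after the header
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$effective | Format-Table -AutoSize

# 2. Recent Event ID 4768 entries in the Security log (window length is an assumption).
$since  = (Get-Date).AddMinutes(-30)
$filter = @{ LogName = 'Security'; Id = 4768; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 25 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4768 events since $since. Compare the effective policy above with what you configured."
}
else {
    $rows = foreach ($evt in $events) {
        # Read the named EventData fields from the event XML instead of relying on positions.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Skip machine accounts (names ending in '$') so only user logins are listed.
        if ($data['TargetUserName'] -like '*$') { continue }

        [pscustomobject]@{
            Time   = $evt.TimeCreated
            User   = $data['TargetUserName']
            Domain = $data['TargetDomainName']
            Client = $data['IpAddress']
            Status = $data['Status']
        }
    }
    $rows | Format-Table -AutoSize
}
```

If the first table shows "No Auditing" for a subcategory you enabled in Local Security Policy, another policy is overriding the local setting, which is the situation discussed later in this thread.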

  2. #2
    Newbie
    Join Date
    Apr 2017
    Posts
    10

    Great post! Thank you!

  3. #3
    Untanglit
    Join Date
    Aug 2009
    Posts
    28

    Thank you for this information! Do you have any other settings that you applied? My Server 2012 R2 AD still will not pass any login information to Untangle. I have to use the login script. At another client site, information is passed, but it's incorrect.

  4. #4
    Master Untangler
    Join Date
    May 2010
    Posts
    436

    Sorry to drag up an old thread - ran across this while searching for another item...

    I have two Server 2016 DCs, but I installed the Active Directory connector on both of them per the guidance Untangle gives for Server 2012 R2 servers (https://support.untangle.com/hc/en-u...s/115008018487). I did not change "Audit Other Account Logon Events". My logon events are all getting relayed to Untangle correctly.

    Weird that the OP had to do something different.

    Jason
    Last edited by JasonJoel; 07-18-2017 at 07:07 PM.

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,722

    Group Policy doesn't always work out the way you want. I'll bet he has a conflicting policy somewhere. Auditing Kerberos Authentication Service should be all that's required. However, the directions have you changing a local server policy, and I've never done this because it can be unreliable on domain controllers. I prefer to create a policy linked to the domain controller's OU, and enable the policies there. I'll then filter out DCs I don't want modified if necessary.

    But, Untangle isn't Microsoft. Supporting Microsoft GPOs opens a can of worms that is best solved by MCSEs that know how to do these things. The instructions are a very simple and effective way to make things work, but not necessarily the best.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Newbie
    Join Date
    Apr 2017
    Posts
    2

    Originally posted by JasonJoel:
    "I have two Server 2016 DCs...I did not change "Audit Other Account Logon Events". My logon events are all getting relayed to untangle correctly."

    Which OS are the clients using? In this lab I have a single Windows 10 Pro client.

    Originally posted by sky-knight:
    "I'll bet he has a conflicting policy somewhere."

    I was playing around with an audit GPO, but currently it is not applied.

    However, something I learned during this testing was that advanced audit policies negate regular/basic audit policies:

    Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
    From: What is the interaction between basic audit policy settings and advanced audit policy settings?

  7. #7
    Master Untangler
    Join Date
    May 2010
    Posts
    436

    All my clients are Windows 10 Pro.
    Last edited by JasonJoel; 08-01-2017 at 11:50 AM.
