
I have various services configured to authenticate against Active Directory. It would be very helpful if they all logged authentication failures, but they don't. This makes debugging even a simple "incorrect password" error very frustrating.

Is it possible to watch in realtime (or later) authentication attempts against AD?

The AD is Windows Server 2003.

Matt Simmons
  • From where? A Linux workstation or a Windows PC? Have you checked out Wireshark? – wolfgangsz Aug 18 '10 at 17:05
  • "From Where" is irrelevant, but in this example, I'm using a web-based bug tracking program. Wireshark won't help because the requests are encrypted with Kerberos. I need logging. – Matt Simmons Aug 18 '10 at 17:08
  • Are these services/apps authenticating against your DC(s) or another source? – jscott Aug 18 '10 at 17:19
  • They are against my domain controllers (is there another way?) – Matt Simmons Aug 18 '10 at 17:24
  • In the *lovely* K12-software-world we have software that "does AD" by taking a night export from `csvde`. – jscott Aug 18 '10 at 18:04
  • We're also using MediaWiki, on Debian, to authenticate against AD. The DC's Security Event Log contains entries of success/failure for these MediaWiki logons, denoting the source address of the server. Are you looking for a way to `tail` or parse the Security EVT? – jscott Aug 18 '10 at 18:21

1 Answer


I'm going to go with the `Get-EventLog` cmdlet in PowerShell. This just dumps the latest entry in the application log:

```powershell
Get-EventLog -ComputerName foo -LogName application -Newest 1
```

It just needs tweaking to limit it to authentication events and sources (`-source`), and to run it against a list of servers. Maybe schedule it to dump in daily or hourly increments (`-after [time]`)? I'm clearly no scripting genius but it's what I've got. ;)

Kara Marfia
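One way to carry out the tweaks the answer describes, pointed at the DCs' Security log that jscott mentions in the comments. This is an added example, not part of the original answer: the DC names are placeholders, the event IDs are the Server 2003-era Security log IDs, and the `Label: value` lines parsed out of the message text are an assumption about how those events are rendered.

```powershell
# Added example, not from the original answer. Requires Windows PowerShell 2.0+.
# Server 2003-era Security log event IDs for failed authentication:
#   529     = logon failure (unknown user name or bad password)
#   675     = Kerberos pre-authentication failed (failure code 0x18 = bad password)
#   676     = Kerberos authentication ticket request failed
#   680/681 = NTLM account logon
function Get-AdAuthFailure {
    param(
        [string[]]$ComputerName = @('dc01', 'dc02'),      # placeholder DC names
        [datetime]$After = (Get-Date).AddHours(-1),
        [long[]]$InstanceId = @(529, 675, 676, 680, 681)
    )
    # Assumption: the event message carries these labels, one per line.
    $pattern = '(?m)^\s*(User Name|Client Address|Source Network Address|Failure Code):\s*(\S.*?)\s*$'
    foreach ($dc in $ComputerName) {
        try {
            $events = Get-EventLog -ComputerName $dc -LogName Security `
                -EntryType FailureAudit -InstanceId $InstanceId `
                -After $After -ErrorAction Stop
        } catch {
            # An unreachable DC and "no matching entries" both end up here.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            $f = @{}
            foreach ($m in [regex]::Matches($e.Message, $pattern)) {
                $f[$m.Groups[1].Value] = $m.Groups[2].Value
            }
            # Kerberos events name the client one way, logon events another.
            $client = $f['Client Address']
            if (-not $client) { $client = $f['Source Network Address'] }
            New-Object PSObject -Property @{
                Time        = $e.TimeGenerated
                DC          = $dc
                EventId     = $e.InstanceId
                User        = $f['User Name']
                Client      = $client
                FailureCode = $f['Failure Code']
            } | Select-Object Time, DC, EventId, User, Client, FailureCode
        }
    }
}

# Usage: failures from the last 15 minutes across both DCs, oldest first.
# Get-AdAuthFailure -After (Get-Date).AddMinutes(-15) | Sort-Object Time | Format-Table -AutoSize
```

These events are only written when failure auditing for "Audit account logon events" and "Audit logon events" is enabled in the policy applied to the domain controllers, and reading the Security log remotely needs an account with rights to that log.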