
We have a Windows Event Collector (WEC) in DOMAIN1. DOMAIN1 and DOMAIN2 have a two-way transitive forest trust. Events from sources in D1 are forwarding fine to the WEC in D1.

D2 is set up to communicate with the same FQDN subscription manager over HTTP/5985 (Server=http://server1.domain1.com:5985/wsman/SubscriptionManager/WEC,Refresh=60), source-initiated event collection. Port 5985 is open and listening from D2 machines through to the WEC in D1.

Machines in D2 are getting this in their Eventlog-ForwardingPlugin Operational logs:

The forwarder is having a problem communicating with subscription manager at address http://wec1.domain1.com:5985/wsman/SubscriptionManager/WEC. Error code is 2150858909 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858909" Machine="server1.domain2.com"><f:Message>WinRM cannot process the request. The following error with errorcode 0xc0000413 occurred while using Kerberos authentication: An unknown security error occurred.
Possible causes are:
  - The user name or password specified are invalid.
  - Kerberos is used when no authentication method and no user name are specified.
  - Kerberos accepts domain user names, but not local user names.
  - The Service Principal Name (SPN) for the remote computer name and port does not exist.
  - The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
  - Check the Event Viewer for events related to authentication.
  - Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.
  - For more information about WinRM configuration, run the following command: winrm help config.
</f:Message></f:WSManFault>.

[eventlog screenshot: https://i.stack.imgur.com/VVF0Y.png]

I don't know enough about Kerberos to know if tickets from D2 can be used in D1 or somehow made to. Anyone got any ideas? I can't find much about this exact issue and WEF.

Thanks.

divadiow
  • Since event collection is apparently WinRM-based, can you test whether the same WinRM works via `winrs` or PSRemoting (i.e. PowerShell's `Enter-PSSession`), using Kerberos auth of course? When the machine in D2 tries to call WinRM on D1, where does it stop – does it fail to get Kerberos tickets? (On the one hand, domain D2 being able to obtain Kerberos tickets from D1 is _literally_ what a domain/forest trust is supposed to allow, but on the other hand, that doesn't prevent services on D1 from denying access to "foreign" users based on e.g. group membership.) – user1686 Aug 06 '22 at 08:38
  • Similarly, can you test whether non-WinRM services work across domains (again using Kerberos)? SMB file share access as an example. – user1686 Aug 06 '22 at 08:39
  • Hi, thanks for responding. You've pushed me in the right direction. Our trust is set to selective authentication, so it turns out this is the issue: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/tgs-request-for-krbtgt-account-fails#resolution. Got to that after seeing the below in the System logs of a DC on DOMAIN2: 40970 (LSA - LSASRV) LDAP/DC2.DOMAIN1.COM/DOMAIN1 Error "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. (0xc0000413)" – divadiow Aug 07 '22 at 16:45
  • Confirmed by changing the auth to forest-wide temporarily. – divadiow Aug 07 '22 at 16:48
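
Since the thread ends with the cause identified but no written-up fix, here is an added PowerShell example (mine, not code from divadiow or user1686) that walks through the diagnosis from the comments and applies the targeted fix instead of relaxing the trust to forest-wide authentication, which switches the authentication firewall off for every D2 principal against every D1 server. It assumes the RSAT ActiveDirectory module, the collector name wec1.domain1.com and port 5985 from the question, and rights to edit the ACL on computer objects in DOMAIN1. `WEC1` as the target object and `DOMAIN2\Domain Computers` as the principal are illustrative choices; the 40970 event quoted above names LDAP/DC2.DOMAIN1.COM, so in this setup the DOMAIN1 domain controller objects are also a candidate target, and the Microsoft article linked in the comments covers that case. The GUID used is the schema rightsGuid of the Allowed-To-Authenticate control access right.

```powershell
#Requires -Modules ActiveDirectory
# Added example: diagnose and fix the selective-authentication ("authentication
# firewall") failure seen in the WEF forwarding plugin log. Not code from the post.

# 1. Confirm the trust mode. SelectiveAuthentication = $true is what produces
#    0xc0000413 for any D2 principal that lacks "Allowed to Authenticate".
function Get-TrustAuthMode {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
}

# 2. Reproduce the forwarder's own path by hand: a WS-Man identify call over
#    HTTP/5985 with Kerberos only. Run it on a DOMAIN2 source as SYSTEM
#    (e.g. under PsExec -s), because WEF forwards under the machine identity,
#    so a test as your admin user proves nothing about the computer account.
function Test-CollectorKerberos {
    param([string]$Collector = 'wec1.domain1.com', [int]$Port = 5985)   # assumed names
    try {
        $r = Test-WSMan -ComputerName $Collector -Port $Port -Authentication Kerberos -ErrorAction Stop
        [pscustomobject]@{ Collector = $Collector; Reachable = $true;  Detail = $r.ProductVersion }
    } catch {
        [pscustomobject]@{ Collector = $Collector; Reachable = $false; Detail = $_.Exception.Message }
    }
}

# 3. Gather the evidence on both sides: the forwarding plugin errors on a source,
#    and the LSA 40970 "authentication firewall" events on a DOMAIN2 DC.
function Get-WefFailureEvents {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0xc0000413|2150858909' } |
        Select-Object TimeCreated, Id, Message
}

function Get-AuthFirewallEvents {
    param([Parameter(Mandatory)][string]$DomainController)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'System'; Id = 40970
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0xc0000413' } |
        Select-Object TimeCreated, MachineName, Message
}

# 4. Targeted fix: grant "Allowed to Authenticate" on a specific DOMAIN1 computer
#    object to a DOMAIN2 principal, leaving selective authentication in place.
#    This GUID is the schema rightsGuid of the Allowed-To-Authenticate right.
$AllowedToAuthenticateGuid = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$TargetComputer,   # sAMAccountName without '$', in DOMAIN1
        [Parameter(Mandatory)][string]$Principal         # e.g. 'DOMAIN2\Domain Computers' (illustrative)
    )
    $obj  = Get-ADComputer -Identity $TargetComputer
    $path = "AD:\$($obj.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # Resolve the foreign principal to a SID; assumes name lookup across the trust works.
    $sid  = ([System.Security.Principal.NTAccount]$Principal).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $AllowedToAuthenticateGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Return the resulting ACE so the caller can verify the object it landed on.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticateGuid -and $_.IdentityReference -eq $Principal }
}

# Typical run, in the order the comment thread discovered the problem:
Get-TrustAuthMode
Test-CollectorKerberos
Get-WefFailureEvents
# Get-AuthFirewallEvents -DomainController 'dc1.domain2.com'      # assumed DC name
# Grant-AllowedToAuthenticate -TargetComputer 'WEC1' -Principal 'DOMAIN2\Domain Computers'
```

After granting the right, restart the Windows Remote Management service on a D2 source (or wait for the Refresh=60 interval) and re-run `Test-CollectorKerberos` and `Get-WefFailureEvents`: the 0xc0000413 entries should stop and the source should appear under the subscription on the collector (`wecutil gr <subscription>`). Keep the grant as narrow as the environment allows; if only a subset of D2 machines forward, use a group of those computer accounts rather than `Domain Computers`.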
