How to configure security events collection by using Audit Collection Services from computers in untrusted environment?

As you may know, in order to enable SCOM Agent-based monitoring of devices in an untrusted environment (such as workgroup computers), the SCOM Agent must be configured for certificate-based authentication, because Kerberos mutual authentication is not available across the trust boundary.

If you want to go further and decide to collect security events from such computers by leveraging the Audit Collection Services feature (assuming that the appropriate infrastructure for ACS is in place), you will soon notice that it does not work without additional configuration of both the ACS Collector and the ACS Forwarder components.

The following event in the Operations Manager event log indicates that the AdtAgent service running on the ACS Forwarder is unable to connect to and authenticate against the ACS Collector:

Event Type: Warning
Event Source: AdtAgent
Event Category: None
Event ID: 4369
User: NT AUTHORITY\NETWORK SERVICE
Description: Forwarder unsuccessfully tried to connect to the following collector(s): <<ACS Collector computer name>>:51909, status: 0x40 (TCP connect), source: registry addresses tried: <<ACS Collector IP address>>:51909

Similar to the System Center Management service (HealthService), which you have probably already configured for certificate-based authentication by using the MOMCertImport.exe tool, the ACS Collector and ACS Forwarder(s) must also be configured for certificate-based authentication.

To configure the “Operations Manager Audit Collection Service” (AdtServer) running on the ACS Collector for certificate-based authentication, run the AdtServer.exe -c command (by default, AdtServer.exe is located in the %SYSTEMROOT%\System32\Security\AdtServer folder).

To configure the “Operations Manager Audit Forwarding Service” (AdtAgent) running on the ACS Forwarder for certificate-based authentication, run the AdtAgent.exe -c command (by default, AdtAgent.exe is located in the %SYSTEMROOT%\System32 folder).

Once this is done, AdtAgent will still be unable to authenticate. However, in this case you will see the following event in the Operations Manager event log (note that the event ID is the same, 4369, but the status code has changed from 0x40 to 0x2746: the TCP connection is now accepted and the failure happens during the certificate handshake).

Event Type: Warning
Event Source: AdtAgent
Event Category: None
Event ID: 4369
User: NT AUTHORITY\NETWORK SERVICE
Description: Forwarder unsuccessfully tried to connect to the following collector(s): <<ACS Collector computer name>>:51909, status: 0x2746 (TCP connect), source: registry addresses tried: <<ACS Collector IP address>>:51909

The last step required to resolve this problem is to create a name mapping to the certificate in the Active Directory domain where the ACS Collector is located. To do that, first export the computer certificate from the ACS Forwarder into a DER encoded binary X.509 (.CER) file (this contains the public certificate only; the private key never leaves the forwarder). Then, in Active Directory Users and Computers, create an “empty” computer account (one that no machine has joined with) whose name must match the NetBIOS name of the ACS Forwarder. Right-click the newly created computer account and select the Name Mappings option (it is only shown when View > Advanced Features is enabled). Under Security Identity Mapping, on the X.509 Certificates tab, import the exported .CER file. After that, make sure to restart the AdtAgent service on the ACS Forwarder. It should now successfully authenticate against the ACS Collector, which is confirmed by this event in the Operations Manager event log:

Event Type: Information
Event Source: AdtAgent
Event Category: None
Event ID: 4368
User: NT AUTHORITY\NETWORK SERVICE
Description: Forwarder successfully connected to the following collector: <<ACS Collector computer name>>:51909, status: 0x0 (success), source: registry addresses tried: <<ACS Collector IP address>>:51909
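The whole procedure above (collector switch, forwarder switch, certificate export, placeholder computer account, name mapping, restart and verification) as a PowerShell script. This is an added example and not code from the original post or from Microsoft; each region runs on the machine named in its comment. The forwarder name ACSFWD01, the export path C:\Temp, the rule used to pick the forwarder's certificate (subject equals the computer name, newest certificate with a private key) and the exact string written to altSecurityIdentities are assumptions for illustration; the script reads the attribute back so you can compare it with what the ADUC Name Mappings dialog produces.

```powershell
# Added example, not part of the original post. Run each region on the machine
# named in its comment. ACSFWD01, C:\Temp and the certificate selection rule
# are assumptions; adapt them to your environment.

#region 1. ACS Collector (domain member): switch AdtServer to certificate authentication
& "$env:SystemRoot\System32\Security\AdtServer\AdtServer.exe" -c
Restart-Service -Name AdtServer   # Operations Manager Audit Collection Service
#endregion

#region 2. ACS Forwarder (workgroup computer): switch AdtAgent and export its certificate
& "$env:SystemRoot\System32\AdtAgent.exe" -c

# Pick the computer certificate that MOMCertImport.exe registered for the HealthService.
# Assumption: its subject is the computer name; take the newest one that has a private key.
$subject = "CN=$env:COMPUTERNAME"
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }

# -Type CERT writes DER-encoded binary X.509: the public certificate only, no key.
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
Export-Certificate -Cert $cert -FilePath "C:\Temp\$env:COMPUTERNAME.cer" -Type CERT | Out-Null
#endregion

#region 3. Domain of the ACS Collector: placeholder computer object plus name mapping
Import-Module ActiveDirectory
$forwarderName = 'ACSFWD01'                     # must equal the forwarder's NetBIOS name
$cerPath       = "C:\Temp\$forwarderName.cer"   # the file exported in region 2, copied here
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# The ADUC Name Mappings dialog stores the mapping in altSecurityIdentities as
#   X509:<I>issuerDN<S>subjectDN
# with each DN in certificate-encoding order (DC=com,DC=contoso,CN=...), the reverse of
# the display order that $cer.Issuer / $cer.Subject show. Decode() without the Reversed
# flag yields encoding order; the regex collapses ", " separators to ",". (Assumption:
# verify against the value ADUC writes for one account before relying on this.)
$flags     = [System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::None
$issuerDn  = $cer.IssuerName.Decode($flags)  -replace ',\s+', ','
$subjectDn = $cer.SubjectName.Decode($flags) -replace ',\s+', ','
$mapping   = "X509:<I>$issuerDn<S>$subjectDn"

# "Empty" account: no machine joins with it; it exists only so the certificate maps to a principal.
if (-not (Get-ADComputer -Filter "Name -eq '$forwarderName'")) {
    New-ADComputer -Name $forwarderName -Description 'Name-mapping placeholder for workgroup ACS forwarder'
}
Set-ADComputer -Identity $forwarderName -Add @{ altSecurityIdentities = $mapping }

# Read the attribute back; this is what the X.509 Certificates tab in ADUC represents.
Get-ADComputer -Identity $forwarderName -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
#endregion

#region 4. ACS Forwarder again: restart and look for event 4368 (success) instead of 4369
Restart-Service -Name AdtAgent   # Operations Manager Audit Forwarding Service
Start-Sleep -Seconds 15
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'AdtAgent'; Id = 4368, 4369 } -MaxEvents 3 |
    Format-List -Property TimeCreated, Id, Message
#endregion
```

Two caveats a practitioner should keep in mind. The collector must trust the CA that issued the forwarder's certificate; that is already a requirement for the HealthService certificate, so in practice both certificates usually come from the same CA. And the Issuer/Subject form of altSecurityIdentities that the ADUC dialog writes is one of the mappings Microsoft classifies as weak in the certificate-mapping hardening of KB5014754 (2022); on domain controllers running in enforcement mode it may be rejected, in which case one of the strong forms (for example an issuer plus serial-number mapping) has to be written to the same attribute instead of relying on the dialog.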

For more information, refer to the following Microsoft TechNet articles:

This whole process is also explained in the Operations Manager 2007 Security Guide which is available as free download from Microsoft, as well as in the System Center Operations Manager 2007 Unleashed book.
