Troubleshooting Directory Connector With Login Monitor on Windows Server

Overview

Active Directory Login Monitor is a small user agent which must be installed on all Active Directory domain controllers when integrating NG Firewall with Active Directory. This software watches for events such as Login and Update which are written to the Security log and sends them to NG Firewall.

In most cases, simply installing the agent is all that's required. However, there are some settings in Active Directory that, if not set properly, can cause the Login Monitor not to send login events to NG Firewall. This article provides some suggested steps and settings to check.

 

Important note re: Windows Firewall settings

Note that most versions of Windows Server newer than 2012 require ports 80 & 443 to be open in the Windows Server's built-in firewall. The default configuration of that firewall will block those ports.

 

Settings in Windows Server 2012 R2 and earlier

The following settings and related images are from Windows Server 2012 R2. These settings should exist in other versions of Windows Server but may be found in slightly different places.

 

Audit Kerberos Authentication Service

  1. Open Local Policy Editor. On Server 2012 this can be done in Server Manager > Tools.

  2. After Local Security Policy is open, expand Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Account Logon

  3. Double-click Audit Kerberos Authentication Service

  4. Under the Policy tab, check the "Configure the following audit events" and "Success" check boxes.

 

Audit Logoff

  1. Open Local Policy Editor. On Server 2012 this can be done in Server Manager > Tools.

  2. After Local Security Policy is open, expand Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff

  3. Double-click Audit Logoff

  4. Under the Policy tab, check the "Configure the following audit events" and "Success" check boxes.

 

Audit Logon

  1. Open Local Policy Editor. On Server 2012 this can be done in Server Manager > Tools.

  2. After Local Security Policy is open, expand Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff

  3. Double-click Audit Logon

  4. Under the Policy tab, check the "Configure the following audit events" and "Success" check boxes.
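
The three audit settings above can also be checked from an elevated PowerShell prompt on each domain controller. The script below is an added example, not part of the original article or the Login Monitor software; it assumes an English-language Windows install, the -Fix switch is a name chosen for this example, and the event IDs in the last step are the standard Windows IDs for these subcategories rather than values taken from this article.

```powershell
# Added example. Save as a .ps1 file and run elevated on each domain controller.
# Assumes English-language Windows: auditpol subcategory names and values are localized.
param([switch]$Fix)   # hypothetical switch: enable Success auditing where it is missing

$required = 'Kerberos Authentication Service', 'Logoff', 'Logon'

function Get-AuditSetting([string]$Subcategory) {
    # /r prints CSV; the "Inclusion Setting" column holds
    # "Success", "Failure", "Success and Failure" or "No Auditing".
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -match '\S' }
    ($csv | ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq $Subcategory }).'Inclusion Setting'
}

$report = foreach ($name in $required) {
    $setting = Get-AuditSetting $name
    if ($Fix -and $setting -notmatch 'Success') {
        # Same effect as ticking "Success" in the policy editor; Failure is left unchanged.
        auditpol /set /subcategory:"$name" /success:enable | Out-Null
        $setting = Get-AuditSetting $name
    }
    [pscustomobject]@{
        Subcategory  = $name
        Setting      = $setting
        SuccessAudit = ($setting -match 'Success')
    }
}
$report | Format-Table -AutoSize

# Confirm the Security log is actually receiving the events these settings produce:
# 4768 (Kerberos TGT requested), 4624 (logon), 4634 (logoff).
$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4624, 4634
    StartTime = (Get-Date).AddMinutes(-15)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

If a subcategory reverts to "No Auditing" after a policy refresh, a domain-level Group Policy is overriding the local setting and the change has to be made in that GPO instead.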

 
