Troubleshooting Directory Connector With Login Monitor on Windows Server

Directory Connector needs a way for Active Directory to report user login events to the NGFW. The simplest method is to install the Login Monitor on each Active Directory server (domain controller).

In many environments that is all that is required. However, the Login Monitor depends on the domain controller's Security audit log recording logon activity. If the audit settings below are not configured, the events are never written, and the Login Monitor has nothing to send to the NGFW. Note that if a Group Policy Object applied to the domain controllers (for example the Default Domain Controllers Policy) also defines these audit subcategories, its settings take precedence over the local policy; in that case make the same changes in that GPO.

Note: The following settings and related images are from Windows Server 2012 R2. These settings exist in other versions of Windows Server but may be in slightly different locations.

Audit Kerberos Authentication Service

  1. Open Local Security Policy (secpol.msc). On Server 2012 this is under Server Manager > Tools.
    AD2012-ServerManager.jpg

  2. After Local Security Policy is open, expand Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Account Logon

  3. Double-click Audit Kerberos Authentication Service
    AD2012-AuditKerberosAuthentication.jpg

  4. Under the Policy tab, check the Configure the following audit events and Success check boxes.
    AD2012-AuditKerberosAuthentication2.jpg

Audit Logoff

  1. Open Local Security Policy (secpol.msc). On Server 2012 this is under Server Manager > Tools.
    AD2012-ServerManager.jpg

  2. After Local Security Policy is open, expand Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff

  3. Double-click Audit Logoff
    AD2012-AuditLogoff.jpg

  4. Under the Policy tab, check the Configure the following audit events and Success check boxes.
    AD2012-AuditLogoff2.jpg

Audit Logon

  1. Open Local Security Policy (secpol.msc). On Server 2012 this is under Server Manager > Tools.
    AD2012-ServerManager.jpg

  2. After Local Security Policy is open, expand Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff

  3. Double-click Audit Logon
    AD2012-AuditLogon.jpg

  4. Under the Policy tab, check the Configure the following audit events and Success check boxes.
    AD2012-AudtiLogon2.jpg
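The three procedures above can be checked and applied from the command line instead of clicking through Local Security Policy, which is useful when you have several domain controllers or want to confirm the setting actually took effect. The script below is an added example and is not part of the original article or of the Directory Connector / Login Monitor software. It assumes an elevated PowerShell prompt on the domain controller, an English-language Windows install (the auditpol.exe CSV column name "Inclusion Setting" is localized), and uses the standard Windows Security event IDs 4768 (Kerberos TGT requested), 4624 (logon) and 4634 (logoff) that these subcategories generate.

```powershell
# Added example (not from the original article): verify and enable the three audit
# subcategories the Login Monitor relies on, then confirm the matching events are
# being written to the Security log. Run elevated on each domain controller.

# Subcategory name exactly as auditpol.exe expects it, mapped to the Security event
# ID that subcategory produces on success (standard Windows event IDs).
$required = [ordered]@{
    'Kerberos Authentication Service' = 4768   # Account Logon: TGT requested
    'Logon'                           = 4624   # Logon/Logoff: an account was logged on
    'Logoff'                          = 4634   # Logon/Logoff: an account was logged off
}

foreach ($sub in $required.Keys) {
    # auditpol /r emits CSV; 'Inclusion Setting' is one of:
    # "No Auditing", "Success", "Failure", "Success and Failure"
    $setting = (auditpol.exe /get /subcategory:"$sub" /r | ConvertFrom-Csv).'Inclusion Setting'

    if ($setting -like '*Success*') {
        Write-Host ("[ok]  {0,-32} {1}" -f $sub, $setting)
        continue
    }

    # Matches step 4 of each procedure: enable Success auditing for the subcategory.
    Write-Host ("[fix] {0,-32} {1} -> enabling Success auditing" -f $sub, $setting)
    auditpol.exe /set /subcategory:"$sub" /success:enable | Out-Null
}

# Caveat: if a GPO applied to the domain controllers (e.g. the Default Domain
# Controllers Policy) defines these subcategories, it overrides local policy and the
# auditpol change above is reverted at the next policy refresh. Put the setting in
# that GPO instead, then run: gpupdate /force

# Confirm the events are actually arriving: show recent matching Security events.
# If a user logs on at a domain-joined workstation and nothing appears here after a
# few minutes, the audit policy is still not in effect on this domain controller.
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($required.Values); StartTime = $since } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Event'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Run the script once per domain controller that has the Login Monitor installed; the first loop reports `[ok]` for subcategories that already audit Success and `[fix]` for the ones it changed, and the final table should list 4768/4624/4634 events once users start logging on.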
