Active Directory Login Monitor Installation
Overview
The Active Directory Login Monitor is a small piece of software that is installed on all of your domain controllers. The Login Monitor detects when users log on to your domain and sends that information to the NGFW appliances, where it is used for reporting and grouping.
IMPORTANT: The Login Monitor needs to be running on every domain controller on the network in order to “catch” the authentications handled by those servers.
Installation
The Active Directory Login Monitor can be downloaded from https://downloads.untangle.com/public/UntangleActiveDirectoryMonitorSetup.exe
Configuration
Next Generation Firewall
After installation you will be prompted for the configuration settings. The NGFW IP address must be entered here so that logins are sent to that device.
Secret Key
This is a shared secret that is sent along with every login report to the NGFW server. The server only trusts login reports that present the correct Secret Key.
NOTE: This field is required as of version 0.1.10.37. You will set it in the NGFW UI here:
IP Addresses
This is the IP address of your NGFW server.
Exempt IP Addresses
During setup, enter IP exemptions for network nodes whose logins you do not want to see. These are generally terminal servers, hosts that run batch file logins, and other servers.
Exempt Users
The Exempt Users section is used to exclude users whose logins you do not want to see. These are generally service accounts such as SQL Server logins, batch file logins, and similar accounts used to run programs or installations on workstations.
Additional Troubleshooting
User Notification API Testing
Directory Connector utilizes a web API to allow devices and servers to tell the NGFW that a user has logged in on a specific IP address. A complete guide for how to use the API for testing can be found here:
Directory Connector API Usage Guide
Additionally, you can test that the Login Monitor is able to reach the API using the built-in Test button.
Kerberos and other Active Directory Settings
*Manually enabling Kerberos auditing/authentication only needs to be done on Windows Server 2008 and above.
**Because some Windows Server 2008 and 2008 SBS installations do not have an Advanced Auditing section, these servers cannot be used unless you are able to push a group policy containing the option from a 2008 R2 or later server on the domain.
Audit Kerberos Authentication needs to be enabled on every domain controller that the Login Monitor runs on. This is done in the “Local Security Policy”. It is generally enabled by default, but configuration changes made over the lifetime of a Windows server can leave it disabled, so verify it rather than assume it.
Server 2008 R2
- Open the Local Security Policy. On Server 2008 this can be done by clicking Start, typing Local Security Policy, and selecting it in the Start Menu.
- Once Local Security Policy is open, expand Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Account Logon.
- Open the Audit Kerberos Authentication policy and, on the Local Security Setting tab under “Audit these attempts”, check the Success check box.
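The steps above enable the audit setting, but they do not tell you whether it is actually in effect on a given domain controller. The following PowerShell script is an added example, not part of the Untangle article or product; it checks the effective setting for the Kerberos Authentication Service subcategory with the built-in auditpol tool, checks the registry value that decides whether Advanced Audit subcategory settings override the legacy category policy, and looks for a recent event ID 4768 (Kerberos TGT requested) to confirm the Security log is receiving the events. It assumes English subcategory names and must be run in an elevated session on the domain controller (Server 2008 R2 and later).

```powershell
# Added example: verify that Kerberos Authentication Service auditing is
# effective on this domain controller. Not part of the Untangle article.
# Assumes English subcategory names and an elevated PowerShell session.

function Get-KerberosAuditSetting {
    # auditpol /r prints a CSV report (Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting), which is easier
    # to parse than the default table view.
    $rows = auditpol /get /subcategory:"Kerberos Authentication Service" /r |
        Where-Object { $_ -ne "" } | ConvertFrom-Csv
    return $rows[0].'Inclusion Setting'   # e.g. "Success", "No Auditing"
}

function Test-LoginMonitorAuditPrereqs {
    $setting = Get-KerberosAuditSetting
    $result = [ordered]@{
        KerberosAuditSetting = $setting
        SuccessAudited       = ($setting -in @("Success", "Success and Failure"))
    }

    # Advanced Audit Policy subcategory settings only apply when the legacy
    # category policy is not allowed to override them. A value of 0 here means
    # the legacy policy wins and the Account Logon subcategory setting is
    # ignored; 1 or an absent value means subcategory settings apply (the
    # default on Server 2008 R2 and later).
    $lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
        -ErrorAction SilentlyContinue
    $result.SubcategoryOverrideEnabled = ($lsa.SCENoApplyLegacyAuditPolicy -ne 0)

    # Confirm the DC is really writing TGT request events (ID 4768) to the
    # Security log; with no recent event, the Login Monitor has nothing to read.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName = "Security"; Id = 4768; StartTime = (Get-Date).AddHours(-1)
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.Recent4768EventSeen = [bool]$recent

    return [pscustomobject]$result
}

Test-LoginMonitorAuditPrereqs | Format-List
```

If SuccessAudited is false but you set the policy in Local Security Policy, check for a domain GPO that sets Account Logon auditing differently, since the domain policy wins over the local one.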
Server 2012 R2
Due to the variety of possible changes that directly impact Login Monitor in this version, we have created a separate article for it.
Troubleshooting Directory Connector with Login Monitor on Windows Server 2012 R2
Other Settings to check
Other settings on Windows Server can affect Directory Connector and the Login Monitor. The Microsoft TechNet article linked below details these settings and how to check them.
https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx
Comments
Will this work on DCs that are Server Core installs?
The application will work, but not sure about the installer and service. The configuration GUI will not work, but there is a settings.ini that can be edited with the information needed. If you need help with this, please create a support case asking for assistance installing on Server Core and we can see if we can get it running on a Core install for you.
What is the impact on the servers? What have you seen in large deployments? 4k+ users. The cymdir method seemed to distribute the load between the device and the appliance. This method includes the Windows server.
Shawn, impact varies due to the hardware of the devices and the services, software, and features being used on the servers. Resource-wise it is generally low, since most environments have multiple DCs. For redundancy we suggest that Cymdir.exe be used along with the Active Directory Login Monitor.