IBM Support

Security Network Protection Passive Authentication is logging events from authenticated users as "unauthenticated user"

Troubleshooting


Problem

Passive Authentication on the Security Network Protection (XGS) sensor is logging events as "unauthenticated user" when the user should be authenticated.

Symptom

The XGS is logging events from an authenticated user as "unauthenticated user" even though the Logon Event Scanner is installed on the Active Directory Domain Controller (AD DC) and the user should be authenticated.

Resolving The Problem

For Passive Authentication to work properly, you must configure the AD DC with the Audit account logon events and Audit logon events policies.
  1. Open the Windows Local Security Policy on the AD DC (run > secpol.msc).
  2. Go to Local Policies > Audit Policy.
  3. Ensure that auditing is configured for both Audit account logon events and Audit logon events: Success for successful logins and Failure for failed attempts.

The Logon Event Scanner is then able to read these audit events and forward the user data to the XGS.
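
To confirm the setting is actually in effect on the AD DC, the following added example (not part of the IBM technote) reads the effective audit policy with `auditpol` and lists any subcategory that lacks Success or Failure auditing. It assumes an elevated PowerShell session on an English-language Windows install, and that the two basic policies correspond to the `Account Logon` and `Logon/Logoff` auditpol categories; the function name `Get-LogonAuditGaps` is hypothetical.

```powershell
# Added example: verify the effective logon audit settings on the AD DC.
# Assumptions: elevated session, English-language Windows (auditpol category
# names and setting strings are localized on other language versions).

function Get-LogonAuditGaps {
    param(
        # auditpol categories matching "Audit account logon events" and "Audit logon events"
        [string[]]$Categories = @('Account Logon', 'Logon/Logoff')
    )
    foreach ($category in $Categories) {
        # /r emits CSV with columns including "Subcategory" and "Inclusion Setting"
        $csv = auditpol.exe /get "/category:$category" /r
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol failed for '$category' (exit code $LASTEXITCODE). Is the session elevated?"
        }
        $csv | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
            $setting = $_.'Inclusion Setting'
            [pscustomobject]@{
                Category    = $category
                Subcategory = $_.Subcategory
                Setting     = $setting
                Success     = $setting -match 'Success'   # true for "Success" and "Success and Failure"
                Failure     = $setting -match 'Failure'   # true for "Failure" and "Success and Failure"
            }
        } | Where-Object { -not ($_.Success -and $_.Failure) }   # keep only incomplete settings
    }
}

$gaps = @(Get-LogonAuditGaps)
if ($gaps.Count -eq 0) {
    'Success and Failure auditing is enabled for all Account Logon and Logon/Logoff subcategories.'
} else {
    'Subcategories missing Success and/or Failure auditing:'
    $gaps | Format-Table Category, Subcategory, Setting -AutoSize
}
```

Because `auditpol` reports the effective policy, a gap listed here after the Local Security Policy has been set means another policy source, such as a domain Group Policy applied to the domain controller, is overriding the local setting.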

Document Information

More support for:
IBM Security Network Protection

Software version:
5.3.2, 5.3.3

Document number:
547145

Modified date:
24 January 2021

UID

swg21980531
