Windows event forwarding HTTPS Setup

sa flag

I successfully created a simple WEF setup between two domain servers (WS2019); it all works great as long as it stays on the HTTP protocol.

Once I try to take the leap to HTTPS, no more logs are going to the WEC server.

I have certificates on both hosts issued by the same CA. I followed multiple procedures I found online and redid things while I was troubleshooting.

I can't manage to get this to work.

On the WEC server, in the WinRM logs I always get "The authorization of the user failed with error 5".

And on the client:

The forwarder is having a problem communicating with subscription manager at address https://:5986/wsman/SubscriptionManager/WEC. Error code is 5 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="myclientFQDN"><f:Message>The WinRM client cannot process the request. The destination computer (:5986) returned an 'access denied' error. Specify one of the authentication mechanisms supported by the server. If Kerberos mechanism is used, verify that the client computer and the destination computer are joined to a domain. Possible authentication mechanisms reported by server: Negotiate Kerberos ClientCerts </f:Message></f:WSManFault>.

I drop this here since I ran out of ideas. Thanks.

cn flag
You need to specify whether this is source or collector initiated, and the principal to which access is denied. It sounds like it may be the computer account.
sa flag
You are right, sorry for the lack of details:
sa flag
It's source initiated, but I think I figured it out. The thing is, I was only trying to set up HTTPS but I didn't specifically want to go through certificate authentication. So I think I managed to make HTTPS work while staying on Kerberos authentication.
sa flag
On the source computer I specified the target subscription manager like this: Server=https://fqdnofcollector:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=<thumbprint of the CA certificate>, which I think would allow the use of HTTPS + cert authentication. Now, this was not working in this scenario.
sa flag
I just removed the IssuerCA part of the string and now it's working. I think I'm now in this scenario: HTTPS + Kerberos auth. I checked with Wireshark and it's indeed HTTPS. So now it's working, but I have no way to be sure I'm indeed using Kerberos. At least I reached the objective, which was to enable log forwarding through HTTPS.
sa flag
Does that mean that if you specify the IssuerCA in the string you ask WinRM to use certificate authentication, and if you do not it falls back to another authentication mechanism? But which one? To be sure, I turned off all the authentication mechanisms on the WEC: winrm set WinRM/Config/Client/Auth '@{Basic="false";Digest="false";Kerberos="true";Negotiate="true";Certificate="false";CredSSP="false"}'. I kept "Negotiate" because that's OK, I guess.
cn flag
Certificate authentication is enabled by default, but would not be used if 5986 wasn't enabled, a suitable certificate wasn't available, or another authentication method was attempted successfully. If you want transport encryption but Kerberos authentication, I reckon that's possible and easy to test. Certificates are typically used in perimeter or untrusted networks where Kerberos is not an option.
sa flag
Yes, I think that's the road I'm gonna take. And if I need to collect logs outside of the domain, I will just put a WEC server in every domain we need to collect logs from, which would allow us to use only Kerberos in the entire environment.
sa flag
But when a server starts pushing logs to the WEC server, how can I be sure it used Kerberos as the authentication mechanism? There is no entry in the WinRM logs that confirms that.
sa flag

To make HTTPS work we just have to do the regular stuff we find online.

Set up the HTTPS listener on the WEC server, generate certificates, set the target subscription manager string on the source ...

The problem for me was that while I was enabling HTTPS I was also trying to set up cert authentication, which was not mandatory for me.

I just wanted the logs to be encrypted while they were sent over the network.

The fix was changing the target subscription manager from:

Server=https://fqdnofcollector:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=thumbprint of the CA certificate

to Server=https://fqdnofcollector:5986/wsman/SubscriptionManager/WEC,Refresh=60

My guess is that cert auth is not tried after that, and maybe Kerberos is used instead.

But now logs are getting pushed through HTTPS.
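As an added example (not code from the thread), a PowerShell check for both sides of this setup. On a source host it parses the SubscriptionManager policy strings and reports whether each one uses HTTPS and whether it still carries IssuerCA; on the collector it answers the question raised in the comments (how to tell whether Kerberos was used) by reading the AuthenticationPackageName of the 4624 network logons for the forwarder's computer account. The registry path and event ID are real; the host name SRC01 is a placeholder.

```powershell
# Added example (not from the thread). Source side: read the SubscriptionManager
# policy strings the GPO writes and flag whether each one requests HTTPS and
# whether it carries IssuerCA (i.e. asks for client-certificate authentication).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $PolicyPath) {
    $item = Get-Item $PolicyPath
    foreach ($name in $item.GetValueNames()) {
        $parts = @{}
        foreach ($kv in ($item.GetValue($name) -split ',')) {
            $k, $v = $kv -split '=', 2      # split only on the first '='; the URL has none
            $parts[$k.Trim()] = $v
        }
        [pscustomobject]@{
            Value          = $name
            Https          = $parts['Server'] -like 'https://*'
            ClientCertAuth = $parts.ContainsKey('IssuerCA')
            Server         = $parts['Server']
        }
    }
} else {
    Write-Host 'No SubscriptionManager policy is configured on this host.'
}

# Collector side: WinRM itself does not record the authentication package, but the
# network logon it triggers does. Security event 4624 (logon type 3) for the
# forwarder's computer account shows AuthenticationPackageName = Kerberos or NTLM.
$SourceHost = 'SRC01'                        # placeholder: NetBIOS name of a forwarder
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $data['TargetUserName']             # computer accounts end in '$'
            Type    = $data['LogonType']
            Package = $data['AuthenticationPackageName']
            Process = $data['ProcessName']
        }
    } |
    Where-Object { $_.Account -eq "$SourceHost`$" -and $_.Type -eq '3' } |
    Format-Table -AutoSize
```

Run the first half on a forwarding server and the second half on the collector (both elevated); a Package column reading Kerberos for the forwarder's computer account is the confirmation the WinRM log does not give.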
