Tuesday, May 8, 2007

Auditing events on untrusted computers – Audit Collection Services (ACS)

After having successfully deployed the Operations Manager framework to our primary domain and a few untrusted computers in a workgroup, I ventured to enable ACS and begin collecting audit events. While the documented procedure works fine for those servers within the trusted domain (using Kerberos), the workgroup computers posed a bit of a challenge. Specifically, after enabling audit services on the workgroup computers, numerous security events 529 and 680 began appearing and the computers were refused connection to the collector.

Microsoft mentions in the ACS documentation that Kerberos is used by adtagent.exe to authenticate to the collector, by default, but offers no workaround for computers that are not joined to the domain. The document below steps one through the process of using certificate authentication with ACS. As you will see from the steps required, this could be troublesome, from a management standpoint, when you have many untrusted agents forwarding events.

As time allows, I will publish a more thorough guide. This document, in the interim, should help those that are struggling with this issue. Feel free to contact me at jeff.skelton@gmail.com with any issues to validate that this procedure worked in your environment.




Audra said...

Great work.

Oliver Richardson said...

Good work fella! Worked like a charm and got me out of a fix