Documentation for SolarWinds Platform

Configure Kerberos for WMI authentication in the SolarWinds Platform

Starting with SolarWinds Platform 2022.4, you can use the Kerberos protocol for WMI authentication, with the following exceptions.

  • In 2022.4, Kerberos protocol is supported in the SolarWinds Platform except for polling from SAM and VMAN.
  • In 2023.1, Kerberos support was extended to include SAM polling. VMAN Hyper-V polling remains unsupported.

Configuration

Configure Kerberos on the domain

Step 1: Disable NTLM and configure SPN

Manually

  1. Disable NTLM in the domain.

    Open the Group Policy Editor, go to Security Options (Computer Configuration > Policies > Windows Settings > Security Settings > Security Options), and make sure the following policies are set to Deny all.

    • Network security: Restrict NTLM: Incoming NTLM traffic
    • Network security: Restrict NTLM: NTLM authentication in this domain
    • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  2. Configure SPN using a CMD command.

    Open the Command Prompt and run the following command. Replace <hostname> with the hostname of the current server.

    setspn -Q */<hostname>

Using a script

Run the following PowerShell script on every machine in the domain to restrict NTLM and configure the SPN in one step.

# Restrict NTLM traffic on this machine (2 = Deny all for incoming and outgoing NTLM; 7 = Deny all for NTLM authentication in the domain)
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictReceivingNTLMTraffic" -Value 2 -Type DWord
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 2 -Type DWord
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name "RestrictNTLMInDomain" -Value 7 -Type DWord

# Get the hostname of the device and query the SPNs registered for it (setspn -Q lists the matching SPNs)
$computerName = $env:computername
setspn -Q "*/$computerName"

Step 2: Configure the DNS server in the Domain Controller

The Forward Lookup Zones and Reverse Lookup Zones should be configured to make Kerberos work.

Step 3: Configure trust settings between different Active Directory forests

If any nodes are in domains in different AD forests, you need to configure trust between these forests to be able to poll these nodes.

  1. First, configure Conditional Forwarders on each AD domain controller.

    1. Go to Server Manager > Tools > DNS.

    2. In DNS Manager, go to the Conditional Forwarder menu and select New Conditional Forwarder.

    3. In the New Conditional Forwarder menu, enter the DNS Domain and IP Address of the Domain Controller that is in the other forest.

    4. Repeat steps 1 to 3 on the other Domain Controller.

  2. Configure trust between AD domains.

    1. Go to Server Manager > Tools > Active Directory Domains and Trusts.

    2. Select the domain and go to Properties.

    3. In the Properties menu, go to the Trusts tab and click New Trust.

    4. Enter the domain name and click Next.

    5. Select Forest trust and click Next.

    6. Select Two-way and click Next.

    7. Select Both this domain and the specified domain and click Next.

    8. Enter the user name and password for the specified domain and click Next.

    9. Select Forest-wide authentication and click Next.

    10. Review the trust settings and click Next.

    11. Review the Trust Creation Complete screen and click Next.

    12. Select Yes, confirm the outgoing trust and click Next.

    13. Select Yes, confirm the incoming trust and click Next.

    14. Click Finish.

You should now see the added trusts on both Domain Controllers.

Configure the SolarWinds Platform to use Kerberos

To use Kerberos, the following requirements must be met:

  • DNS: Both Reverse and Forward lookup zones must be configured.
  • SPN must be registered.
  • Credentials must be in the correct form.
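The three requirements above can be checked before switching the polling mode. The following PowerShell function is an added example, not SolarWinds documentation or product code; it assumes it runs on a domain-joined Windows host with setspn.exe on the path, and that the target is given by hostname rather than IP address.

```powershell
# Added pre-flight check: DNS forward/reverse lookup, SPN registration, credential format.
function Test-KerberosWmiPrerequisites {
    param(
        [Parameter(Mandatory)][string]$TargetHost,   # hostname or FQDN of the node to be polled
        [Parameter(Mandatory)][string]$Credential    # user name exactly as it will be entered in SolarWinds
    )
    $ok = $true; $fqdn = $null; $ip = $null

    # 1. Forward lookup: the hostname must resolve to an address and yield an FQDN.
    try {
        $entry = [System.Net.Dns]::GetHostEntry($TargetHost)
        $fqdn  = $entry.HostName
        $ip    = ($entry.AddressList | Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1).IPAddressToString
        Write-Host "Forward lookup: $TargetHost -> $fqdn ($ip)"
    } catch {
        Write-Warning "Forward lookup failed for ${TargetHost}: $($_.Exception.Message)"; $ok = $false
    }

    # 2. Reverse lookup: the address must map back to an FQDN (strict mode resolves IP -> FQDN).
    if ($ip) {
        try {
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
            if ($ptr -notlike '*.*') { Write-Warning "Reverse lookup for $ip returned '$ptr', not an FQDN"; $ok = $false }
            else { Write-Host "Reverse lookup: $ip -> $ptr" }
        } catch {
            Write-Warning "Reverse lookup failed for $ip (add a PTR record to the Reverse Lookup Zone)"; $ok = $false
        }
    }

    # 3. SPN: setspn -Q prints "Existing SPN found!" when an SPN matching */<fqdn> is registered.
    if ($fqdn) {
        $spnOut = & setspn.exe -Q "*/$fqdn" 2>&1 | Out-String
        if ($spnOut -match 'Existing SPN found') { Write-Host "SPN registered for $fqdn" }
        else { Write-Warning "No SPN registered for $fqdn"; $ok = $false }
    }

    # 4. Credential format: <FullDomainName>\<Username> or <Username>@<FullDomainName>.
    #    The domain part must be the full DNS name (contains a dot), not the NetBIOS short name.
    $credOk = ($Credential -match '^[^\\@]+\.[^\\@]+\\[^\\@]+$') -or ($Credential -match '^[^\\@]+@[^\\@]+\.[^\\@]+$')
    if (-not $credOk) { Write-Warning "Credential '$Credential' is not in <FullDomainName>\<Username> or <Username>@<FullDomainName> form"; $ok = $false }

    return $ok
}

# Usage (hostname and account are constructed placeholders):
# Test-KerberosWmiPrerequisites -TargetHost 'node01.corp.example.com' -Credential 'corp.example.com\svc-poll'
```

A return value of $false with the printed warnings maps directly onto the Troubleshooting entries later on this page (FQDN resolution, SPN, credential format).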

Step 1: Configure polling settings

  1. In SolarWinds Platform Web Console, click Settings > All Settings, and then click Polling Settings.

  2. In the Authentication section, select the WMI Authentication Mode to be applied.

    Kerberos strict

    This mode forces the use of Kerberos. The SolarWinds Platform always tries to resolve the IP address and hostname to find the FQDN.

    If the SolarWinds Platform fails to create a connection using the Kerberos authentication protocol, a connection error is logged and you can see it in the SolarWinds Platform Web Console.

    Kerberos preferred

    This mode tries to connect using Kerberos first. If the SolarWinds Platform fails to create a connection using the Kerberos authentication protocol, a connection error is logged and the SolarWinds Platform tries to connect using NTLM and the IP address.

    Default

    This mode uses NTLM.

  3. Submit the changes. The new setting will be applied within a few minutes.

Step 2: Configure Cortex

  1. Open the File Explorer and go to the Orion Installation Folder.

  2. Open the SolarWinds.Cortex.appsettings.json file.

    Default location: C:\Program Files\SolarWinds\Orion\SolarWinds.Cortex.appsettings.json

  3. In the file, find the WmiConfig section and modify the WmiAuthenticationMode property. Make sure the value corresponds with the required WMI authentication:

    • KerberosStrict
    • KerberosPreferred
    • Default
  4. Save the changes and restart Cortex using the SolarWinds Platform Service Manager.

Step 3: Add WMI credentials in the correct format

To make Kerberos authentication work, you have to use a domain-level account. In addition, you have to enter the credentials in the SolarWinds Platform in one of the following strict forms:

  • <FullDomainName>\<Username>

  • <Username>@<FullDomainName>

Verify that SolarWinds Platform is working with Kerberos

Verify that WMI node data is polled and that Real-Time polling works correctly. SNMP nodes are not affected by the changes.

Verify that the connection is working for SolarWinds Platform

  1. In the SolarWinds Platform Web Console, click Settings > Manage Nodes, and select a WMI-polled node.

  2. Click Edit Properties and scroll down to the Polling Method section.

  3. Click Test to test the credentials. The test should be successful.

Verify connection is working for Cortex

  1. In the SolarWinds Platform Web Console, click Settings > Manage Nodes, and click a WMI-polled node.

  2. On the Node Details view, click Performance Analyzer in the Management widget.

  3. Make sure that Historical Data is presented.

  4. Make sure that Real-Time polling works.

Troubleshooting

Cannot resolve IP address to FQDN in logs

Kerberos requires an FQDN to establish a connection between two machines. To address this issue, add all machines, including the domain controller, to the Forward and Reverse Lookup Zones on the DNS server.

The RPC server is unavailable

This is a generic error that might indicate the following issues.

Incorrect credentials

  • Make sure you specified credentials in the correct format.
  • Make sure the password is correct.
  • Check the permissions for your Windows user.

WMI Service is turned off on the target machine

Invalid namespace error

Verify that the namespace exists on the target machine using the WBEMTEST application in Windows.

  1. On the target machine, enter WBEMTEST in the Start menu.
  2. In the Windows Management Instrumentation Tester window, click Connect...
  3. Enter the namespace in the Namespace field and click Connect.
  4. If the namespace doesn't exist, an Invalid namespace error appears.

A missing namespace indicates that some components or applications, such as IIS, SQL, DNS or DHCP, were not installed properly. Fix the installation of those components.
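The WBEMTEST check above can be reproduced from the SolarWinds server itself, forcing Kerberos over DCOM so that the result reflects what the Kerberos strict polling mode would see. This PowerShell function is an added example, not SolarWinds documentation or product code; it assumes the target FQDN resolves both ways and that the account is entered in the <Username>@<FullDomainName> form.

```powershell
# Added troubleshooting helper: open a Kerberos-only DCOM/WMI session and walk the namespace path.
function Test-KerberosWmiNamespace {
    param(
        [Parameter(Mandatory)][string]$Fqdn,               # must be the FQDN, not an IP address
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Namespace = 'root\cimv2'
    )
    # DCOM is the transport WMI polling uses; -Authentication Kerberos does not fall back to NTLM,
    # so a failure here reproduces what the Kerberos strict mode would log.
    $opt = New-CimSessionOption -Protocol Dcom
    try {
        $session = New-CimSession -ComputerName $Fqdn -Credential $Credential `
                                  -Authentication Kerberos -SessionOption $opt -ErrorAction Stop
    } catch {
        # "The RPC server is unavailable" surfaces here: DNS, firewall, stopped WMI service or bad credentials.
        Write-Warning "Cannot open a Kerberos/DCOM session to ${Fqdn}: $($_.Exception.Message)"
        return $false
    }
    try {
        # Descend one level at a time, like WBEMTEST's Connect, so the report names the missing level.
        $parent = $null
        foreach ($part in ($Namespace -split '\\')) {
            if ($null -eq $parent) { $parent = $part; continue }   # 'root' always exists
            $child = Get-CimInstance -CimSession $session -Namespace $parent -ClassName __NAMESPACE -ErrorAction Stop |
                     Where-Object Name -eq $part
            if (-not $child) {
                Write-Warning "Namespace '$parent\$part' does not exist on $Fqdn (component not installed?)"
                return $false
            }
            $parent = "$parent\$part"
        }
        Write-Host "Namespace '$Namespace' exists on $Fqdn and is reachable with Kerberos."
        return $true
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage (hostname and account are constructed placeholders; Get-Credential prompts for the password):
# Test-KerberosWmiNamespace -Fqdn 'node01.corp.example.com' -Credential (Get-Credential 'svc-poll@corp.example.com')
```

Pass -Namespace with the namespace a failing poller reports (for example the one named in an Invalid namespace error) to confirm whether the component is installed on the target.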

Cannot pass the credentials test for the remote agent deployment

Use the hostname instead of the IP address. Kerberos requires the hostname rather than the IP address. If an IP address cannot be resolved to a hostname, your DNS server is configured incorrectly.

Cannot deploy the agent or WPM Player using the remote installer

The agent/WPM Player deployment never ends or you see errors during the deployment.

  • The remote installer uses port 4091; make sure the port is open.
  • Use the hostname instead of IP address.
  • Deploy the agent/WPM Player on the target machine manually and then add it using the SolarWinds Platform Web Console.

Real time polling/Cortex metrics don't work on WMI nodes

When you click Start RealTime Polling, no data is showing or historical data is missing for some metrics.

To resolve the issue, complete the steps in Step 2: Configure Cortex and wait for Cortex to start using the updated settings values.

Adding an Exchange node to HCO with Kerberos authentication enabled results in a timeout

If adding an Exchange node takes too long or results in a timeout, use the following workarounds.

Add Node wizard

Do not use WMI to poll the Exchange node. In the Add Node wizard, select an alternative polling method.

See Add a single node for monitoring to the SolarWinds Platform.

Network Discovery

Avoid discovering Exchange 2016 nodes via WMI. Before you start a discovery, add Exchange nodes manually using ICMP or SolarWinds Platform Agent polling. See Discover your network for the SolarWinds Platform with the Discovery Wizard.

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.