Configure Kerberos for WMI authentication in the SolarWinds Platform
Starting with SolarWinds Platform 2022.4, you can use the Kerberos protocol for WMI authentication, with the following exceptions:
- In 2022.4, Kerberos is supported in the SolarWinds Platform except for polling from SAM and VMAN.
- In 2023.1, Kerberos support was extended to include SAM polling. VMAN Hyper-V polling remains unsupported.
- Configure Kerberos on the domain
- Configure the SolarWinds Platform to use Kerberos
- Verify that SolarWinds Platform is working with Kerberos
- Step 1: Disable NTLM and configure SPN
- Step 2: Configure the DNS server in the Domain Controller
- Step 3: Configure trust settings between different Active Directory forests
Disable NTLM in the domain.
Open the Group Policy Management Editor, go to Security Options (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options), and make sure the following policies are set to Deny all. Note that these settings block NTLM for every service in the domain, not only for WMI polling; set the corresponding Audit policies ("Audit Incoming NTLM Traffic", "Audit NTLM authentication in this domain") first and review the NTLM Operational event log for applications that still depend on NTLM before you switch to Deny all.
- Network security: Restrict NTLM: Incoming NTLM traffic
- Network security: Restrict NTLM: NTLM authentication in this domain
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Verify the SPN using a CMD command.
Open a command prompt and run the following command, replacing <hostname> with the hostname of the current server:
setspn -Q */<hostname>
The -Q switch only queries: it lists the SPNs registered for the host and does not create any. A domain-joined computer registers its HOST/<hostname> and HOST/<FQDN> entries automatically when it joins the domain; if they are missing, register them with setspn -S HOST/<fqdn> <hostname> (the -S switch checks for duplicate SPNs before adding).
Using a script
Run the following PowerShell script, from an elevated prompt, on every machine in the domain to restrict NTLM and query the SPN in one step. The registry values are the ones the Group Policy settings above write; if the GPO is also applied, Group Policy re-applies its values on the next refresh.
# Restricting NTLM traffic on the machine: these are the registry values the
# "Restrict NTLM" Group Policy settings above write (2 = Deny all, 7 = Deny all)
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictReceivingNTLMTraffic" -Value 2
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 2
# "NTLM authentication in this domain" is evaluated on domain controllers
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name "RestrictNTLMInDomain" -Value 7
# Getting the hostname of the device and querying its SPNs (setspn -Q lists them; it does not register any)
$computerName = $env:computername
setspn -Q */$computerName
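Before switching the policies to Deny all, a practitioner wants to know which hosts and processes still authenticate with NTLM. The following script is an added example, not SolarWinds code: it sets the audit counterparts of the three policies above (Audit instead of Deny) and then summarizes the resulting events from the Microsoft-Windows-NTLM/Operational log. It assumes an elevated Windows PowerShell session on a domain-joined machine; the registry value names are those of the Group Policy settings, and the event IDs are the ones that log writes.

```powershell
# Added example, not SolarWinds code. Run elevated on the machine (or domain
# controller) whose NTLM use you want to measure before denying NTLM.
$lsa      = 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'

function Enable-NtlmAudit {
    # "Audit Incoming NTLM Traffic": 2 = enable auditing for all accounts
    Set-ItemProperty -Path $lsa -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    # "Outgoing NTLM traffic to remote servers": 1 = Audit all (2 would be Deny all)
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # "Audit NTLM authentication in this domain" (domain controllers): 7 = Enable all
    Set-ItemProperty -Path $netlogon -Name AuditNTLMInDomain -Value 7 -Type DWord
}

function Get-NtlmUsage {
    param([int]$Days = 7)
    # 8001 = outgoing NTLM from this host, 8002 = incoming NTLM to this host,
    # 8003/8004 = NTLM authentication for domain accounts seen on a domain controller.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the typed EventData fields from the event XML (target server, client
        # process, user, domain) instead of parsing the localized message text.
        $fields = ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.'#text' }
        '{0}: {1}' -f $_.Id, ($fields -join '; ')
    } | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

Enable-NtlmAudit
# Let at least one full polling cycle run under the audit settings, then list what
# would have been blocked. An empty result means the Deny values are safe to apply.
Get-NtlmUsage -Days 7 | Format-Table -AutoSize -Wrap
```

Once the summary stays empty across a representative polling window, apply the Deny values from the script above (or the Group Policy settings) and keep the audit log as the place to look when a node unexpectedly stops polling.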
Both Forward Lookup Zones and Reverse Lookup Zones must be configured for Kerberos to work. The SolarWinds Platform resolves a node's IP address to an FQDN (reverse lookup) and builds the service principal name it requests a ticket for from that FQDN, so every polled node and every domain controller needs a matching A record and PTR record.
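The DNS and SPN requirements above are the two things that most often break a Kerberos-only deployment, and both can be checked from the polling engine before the mode is switched. The following is an added example, not SolarWinds code: for each node it resolves the forward record, resolves the address back to a PTR, checks that the two names agree, and checks that the computer account carries the HOST/<fqdn> SPN that DCOM/WMI authenticates to (the same entry that setspn -Q */<hostname> lists). It assumes the RSAT ActiveDirectory module is available, that the nodes live in the poller's own domain (add -Server to Get-ADComputer for other forests), and the host names are constructed placeholders.

```powershell
# Added example, not SolarWinds code. Run on the polling engine with the
# ActiveDirectory module installed. Host names are constructed placeholders.
function Test-KerberosDnsAndSpn {
    param([Parameter(Mandatory)][string[]]$HostName)
    foreach ($h in $HostName) {
        $fqdn = $null; $ip = $null; $ptr = $null; $hostSpn = $false; $problems = @()

        # Forward lookup: the name the poller uses must resolve to an address.
        $a = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($a) { $fqdn = $a.Name.TrimEnd('.'); $ip = $a.IPAddress }
        else    { $problems += 'no A record' }

        # Reverse lookup: the platform resolves the IP back to an FQDN and builds the
        # SPN from that name, so the PTR must name the same host as the A record.
        if ($ip) {
            $p = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
            if ($p) {
                $ptr = $p.NameHost.TrimEnd('.')
                if ($ptr -ine $fqdn) { $problems += "PTR '$ptr' does not match A name '$fqdn'" }
            } else { $problems += 'no PTR record' }
        }

        # SPN: DCOM/WMI authenticates to the computer account's HOST/<fqdn> principal.
        if ($fqdn) {
            $short = ($fqdn -split '\.')[0]
            $comp = Get-ADComputer -Filter "Name -eq '$short'" -Properties servicePrincipalName -ErrorAction SilentlyContinue
            $hostSpn = [bool]($comp.servicePrincipalName | Where-Object { $_ -ieq "HOST/$fqdn" })
            if (-not $hostSpn) { $problems += "HOST/$fqdn not registered on the computer account" }
        }

        [pscustomobject]@{
            Host = $h; FQDN = $fqdn; IP = $ip; PTR = $ptr; HostSpn = $hostSpn
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample input; replace with the WMI nodes the poller manages.
Test-KerberosDnsAndSpn -HostName 'sql01.corp.example', 'web02.corp.example', 'dc01.corp.example' |
    Format-Table -AutoSize
```

A node with anything in the Problems column will fail in Kerberos-only mode and, in the fallback mode, will quietly keep polling over NTLM; fix the DNS record or SPN rather than the polling mode.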
If any nodes are in domains in different AD forests, you need to configure a trust between these forests to be able to poll those nodes.
Configure Conditional Forwarders on each AD domain controller first.
Go to Server Manager > Tools > DNS.
In DNS Manager, go to the Conditional Forwarder menu and select New Conditional Forwarder.
In the New Conditional Forwarder dialog, enter the DNS domain and the IP address of a domain controller in the other forest.
Repeat the previous three steps on a domain controller in the other forest.
Configure trust between AD domains.
Go to Server Manager > Tools > Active Directory Domains and Trusts.
Select the domain and open Properties.
In the Properties dialog, go to the Trusts tab and click New Trust.
Enter the domain name and click Next.
Select Forest trust and click Next.
Select Two-way and click Next.
Select Both this domain and the specified domain and click Next.
Enter user name and password for the specified domain and click Next.
Select Forest-wide authentication and click Next.
Review the trust settings and click Next.
Review the Trust Creation Complete screen and click Next.
Select Yes, confirm the outgoing trust and click Next.
Select Yes, confirm the incoming trust and click Next.
You should now see the added trusts on both domain controllers.
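The wizard steps above can be verified (and the forwarder created) from PowerShell on a domain controller. The following is an added example, not SolarWinds code: it adds the conditional forwarder for the other forest if it is missing, then reports whether the other forest's domain controllers can be located through it and whether the trust has the properties the wizard was asked for (two-way, forest-transitive, forest-wide rather than selective authentication). It assumes the DnsServer and ActiveDirectory modules present on a domain controller; the forest name and address are constructed placeholders.

```powershell
# Added example, not SolarWinds code. Run on a domain controller in each forest.
$otherForest = 'partner.example'   # constructed placeholder
$otherDcIp   = '10.20.0.10'        # constructed placeholder

# Equivalent of DNS Manager > Conditional Forwarders > New Conditional Forwarder.
if (-not (Get-DnsServerZone -Name $otherForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $otherForest -MasterServers $otherDcIp -ReplicationScope Forest
}

function Test-ForestTrust {
    param([Parameter(Mandatory)][string]$Forest)
    # Kerberos referrals to the other forest need its DC locator record to resolve
    # through the forwarder; if this fails the trust cannot be used even if it exists.
    $srv   = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Forest" -Type SRV -ErrorAction SilentlyContinue
    $trust = Get-ADTrust -Filter "Name -eq '$Forest'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Forest           = $Forest
        DcLocatorResolves = [bool]$srv
        TrustExists      = [bool]$trust
        # "Two-way" in the wizard
        BiDirectional    = ($trust.Direction -eq 'BiDirectional')
        # "Forest trust" rather than an external trust
        ForestTransitive = [bool]$trust.ForestTransitive
        # "Forest-wide authentication" means selective authentication is off
        SelectiveAuth    = [bool]$trust.SelectiveAuthentication
    }
}

Test-ForestTrust -Forest $otherForest
```

Run the same check from the other forest with the names swapped; both sides must report the DC locator record resolving and a bidirectional, forest-transitive trust.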
To use Kerberos, the following requirements must be met:
- DNS: Both Reverse and Forward lookup zones must be configured.
- SPN must be registered.
- Credentials must be in the correct form.
In SolarWinds Platform Web Console, click Settings > All Settings, and then click Polling Settings.
In the Authentication section, select the WMI Authentication Mode to be applied.
This mode forces Kerberos. The SolarWinds Platform always resolves the IP address and hostname to find the FQDN, because the Kerberos ticket is requested for a service principal name built from that FQDN.
If the SolarWinds Platform fails to create a connection using Kerberos, a connection error is logged and you can see it in the SolarWinds Platform Web Console; no NTLM fallback is attempted.
This mode tries Kerberos first. If the SolarWinds Platform fails to create a connection using Kerberos, a connection error is logged and the SolarWinds Platform falls back to NTLM using the IP address. Because NTLM stays available, a node that cannot be reached with Kerberos (for example, because its PTR record is missing) continues to be polled over NTLM, so this mode does not enforce Kerberos; use it while migrating and switch to the Kerberos-only mode once all nodes connect with Kerberos.
This mode uses NTLM only.
Submit the changes. The new setting will be applied within a few minutes.
Open File Explorer and go to the Orion installation folder.
In the file, find the WmiConfig section and modify the WmiAuthenticationMode property. Make sure the value corresponds with the required WMI authentication mode.
Save the changes and Restart Cortex using the SolarWinds Platform Service Manager.
To make Kerberos authentication work, you have to use a domain-level account; a local account on the node cannot obtain a Kerberos ticket. In addition, in the SolarWinds Platform you have to enter credentials in strict form:
Verify that data for WMI nodes are polled and that Real-Time polling works correctly. SNMP nodes are not affected by the changes.
In the SolarWinds Platform Web Console, click Settings > Manage Nodes, and select a WMI-polled node.
Click Edit Properties and scroll down to the Polling Method section.
Click Test to test the credentials. The test should be successful.
In the SolarWinds Platform Web Console, click Settings > Manage Nodes, and click a WMI-polled node.
On the Node Details view, click Performance Analyzer in the Management widget.
Make sure that Historical Data are presented.
Make sure that Real-Time polling works.
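The credential test and Performance Analyzer above show that a connection works, but not which protocol it used. The following is an added example, not SolarWinds code, for confirming that from the polling engine: it opens a DCOM WMI connection to a node by FQDN (SolarWinds polls WMI over DCOM, not WinRM), and then checks klist for a service ticket to HOST/<fqdn>, which a Kerberos connection leaves in the logon session and an NTLM connection does not. It assumes you run it as the domain account used for polling, without explicit -Credential (tickets obtained with explicit credentials are not shown by klist for the current session), and the node name is a constructed placeholder.

```powershell
# Added example, not SolarWinds code. Run as the polling domain account on the
# polling engine. Node names are constructed placeholders.
function Test-WmiKerberos {
    param([Parameter(Mandatory)][string]$Target)
    $opt = New-CimSessionOption -Protocol Dcom   # same transport the platform uses for WMI
    $result = [ordered]@{ Target = $Target; Connected = $false; KerberosTicket = $false; Error = $null }
    try {
        $s = New-CimSession -ComputerName $Target -SessionOption $opt -ErrorAction Stop
        $null = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.Connected = $true
        Remove-CimSession $s
    } catch { $result.Error = $_.Exception.Message }

    # klist lists the current logon session's Kerberos tickets. After a successful
    # connection, a line "Server: HOST/<fqdn> @ REALM" proves Kerberos was used;
    # a successful connection without it means the session fell back to NTLM.
    $tickets = klist 2>$null
    $result.KerberosTicket = [bool]($tickets | Where-Object {
        $_ -match "Server:\s+HOST/$([regex]::Escape($Target))"
    })
    [pscustomobject]$result
}

# By FQDN: expected Connected = True and KerberosTicket = True.
Test-WmiKerberos -Target 'sql01.corp.example'
# By IP address: no name to build an SPN from, so Kerberos is impossible. With NTLM
# denied this should fail; if it connects, NTLM is still being negotiated somewhere.
Test-WmiKerberos -Target '10.0.0.25'
```

A node that connects by FQDN but shows no HOST/ ticket is the case the fallback mode hides: it is being polled, but over NTLM, and it will stop polling when NTLM is denied.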
- Cannot resolve IP address to FQDN in logs
- The RPC server is unavailable
- Cannot pass the credentials test for the remote agent deployment
- Cannot deploy the agent or WPM Player using the remote installer
- Real time polling/Cortex metrics don't work on WMI nodes
- Adding an Exchange node to HCO with Kerberos authorization enabled results in a timeout
Kerberos requires an FQDN to establish a connection between two machines. To address this issue, add all machines, including the domain controller, to the Forward and Reverse Lookup Zones on the DNS server.
This is a generic error that might indicate the following issues.
- Make sure you specified credentials in the correct format.
- Make sure the password is correct.
- Check the permissions for your Windows user.
WMI Service is turned off on the target machine
- See RPC Quick Fixes in Windows Server Troubleshooting: RPC server is unavailable (© 2022 Microsoft, available at https://msdn.microsoft.com, obtained on November 14, 2022.)
- Make sure the Winmgmt service is running. In the Windows Task Manager, go to Services and search for WinMgmt.
Invalid namespace error
Verify that the namespace exists on the target machine using the WBEMTEST application in Windows.
- On the target machine, enter WBEMTEST in the Start menu.
- In the Windows Management Instrumentation Tester window, click Connect...
- Enter the namespace in the Namespace field and click Connect.
- If the namespace doesn't exist, an Invalid namespace error opens.
A missing namespace indicates that some components/applications like IIS/SQL/DNS/DHCP were not installed properly. Fix the installation of components.
Use the hostname instead of the IP address. Kerberos requires a hostname, because a service principal name cannot be built from an IP address. Not being able to resolve an IP address to a hostname indicates an incorrect DNS configuration, typically a missing or stale PTR record.
The agent/WPM Player deployment never ends or you see errors during the deployment.
- The remote installer uses port 4091; make sure the port is open.
- Use the hostname instead of IP address.
- Deploy the agent/WPM Player on the target machine manually and then add it using the SolarWinds Platform Web Console.
When you click Start Real-Time Polling, no data is shown or historical data are missing for some metrics.
To resolve the issue, complete the steps in Step 2: Configure Cortex and wait for Cortex to start using the updated settings.
If adding an Exchange node takes too long or results in a timeout, use the following workarounds.
Add Node wizard
Do not use WMI to poll the Exchange node. In the Add Node wizard, select an alternative polling method.
- Select ICMP as the polling method and assign the Exchange AppInsight manually. See Configure AppInsight for Exchange on nodes.
- Use SolarWinds Platform Agent polling.
Avoid discovering Exchange 2016 nodes via WMI. Before you start a discovery, add Exchange nodes manually using ICMP or SolarWinds Platform Agent polling. See Discover your network for the SolarWinds Platform with the Discovery Wizard.
The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.