Prerequisites to Installing the Passive Identity Agent

The following task shows how to configure Windows Group Policy Object (GPO) security settings to enable the passive identity agent to log successful and unsuccessful Kerberos authentication attempts. This setting is required for the passive identity agent to function properly.

For more information, see Audit Policy Recommendations on learn.microsoft.com.

Before you begin

Make sure your systems meet the following requirements:

  • If you install it on a Windows Active Directory server, the server must run Windows Server 2008 or later.

  • If you install it on a Windows client attached to the domain, the client must run Windows 8 or later.

  • The system clock on all systems must be synchronized. We strongly recommend using the same NTP servers on all of them. This means:

    • The Security Cloud Control.

      For more information, see Configure NTP Server.

    • All Windows Active Directory servers and domain controllers.

    • The machine on which the passive identity agent is installed.

  • Security Cloud Control must run November 8, 2024 or later.

  • You must enable Snort 3 on the Secure Firewall Threat Defense devices.

Procedure

Step 1

Log in to the Active Directory Server as an administrator.

Step 2

As Administrator, open a DOS command prompt.

Step 3

Enter gpmc.msc to start the Group Policy Management Editor.

Step 4

If necessary, create a new GPO; if one already exists, edit it.

For more information about creating a GPO, see a resource like Create a Group Policy Object on learn.microsoft.com.

Step 5

In your GPO, expand Computer Configuration > Windows Settings > Security Settings > Advanced Policy Configuration > Audit Policies.

Step 6

Click Account Logon.

Step 7

In the right pane, double-click Audit Kerberos Authentication Service.

Step 8

In the dialog box that is displayed, select all checkboxes which enables the system to log successes and failures.

The following figure shows an example.

Step 9

Follow the prompts on your screen to save the changes.

Step 10

(Optional.) To update GPO immediately, enter gpupdate /force in your DOS command prompt window.

What to do next

See Install the Passive Identity Agent Software.