IBM Support

QRadar: WinCollect fails to authenticate in a Windows 2012 domain environment, 0xc000006e status code reported

Troubleshooting


Problem

When using WinCollect, users might experience failed authentications for the log source even though the username and password are correct.

Symptom

Here is an example of the Audit Failure event you might see on the system where WinCollect is installed:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006e
Sub Status: 0xc000006e


Microsoft usually provides a Sub Status code that gives more detail on the reason for the failure, but in this case you get the same 0xc000006e code for both Status and Sub Status. This code is the NTSTATUS value STATUS_ACCOUNT_RESTRICTION: the credentials themselves were accepted, but a restriction on the account prevented the logon. A plain wrong password reports 0xc000006d (STATUS_LOGON_FAILURE) instead, so 0xc000006e is the first hint that the problem is the account configuration rather than the credentials entered in the log source.

Cause

Windows Server 2012 R2 introduced the Protected Users security group, which prohibits members from authenticating with NTLM. If you check the Audit Failure event on the Windows 2012 R2 server, you see event ID 8422 with a better description:


NTLM authentication failed because the account was a member of the Protected User group.
Account Name: testuser
Device Name: Wincollect
Error Code: 0xC000006E

Resolving The Problem

Windows Server 2012 R2 includes a new security group, Protected Users, whose members cannot use NTLM authentication. If the WinCollect user is a member of the Protected Users group, the log source cannot authenticate because of the account restrictions. As the Microsoft documentation states, "Accounts for services and computers should never be members of the Protected Users group". To resolve this issue, your Windows administrator must remove the WinCollect log source user from Protected Users and place it in a group that grants only the permissions needed to read event logs.

NOTE: Instead of Protected Users, make your WinCollect user a member of the Event Log Readers Active Directory group (preferred) or, if necessary, the Backup Operators group. These groups typically have the default permissions required to poll for local or remote events on most Windows hosts. Keep in mind that Backup Operators also carries the backup and restore privileges, which let a member read any file on the host regardless of its ACL, so Event Log Readers is the least-privilege choice for a log collection account.




To change a security group for a user in Windows 2012 R2
  1. Open the Active Directory Users and Computers tool.
  2. Expand the domain that contains the WinCollect user.
  3. Click Users.
  4. Open the Protected Users group.
  5. Click the Members tab.
  6. Select the WinCollect user account.
  7. Click Remove.
  8. Click OK.
  9. Select the Event Log Readers group.
  10. Click the Members tab.
  11. Click Add.
    NOTE: This action assigns the WinCollect user to the Event Log Readers group (preferred). Optionally the Backup Operators group will have sufficient permissions to poll for security events on most hosts.
  12. Click OK.
  13. Log in to QRadar and disable, then enable the WinCollect log source. Optionally, you can restart the WinCollect service on the Windows host to start polling for events when multiple log sources on an agent are experiencing permission issues.
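The same change can be made and verified from PowerShell on a domain-joined administration host with the RSAT Active Directory module installed. The following script is an added example and is not part of this technote or of WinCollect: it confirms the symptom (Security event 4625 carrying status 0xC000006E for the account), confirms the cause (membership in Protected Users), performs steps 1 to 12 above, and then shows the resulting group membership. The account name testuser, the one-hour lookback for the Security log, and the Windows service name WinCollect are assumptions to adjust for your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the IBM technote or from WinCollect.
# Run as a domain administrator. The account name, the lookback window and the
# WinCollect service name below are assumptions for illustration.

$User                     = 'testuser'      # WinCollect log source account (assumed)
$StatusAccountRestriction = '0xC000006E'    # STATUS_ACCOUNT_RESTRICTION, the code in the technote

# 1. Confirm the symptom: Security event 4625 (an account failed to log on)
#    with status 0xC000006E for this account in the last hour (assumed window).
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Where-Object {
    $_.Message -match "Account Name:\s+$User" -and
    $_.Message -match "Status:\s+$StatusAccountRestriction"
}
"Found $($failures.Count) logon failure(s) with status $StatusAccountRestriction for $User"

# 2. Confirm the cause: is the account a member of Protected Users?
$groups = Get-ADPrincipalGroupMembership -Identity $User |
    Select-Object -ExpandProperty Name

if ($groups -contains 'Protected Users') {
    "$User is a member of Protected Users; NTLM is refused for this account."

    # 3. Remove the account from Protected Users and add it to Event Log Readers,
    #    the group the technote prefers. Backup Operators would also allow
    #    polling but grants backup/restore privileges, so it is not used here.
    Remove-ADGroupMember -Identity 'Protected Users'  -Members $User -Confirm:$false
    Add-ADGroupMember    -Identity 'Event Log Readers' -Members $User
}
else {
    "$User is not in Protected Users; the 0xC000006E restriction has another cause."
}

# 4. Show the resulting membership so the change can be verified before the
#    log source is disabled and re-enabled in QRadar.
Get-ADPrincipalGroupMembership -Identity $User |
    Select-Object Name, GroupCategory, GroupScope

# 5. Optional: restart the WinCollect agent service on this host so that all
#    of its log sources start polling again (service name is assumed).
if (Get-Service -Name 'WinCollect' -ErrorAction SilentlyContinue) {
    Restart-Service -Name 'WinCollect'
}
```

Run the Security-log check on the host that rejected the logon (the polled Windows host, which is the WinCollect host itself for local polling); the group membership commands work from any domain-joined host that can reach a domain controller. Group membership changes take effect at the next logon, so the log source still has to be disabled and re-enabled in QRadar, or the agent service restarted, as in step 13.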


Results
The WinCollect agent attempts to poll for events. The administrator can confirm that events are being sent to QRadar from the WinCollect agent by using the Log Activity tab. If you have questions about this technical note, see: https://ibm.biz/qradarforums.





Document Information

Modified date:
16 June 2018

UID

swg22013201