DC Security Logs with Advanced Auditing

Description

SSO not authenticating via DC Logs and the Group Policy Objects are set to use advanced auditing.

Cause

When using Advanced Auditing from Group Policy the settings configured in Policies -> Windows Settings -> Security Settings -> Audit Policy - no longer take effect

Resolution

The following Event IDs need to be configured if using Advanced Auditing:


4624 - Audit Logon (located in Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration > Audit Policies -> Logon/Logoff -> Audit Logon)

Image

4768 - Audit Kerberos Authentication Service (located in Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration > Audit Policies -> Account Logon -> Audit Kerberos Authentication Service)

Image

4769 & 4770 - Audit Kerberos Service Ticket Operations (located in Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration > Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations)

Image

4634 - Audit Logoff (located in Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration > Audit Policies -> Logon/Logoff -> Audit Logoff)

Image

4661 - Audit Kernel Object (located in Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration > Audit Policies -> Object Access -> Audit Kernel Object)

Image

Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
SonicWall NSA Series
Firewalls
SonicWall SuperMassive 9000 Series
Firewalls
SonicWall SuperMassive E10000 Series
Firewalls
TZ Series
not finding your answers?
Ask the Community