Getting lots of "Privilege escalation using forged authorization data" alerts

  • Question

  • We recently updated our ATA installation to version 1.6 and we're getting a lot of "Privilege escalation using forged authorization data" alerts in the console.  We can see that the information is all for an application we use company wide called Projectwise and the software appears to be generating these even though everything is operating as expected.  Is there any way we can mark a bunch of these as dismissed in bulk instead of having to go through each one?  Or has anyone tried to dig into these sorts of alerts with a software vendor to try and find out why the traffic is coming up suspicious?  We've got over 500 of them in 3 days, so it's getting a bit out of hand...
    Monday, May 16, 2016 2:57 PM

All replies

  • Hi Nfields80,

    We are aware of a similar issue and we are investigating it. No news yet.

    Thanks,

      Microsoft ATA Team.

    Monday, May 16, 2016 8:58 PM
  • BTW, if you are willing to help us in this investigation, please contact us at ATAEval (at Microsoft.com) as we may want to make sure we understand your specific scenario.
    Monday, May 16, 2016 9:24 PM
  • Has there been any news on this?
    Monday, August 29, 2016 11:58 AM
  • Hi,

    Those issues should be resolved in the upcoming ATA v1.7 (very soon).

    Thanks,

      Microsoft ATA team.

    Monday, August 29, 2016 1:01 PM
  • Thanks for the quick reply.
    Monday, August 29, 2016 6:54 PM
  • We upgraded to 1.7 last week and the issue still seems to be in play.  For us the issue seems to be a legit problem with Bentley Projectwise attempting to connect from clients to the PW server using Kerberos first, but then falling back to NTLM after a failed Kerberos negotiation.  The Bentley folks gave us some basic info on configuring Kerberos but it appears to be wrong as we're still falling back to NTLM (did a bunch of packet caps to confirm).  Hopefully we can get them to figure out the real solution soon and we can clear our console of over 4K alerts...
    Monday, September 12, 2016 9:11 PM
  • Hi, 

    Could you please help me with this?

    Send me the configuration you got to try.

    Thanks

    Wednesday, May 10, 2017 8:15 AM
  • We just started using ATA and have the same issue with Projectwise clients. Did you ever resolve this? 

    Sunday, June 11, 2017 11:57 AM
  • Hi Chris,

    There is still an outstanding issue with ATA and Projectwise that may cause Forged-Pac alerts. This issue is going to be resolved in the upcoming v1.8 that is scheduled to release very soon.

    (I am aware that this may sound similar to the above statement ;-) )

    Microsoft ATA Team.

    Sunday, June 11, 2017 12:08 PM
  • Hi,

    Just want to inform you that we are experiencing the same problems. Projectwise is overloading the ATA Center console. Waiting for 1.8, hopefully soon!

    /T-Bone


    Mr Tbone

    Friday, June 16, 2017 12:10 PM
  • Hi,

    Just to let you know that we're getting 'em also - but only about 1 a week or so.

    gc

    Friday, June 23, 2017 4:58 PM