IPAM could not collect login event from Windows Server 2016 NPSs

  • Question

  • Hi,

    We have one IPAM server (installed on Windows Server 2016) in my network. We have 4 NPS servers: two of them are Windows Server 2012R2 and the other two are Windows Server 2016. The IPAM server could collect login events from the Windows Server 2012R2 NPS, but could not collect them from Windows Server 2016. As you know, Windows Server 2016 NPS does not support Network Access Protection, so there is no event 6278 in Microsoft Windows security auditing. I wonder if IPAM is looking for event 6278.

    I want to know which event ID is checked by IPAM. Could somebody give me this information? I think the event ID that is checked is no longer available in Windows Server 2016.

    Any idea?

    Thanks in advance

    Emin
    • Edited by Darth Vader Saturday, October 6, 2018 7:42 AM
    Friday, October 5, 2018 11:45 AM

All replies

  • I am sorry for my English first.

    Finally, I realized why the IPAM server could not read the event logs from the Windows Server 2016 NPS.

    First I had to find out how the IPAM server obtained the event logs and how it handled the data. For this, I decompiled the IpamServer.dll library and found that the CollectIPAuditInfo function in the ServerRoleNPS class is responsible for reading and processing event logs from NPS servers. In this function, there is a statement in which parameter 13 of event ID 6272 is tested. In this line, the 13th parameter is compared with the "Wireless - IEEE 802.11" string. If the value of this parameter is not equal to this string, the IPAM function does not consider the event a "Wireless 802.11" type record.

    I wrote a similar log collection program to see which value comes with parameter 13. I ran it against the Windows Server 2012R2 and Windows Server 2016 NPS servers.

    My results are as follows:

    1. In fact, the event logs of the Windows Server 2016 NPS are successfully collected by IPAM, but IPAM misjudges them and throws them away.

    2. The 13th parameter from the Windows Server 2012R2 server is named "NAS Port-Type" and its value is "Wireless - IEEE 802.11". The value is what the IPAM function expects. However, the 13th parameter from the Windows Server 2016 event record is named "NAS Port" and its value is a number. This is why the IPAM function does not consider this event record a valid "Wireless - IEEE 802.11" record.

    3. When we look at the records from the Windows Server 2016 server, we see that "NAS Port-Type" is in parameter 12. The reason for this is that the OS-Version parameter, which is present in the Windows Server 2012R2 event records, is not included in the Windows Server 2016 event log record.

    4. Also, in our network, NPS servers are used for both wireless and wired devices. For wired devices, the "NAS Port-Type" value in the event records is "Ethernet", not "Wireless - IEEE 802.11". Therefore IPAM does not consider them valid records, because the IPAM function only checks for the "Wireless - IEEE 802.11" string in the "NAS Port-Type" parameter.

    As a result, if I am not mistaken, there are both a functional and a logic error in the IPAM software. The IPAM software should be tested on Windows Server 2016 NPS and the errors should be corrected. It should also be noted that the NPS service is used for both wired and wireless purposes; the IPAM software should support the other uses of NPS.

    Thanks

    Emin

    The decompiled code block that is responsible for the NPS event log:

    public void CollectIPAuditInfo()
    {
        string serverFullyQualifiedName = base.ParentServer.GetServerFullyQualifiedName();
        ServerRoleEN serverRoleFlag = base.ServerRoleFlag;
        IpamEventProvider.EventWritePerfCollectIPAuditInfoApiStart(serverFullyQualifiedName, serverRoleFlag.ToString());
        EventBookmark bookmark = null;
        EventBookmark eventBookmark = null;
        List<IPAuditRecord> pAuditRecords = new List<IPAuditRecord>();
        IpamEventProvider.EventWriteDataCollectionStartIPAudit(CommonUtilities.GetStringFromApiCultureResources("EventType_Authentication"), CommonUtilities.GetStringFromApiCultureResources("ServerType_NPS"), base.ParentServer.GetServerFullyQualifiedName());
        IpamTracing.TraceInformation(string.Concat("ServerRoleNPS-CollectIPAuditInfo initated on Server ", base.ParentServer.GetServerFullyQualifiedName()));
        try
        {
            // Only event 6272 (NPS granted access) from the Security log is queried.
            EventLogSession eventLogSession = new EventLogSession(base.ParentServer.GetServerFullyQualifiedName());
            EventLogQuery eventLogQuery = new EventLogQuery("Security", PathType.LogName, "*[System/EventID='6272'and System/Provider[@Name='Microsoft-Windows-Security-Auditing']]")
            {
                Session = eventLogSession
            };
            base.GetEvtBookmarkFromDatabase(BookmarkType.IPAudit, ref bookmark, ref eventBookmark);
            EventLogReader eventLogReader = new EventLogReader(eventLogQuery, eventBookmark);
            EventRecord eventRecord = eventLogReader.ReadEvent();
            if (bookmark != null)
            {
                if (eventRecord == null)
                {
                    IpamEventProvider.EventWriteAuditBookmarkMissingIPAudit(CommonUtilities.GetStringFromApiCultureResources("EventType_Authentication"), CommonUtilities.GetStringFromApiCultureResources("ServerType_NPS"), base.ParentServer.GetServerFullyQualifiedName());
                }
                else if (!Audit.CompareEvtBookmarkEquality(eventRecord.Bookmark, bookmark))
                {
                    IpamEventProvider.EventWriteAuditBookmarkMissingIPAudit(CommonUtilities.GetStringFromApiCultureResources("EventType_Authentication"), CommonUtilities.GetStringFromApiCultureResources("ServerType_NPS"), base.ParentServer.GetServerFullyQualifiedName());
                }
                else
                {
                    eventRecord = eventLogReader.ReadEvent();
                }
            }
            while (eventRecord != null)
            {
                try
                {
                    try
                    {
                        // Fields are read by fixed position: 1 = user name, 2 = domain,
                        // 9 = calling station ID, 13 = NAS Port-Type (on 2012R2 only;
                        // on 2016 position 13 holds NAS Port because OS-Version is absent).
                        string str = eventRecord.Properties[1].Value.ToString().Trim();
                        string str1 = eventRecord.Properties[2].Value.ToString().Trim();
                        string str2 = eventRecord.Properties[9].Value.ToString().Trim();
                        string str3 = eventRecord.Properties[13].Value.ToString().Trim();
                        if (string.Compare(str, "-", StringComparison.OrdinalIgnoreCase) == 0)
                        {
                            eventBookmark = bookmark;
                            bookmark = eventRecord.Bookmark;
                            eventRecord = eventLogReader.ReadEvent();
                            IpamEventProvider.EventWriteDebugInfoEvent("Ignoring NPS event, as there is no user name field");
                            continue;
                        }
                        // The check that drops every non-wireless (and every 2016) record.
                        else if (string.Compare(str3, "Wireless - IEEE 802.11", StringComparison.OrdinalIgnoreCase) == 0)
                        {
                            IPAuditRecord pAuditRecord = new IPAuditRecord()
                            {
                                EventType = IPAuditEventType.NPSAuthentication,
                                ClientId = str2.Replace(".", string.Empty),
                                SourceServerName = base.ParentServer.GetServerFullyQualifiedName(),
                                ServerType = ServerAuditType.Nps
                            };
                            TimeZone currentTimeZone = TimeZone.CurrentTimeZone;
                            DateTime? timeCreated = eventRecord.TimeCreated;
                            pAuditRecord.TimeOfEvent = new DateTime?(currentTimeZone.ToUniversalTime(timeCreated.GetValueOrDefault()));
                            int num = 0;
                            int num1 = str.IndexOf('@');
                            num = num1;
                            if (num1 != -1)
                            {
                                pAuditRecord.UserName = str.Substring(0, num);
                                pAuditRecord.DomainName = str.Substring(num + 1);
                                pAuditRecord.ForestName = DomainForestMapCache.GetForestNameForUserAlias(str, pAuditRecord.DomainName);
                            }
                            else
                            {
                                pAuditRecord.UserName = str;
                                pAuditRecord.DomainName = str1;
                                pAuditRecord.ForestName = DomainForestMapCache.GetForestNameForUserDomainFQDN(str1);
                            }
                            pAuditRecords.Add(pAuditRecord);
                            eventBookmark = bookmark;
                            bookmark = eventRecord.Bookmark;
                            if (pAuditRecords.Count >= 250)
                            {
                                string bookmarkFromEventLogInfo = Audit.GetBookmarkFromEventLogInfo(bookmark, eventBookmark);
                                IPAuditRecord.AddIPAuditRecordsAndUpdateBookmark(pAuditRecords, this, BookmarkType.IPAudit, bookmarkFromEventLogInfo);
                                pAuditRecords.Clear();
                            }
                        }
                        else
                        {
                            eventBookmark = bookmark;
                            bookmark = eventRecord.Bookmark;
                            eventRecord = eventLogReader.ReadEvent();
                            IpamEventProvider.EventWriteDebugInfoEvent("Ignoring NPS event, as it is not a 802.11 authentication");
                            continue;
                        }
                    }
                    catch (Exception exception1)
                    {
                        Exception exception = exception1;
                        IpamTracing.TraceError("Error occurred while adding IP Audit Records {0}", new object[] { exception.ToString() });
                    }
                }
                finally
                {
                    eventRecord = eventLogReader.ReadEvent();
                }
            }
            string bookmarkFromEventLogInfo1 = Audit.GetBookmarkFromEventLogInfo(bookmark, eventBookmark);
            IPAuditRecord.AddIPAuditRecordsAndUpdateBookmark(pAuditRecords, this, BookmarkType.IPAudit, bookmarkFromEventLogInfo1);
            IpamEventProvider.EventWriteDataCollectionSuccessIPAudit(CommonUtilities.GetStringFromApiCultureResources("EventType_Authentication"), CommonUtilities.GetStringFromApiCultureResources("ServerType_NPS"), base.ParentServer.GetServerFullyQualifiedName());
            string serverFullyQualifiedName1 = base.ParentServer.GetServerFullyQualifiedName();
            serverRoleFlag = base.ServerRoleFlag;
            IpamEventProvider.EventWritePerfCollectIPAuditInfoApiEnd(serverFullyQualifiedName1, serverRoleFlag.ToString());
            IpamTracing.TraceInformation(string.Concat("ServerRoleNPS-CollectIPAuditInfo initated on Server ", base.ParentServer.GetServerFullyQualifiedName()));
        }
        catch (Exception exception3)
        {
            Exception exception2 = exception3;
            string serverFullyQualifiedName2 = base.ParentServer.GetServerFullyQualifiedName();
            serverRoleFlag = base.ServerRoleFlag;
            IpamEventProvider.EventWritePerfCollectIPAuditInfoApiEnd(serverFullyQualifiedName2, serverRoleFlag.ToString());
            IpamEventProvider.EventWriteDataCollectionErrorIPAudit(CommonUtilities.GetStringFromApiCultureResources("EventType_Authentication"), CommonUtilities.GetStringFromApiCultureResources("ServerType_NPS"), base.ParentServer.GetServerFullyQualifiedName(), exception2.Message);
            throw CommonUtilities.WrapOuterException(exception2, IpamExceptionId.IpamApiFailedToCollectNpsIPAuditInfo);
        }
    }

    Sunday, October 7, 2018 12:52 PM
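As an added illustration (not IPAM's code and not from the post above), a small Python model of the positional-index problem the reply describes, using constructed 6272 event data: the field names are an assumption about the 6272 EventData layout, the order reproduces what the post reports (OS-Version present on 2012R2, absent on 2016), and the name-based lookup shows the robust alternative to reading Properties[13].

```python
import xml.etree.ElementTree as ET

WIRELESS = "Wireless - IEEE 802.11"
IPAM_INDEX = 13  # fixed Properties index tested by the decompiled CollectIPAuditInfo


def build_event(include_os_version, port_type):
    """Constructed <EventData> for one 6272 event. Field names are an assumption
    about the 6272 layout; their order reproduces the post's observation
    (user at 1, domain at 2, calling station at 9, NAS Port-Type at 13 on 2012R2)."""
    fields = [("SubjectUserSid", "S-1-5-21-1-2-3-1001"), ("SubjectUserName", "alice"),
              ("SubjectDomainName", "CORP"), ("FullyQualifiedSubjectUserName", "CORP\\alice"),
              ("SubjectMachineSID", "-"), ("SubjectMachineName", "-"),
              ("FullyQualifiedSubjectMachineName", "-")]
    if include_os_version:                          # present on 2012R2, absent on 2016
        fields.append(("MachineInventory", "-"))    # rendered as "OS-Version" in the message
    fields += [("CalledStationID", "00-11-22-33-44-55:corp-wifi"),
               ("CallingStationID", "AA-BB-CC-DD-EE-FF"), ("NASIPv4Address", "10.0.0.5"),
               ("NASIPv6Address", "-"), ("NASIdentifier", "ap-01"),
               ("NASPortType", port_type), ("NASPort", "7")]
    data = "".join('<Data Name="%s">%s</Data>' % f for f in fields)
    return "<Event><EventData>%s</EventData></Event>" % data


def properties(event_xml):
    """Positional view of EventData, i.e. what EventRecord.Properties exposes."""
    return [d.text or "" for d in ET.fromstring(event_xml).iter("Data")]


def ipam_accepts(event_xml):
    """Mirror the decompiled check: Properties[13] must equal the wireless string."""
    return properties(event_xml)[IPAM_INDEX].strip().lower() == WIRELESS.lower()


def by_name(event_xml):
    """Name-based view of EventData: immune to a field being added or dropped."""
    return {d.get("Name"): (d.text or "").strip()
            for d in ET.fromstring(event_xml).iter("Data")}


def nas_port_type(event_xml):
    """Robust lookup of NAS Port-Type regardless of OS version or port type."""
    return by_name(event_xml).get("NASPortType", "")
```

On the 2016-shaped event, position 13 holds the numeric NAS Port and position 12 holds the port type, exactly as the post reports, while `nas_port_type` returns the right value for both layouts and for Ethernet records.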