FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
markdr_FTNT (Staff)
Article Id 195014

Description

This article describes why, when selecting 'Show Logon Users' in the Collector Agent, some users may have the status 'Not Verified'.

It explains the meaning of this status and lists the most common causes.

Scope

FSSO Collector Agent


Solution


While the Collector Agent receives logon events for users from the DC agents, Windows does not generate logoff events.
As such, the Collector Agent needs to verify that the user is still logged in, either by remote registry checking or by WMI (the default). collectoragent.exe (FSSO) sends traffic to the user's IP address on ports 139, 445 and 389 to verify that the workstation is online; the WMI method additionally needs TCP 135 (RPC endpoint mapper) and the dynamic RPC port range that DCOM negotiates after the initial connection.

 

  • WMI (default method): By default, all currently supported versions of the FSSO Collector Agent use WMI (Windows Management Instrumentation) to verify whether a user is still logged in on the remote workstation. If the Collector Agent cannot connect for any reason, the host status is set to 'Not Verified' and a log entry is added to the Collector Agent logs. The user is then automatically removed from the FSSO user list once the Dead entry timeout interval is reached.
    There are a few things that can prevent the Collector Agent from connecting to the user's workstation. The most common causes are:
    • Windows Firewall on the user's workstation blocks remote access on ports 135 or 445. Try enabling WMI connections on the host firewall.
    • A network firewall is blocking ports 445 or 135 (or the dynamic RPC port range used by DCOM) between the Collector Agent and the user's workstation.
    • The user account used to start the FSSO Collector Agent service does not have sufficient permissions to execute WMI queries on the user's workstation.
    • The user's workstation returns an RPC error when the WMI query is performed. This is typically due to an issue on the workstation itself (insufficient RAM, the RPC or Winmgmt service is stopped, etc.).
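To make the host-firewall step above concrete, the following is an added PowerShell example (not from this article or from Fortinet). It enables the built-in 'Windows Management Instrumentation (WMI)' inbound rule group on the workstation, which covers TCP 135 (DCOM-In) and the dynamic RPC range (WMI-In), and limits it to the Domain profile so WMI is not exposed on Public or Private networks. The collector address 10.212.0.10 in the commented line is an assumption; run the script from an elevated prompt on the workstation or deploy it through a startup script.

```powershell
# Added example (not from the original article): allow inbound WMI/DCOM on a workstation's
# Windows Defender Firewall so the FSSO Collector Agent can complete its workstation check.
# Requires the NetSecurity module (Windows 8/Server 2012 and later) and an elevated prompt.
$group = 'Windows Management Instrumentation (WMI)'

# Show the current state of the built-in inbound WMI rules before changing anything.
# Expect three rules: DCOM-In (TCP 135), WMI-In (dynamic RPC range), ASync-In.
Get-NetFirewallRule -DisplayGroup $group |
    Where-Object Direction -eq 'Inbound' |
    Select-Object DisplayName, Enabled, Profile

# Enable the inbound rules and scope them to the Domain profile only. The Collector Agent
# sits on the corporate network, so there is no reason to expose WMI on other profiles.
Get-NetFirewallRule -DisplayGroup $group |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -Enabled True -Profile Domain

# Optional tightening (assumption: the Collector Agent's address is 10.212.0.10):
# allow only the collector host to reach WMI rather than every host on the network.
# Get-NetFirewallRule -DisplayGroup $group |
#     Where-Object Direction -eq 'Inbound' |
#     Set-NetFirewallRule -RemoteAddress 10.212.0.10

# Equivalent netsh command for hosts without the NetSecurity module:
# netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
```

Enabling the rule group rather than opening port 135 by hand matters because the WMI query itself is carried on a dynamic RPC port after the endpoint-mapper exchange on 135; the WMI-In rule is keyed to the WMI service rather than to a fixed port, so it follows that negotiated port.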

Example of correct WMI operation:

To check that WMI is working as desired from the server where the FSSO Collector Agent is installed, start a command prompt under the domain account that runs the FSSO Collector Agent service and execute the command below.
It should return the username of the user currently logged on to the remote workstation:

 

#wmic /NODE:<WORKSTATION_HOSTNAME_OR_IP> COMPUTERSYSTEM GET USERNAME

 

Example:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
UserName
OS\boris.pozdena

It is also possible to list all IP addresses assigned to the remote workstation with the command below, which is useful when the address learned from the logon event no longer matches the workstation:
 
#wmic /NODE:<WORKSTATION_HOSTNAME_OR_IP> NICCONFIG GET IPADDRESS,SERVICENAME
 

Example:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 NICCONFIG GET IPADDRESS,SERVICENAME
IPAddress                                         ServiceName
                                                  kdnic
{"10.212.0.100"}                                  netkvm
{"169.254.90.227", "fe80::15db:2dee:7774:5ae3"}   netkvm
{"169.254.237.196", "fe80::9587:3361:5c30:edc4"}  netkvm
{"169.254.50.184", "fe80::104d:8984:167b:32b8"}   netkvm

In this output only 10.212.0.100 is a routable address. The 169.254.x.x entries are APIPA (link-local) addresses on adapters that never obtained a DHCP lease; a workstation whose only addresses are of that kind cannot be verified.

Examples of common issues:


  • Access denied: If the error message 'Access is denied.' is shown, the account running the query does not have permission to perform WMI queries on the remote workstation.
    To resolve the problem, ensure the FSSO service account is a member of the local 'Administrators' group on the remote workstation (typically by adding a domain group to local Administrators through Group Policy). Note that this gives the service account administrative rights on every workstation, so protect it accordingly: a long random password, no interactive logon rights, and no reuse for other services.

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
UserName
OS\boris.pozdena

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
Node - 10.212.0.100
ERROR:
Description = Access is denied.

 

  • Server execution failed:
    If the WMI query runs slowly and ends with the error 'Server execution failed', the WMI service on the remote workstation is most likely not running.
    To resolve the problem, ensure that the 'Windows Management Instrumentation' (Winmgmt) service is in the running state on the remote workstation.

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
Node - 10.212.0.100
ERROR:
Description = Server execution failed

 

  • RPC server unavailable: If the error message 'The RPC server is unavailable.' is shown, there is a network connectivity problem or a problem with the workstation itself.

To resolve the issue, ensure that:

  • The FSSO Collector Agent has network reachability to the remote workstation.
  • Windows Firewall on the user's workstation is configured to allow WMI connections (disabling the firewall entirely also works, but opening the WMI rule group is preferable).
  • The internal segmentation firewall allows TCP connections from the Collector Agent to the remote workstation on ports 135 and 445, as well as the dynamic RPC port range used by DCOM.
  • The workstation is capable of answering WMI queries to itself. To test this, execute 'WMIC COMPUTERSYSTEM GET USERNAME' on the affected workstation while logged in as an administrator.

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
Node - 10.212.0.100
ERROR:
Description = The RPC server is unavailable.

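As an added example (not part of the original article), the following PowerShell function reproduces the WMI workstation check from the collector host and maps the three error strings shown above to the causes listed, so a 'Not Verified' entry can be diagnosed in one step. It assumes Windows PowerShell 5.1 or later with the CimCmdlets module, uses DCOM explicitly (the same protocol path as wmic), and takes the workstation address 10.212.0.100 from the examples above; run it under the FSSO service account so the result reflects that account's permissions.

```powershell
# Added example, not from the original article: reproduce the Collector Agent's WMI
# workstation check and classify the failure. Run under the FSSO service account.
function Test-FssoWmiCheck {
    param(
        [Parameter(Mandatory)] [string] $Workstation,
        [int] $TimeoutSeconds = 10
    )
    $result = [ordered]@{
        Workstation  = $Workstation
        Port135      = $false   # RPC endpoint mapper: required for DCOM/WMI
        Port445      = $false   # SMB: required for the remote registry method
        LoggedOnUser = $null
        Status       = 'Not Verified'
        Diagnosis    = $null
    }

    # Step 1: raw TCP reachability on the ports the collector needs. A closed 135
    # distinguishes "firewall/offline" from "RPC reachable but WMI broken" below.
    foreach ($port in 135, 445) {
        $tcp = [System.Net.Sockets.TcpClient]::new()
        try {
            $ok = $tcp.ConnectAsync($Workstation, $port).Wait($TimeoutSeconds * 1000)
            $result["Port$port"] = $ok -and $tcp.Connected
        } catch {
            $result["Port$port"] = $false
        } finally {
            $tcp.Dispose()
        }
    }

    # Step 2: the same query the article runs with wmic (Win32_ComputerSystem.UserName),
    # over DCOM so the error text matches what wmic prints.
    $session = $null
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Workstation -SessionOption $opt `
                                  -OperationTimeoutSec $TimeoutSeconds -ErrorAction Stop
        $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop
        $result.LoggedOnUser = $cs.UserName
        $result.Status = if ($cs.UserName) { 'Verified' } else { 'No interactive user logged on' }
    } catch {
        $msg = $_.Exception.Message
        $result.Diagnosis = switch -Regex ($msg) {
            'Access is denied' {
                'Service account lacks WMI/DCOM rights on the workstation (not in local Administrators)'
            }
            'RPC server is unavailable' {
                if (-not $result.Port135) { 'TCP 135 blocked by host/network firewall, or workstation offline' }
                else { 'TCP 135 open but dynamic RPC ports blocked, or RPC broken on the workstation' }
            }
            'Server execution failed' {
                'Winmgmt service not running (or WMI repository damaged) on the workstation'
            }
            default { "Unclassified: $msg" }
        }
    } finally {
        if ($session) { Remove-CimSession $session }
    }
    [pscustomobject]$result
}

# Usage (assumed address from the article's examples):
Test-FssoWmiCheck -Workstation 10.212.0.100 | Format-List
```

The port probe and the CIM query are deliberately separate: the Collector Agent log only tells you that the check failed, while the combination of Port135 and the COM error message tells you which of the listed causes applies.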
 

  • Remote Registry (old method): On all currently supported versions of the FSSO Collector Agent, this method is used only when the WMI workstation check is disabled under Collector Agent -> Advanced Settings -> General tab -> Workstation Check.
    If the Collector Agent cannot connect to the host on ports 139 and 445 to perform this check, the host status is set to 'Not Verified' and a log entry is added to the Collector Agent logs:

 

name_ip_match: failed to connect to workstation

or

wksta_check: failed to connect to workstation:

 

There are a few things that can prevent the Collector Agent from connecting to the user's workstation. The most common causes are:

  • Most commonly, a host firewall on the user's workstation blocks remote access on ports 139 and/or 445. Open these ports on the host firewall (the built-in 'File and Printer Sharing' rule group covers both); disabling the firewall altogether also works but is not recommended.
  • A network firewall is blocking ports 139 and 445 between the Collector Agent and the user's workstation.
  • If the Remote Registry service is not running on the user's workstation, the Collector Agent cannot connect to the registry remotely. Make sure the Remote Registry service is running (on client editions of Windows it is set to Manual or Disabled by default).
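The following is an added PowerShell example (not from this article) that tests the three dependencies of the Remote Registry method from the collector host: TCP 139/445 reachability, the state of the Remote Registry service, and an actual remote registry open over the winreg named pipe. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), an account with rights to read the workstation's registry, and the workstation address 10.212.0.100 from the examples above.

```powershell
# Added example, not from the original article: verify the pieces the Remote Registry
# workstation check depends on. Run on the collector host under the FSSO service account.
function Test-FssoRemoteRegistryCheck {
    param(
        [Parameter(Mandatory)] [string] $Workstation,
        [int] $TimeoutSeconds = 5
    )
    $r = [ordered]@{
        Workstation       = $Workstation
        Port139           = $false
        Port445           = $false
        RemoteRegistrySvc = 'unknown'
        RegistryRead      = $false
        Diagnosis         = $null
    }

    # TCP reachability on the two ports the Collector Agent uses for this method.
    foreach ($port in 139, 445) {
        $tcp = [System.Net.Sockets.TcpClient]::new()
        try {
            $r["Port$port"] = $tcp.ConnectAsync($Workstation, $port).Wait($TimeoutSeconds * 1000) -and $tcp.Connected
        } catch {
            $r["Port$port"] = $false
        } finally {
            $tcp.Dispose()
        }
    }

    # Service state via the remote Service Control Manager (SMB named pipe, same transport).
    try {
        $svc = Get-Service -ComputerName $Workstation -Name RemoteRegistry -ErrorAction Stop
        $r.RemoteRegistrySvc = $svc.Status.ToString()
    } catch {
        $r.Diagnosis = "SCM query failed: $($_.Exception.Message)"
    }

    # The real test: open HKLM remotely through the winreg pipe and read a harmless value.
    # The exact key the Collector Agent reads is not documented in the article, so any
    # readable key proves the path works.
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Workstation)
        $key  = $base.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $r.RegistryRead = [bool]$key.GetValue('ProductName')
        $key.Close(); $base.Close()
    } catch {
        $m = $_.Exception.Message
        $r.Diagnosis = switch -Regex ($m) {
            'network path was not found' {
                'Remote Registry service stopped, or TCP 139/445 blocked (compare Port139/Port445)'
            }
            'Access is denied|unauthorized operation' {
                'Account lacks rights on the winreg key (see the SecurePipeServers\winreg permission step below)'
            }
            default { "Unclassified: $m" }
        }
    }
    [pscustomobject]$r
}

# Usage (assumed address from the article's examples):
Test-FssoRemoteRegistryCheck -Workstation 10.212.0.100 | Format-List
```

If RemoteRegistrySvc reports Stopped while both ports are open, the fix is on the workstation (start the service and set it to Automatic); if the ports are closed, the fix is in a firewall, not on the workstation.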


  • It may also be caused by a Microsoft upgrade issue (see http://support.microsoft.com/kb/892192). Using Regedit, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers, and on the winreg key grant Local Service Read and Write permissions.

    If the following error appears in the Collector Agent logs:

wksta_check: workstation has no valid ip address

  • The check was performed using the Remote Registry service, not WMI (this can happen when the WMI workstation verify interval is disabled on the Collector Agent).
  • The workstation can be reached through Remote Registry but is unable to complete WMI-based checks.
  • Verify the WMI and OS versions on the workstation, or disable the WMI check on the Collector Agent:
    • If using polling mode, switch from WinSecWMI to WinSec.
    • Go to Advanced Settings -> General -> Workstation Check, and uncheck the option 'Use WMI to check user logoff'.
