Log Collection and NTLMSSP

Overview 

  • Enabling NTLMSSP on Windows Servers requires uncommenting the line event.readers.usentlmssp=true in the agentless.prop file of the Windows Retriever, as shown below:
    # MISCELLANEOUS OPTION SETTINGS 
    #------------------------------------------ 
    # Windows2008r2 requires the use of NTLMSSP, to enable ntlmssp support uncomment the following line 
    #------------------------------------------ 
    #event.readers.usentlmssp=true
  • This article answers the query: Will removing the comment indicated above have an impact on log collection from NTLM V1 or NTLM V2 Windows Servers?

  • Note: NTLMSSP (NT LAN Manager (NTLM) Security Support Provider) is a binary messaging protocol used by the Microsoft Security Support Provider Interface (SSPI) to facilitate NTLM challenge-response authentication and to negotiate integrity and confidentiality options.

Environment

Sensage AP all versions

Requirement

Access to Sensage AP Cluster Environment

Information 

  • Uncommenting the event.readers.usentlmssp=true setting in the Windows Retriever agentless.prop file allows NTLMSSP authentication in addition to the standard ones.
  • Regular NTLMv1 and NTLMv2 authentication will not be affected by enabling this option, so it is safe to enable it on all servers.
  • Important Note: If you are unsure about securely performing the steps mentioned in this article, always make a backup before making any changes or reach out to support for more help.


Confirmation

Follow these steps to confirm: 

  1. Uncomment event.readers.usentlmssp=true in the file agentless.prop.
  2. Restart Log Collector.
  3. Validate that all old and new Windows Retrievers are working as expected.
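
Step 1 together with the backup advice above can be scripted as follows. This is an added example, not Sensage tooling: it assumes a POSIX shell on the host that holds agentless.prop, takes the file path as an argument because the article does not give its location, and leaves the Log Collector restart to your usual procedure.

```shell
#!/bin/sh
# Added example. The property name comes from the article; file locations are assumptions.
KEY_RE='event\.readers\.usentlmssp'

# Report whether the setting is active, commented out, or absent in file $1.
ntlmssp_state() {
    if grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*true[[:space:]]*\$" "$1"; then
        echo active
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${KEY_RE}[[:space:]]*=" "$1"; then
        echo commented
    else
        echo absent
    fi
}

# Back up file $1, then uncomment the setting. Idempotent: an already active
# file is left untouched, and a file without the line is never edited.
enable_ntlmssp() {
    prop=$1
    [ -f "$prop" ] || { echo "not found: $prop" >&2; return 2; }
    case $(ntlmssp_state "$prop") in
        active) return 0 ;;
        absent) echo "setting not present in $prop, not editing" >&2; return 1 ;;
    esac
    bak="$prop.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$prop" "$bak" || return 2
    # Rewrite in place from the backup so ownership and mode are preserved;
    # only the '#' in front of the property is removed.
    sed "s/^[[:space:]]*#[[:space:]]*\(${KEY_RE}[[:space:]]*=.*\)\$/\1/" "$bak" > "$prop" || return 2
    [ "$(ntlmssp_state "$prop")" = active ]
}

# Demo on a constructed copy of the section shown in the article.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# MISCELLANEOUS OPTION SETTINGS
#------------------------------------------
# Windows2008r2 requires the use of NTLMSSP, to enable ntlmssp support uncomment the following line
#------------------------------------------
#event.readers.usentlmssp=true
EOF
echo "before: $(ntlmssp_state "$demo")"
enable_ntlmssp "$demo" && echo "after: $(ntlmssp_state "$demo")"
rm -f "$demo" "$demo".bak.*
```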
