SOTI MobiControl Kerberos request

Solved

Hi all,

We're using SOTI MobiControl (On-Premise) and saw some warnings in our Microsoft Defender for Identity portal.

SOTI MC is doing Kerberos requests against our Domain Controllers using the Device IDs of our Zebra devices:

This is happening every 2 hours when the device agent does a check-in.

Is this a configuration issue or normal behavior? Is there anything we can do in order to stop this?

Best regards,

Patrick

3 years ago
SOTI MobiControl
ANSWERS
DJMOD@SOTI Bronze Contributor
3 years ago

Hi Patrick,

Thanks for requesting a response from SOTI Support Staff,

When you are not actively managing your devices, it is still important that you can continue to gather information about them and their activities. SOTI MobiControl provides a glut of passive and active monitoring options for your devices.

Windows Defender Advanced Threat Protection (ATP) improves upon security features already present in Windows 10. It provides administrators with features designed to investigate and respond to attacks on their networks. You can integrate Windows Defender ATP with SOTI MobiControl to track attacks on your devices and take the appropriate actions. See Microsoft's documentation on Windows Defender ATP for specific details about its capabilities.

The link that provides information on how to remove Windows Defender ATP Tracking from Your Devices is here

Thomas G.
3 years ago

Hi,

Have a look here, it solved the issue on our DS server. I think a reboot was necessary.
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

Solution
Patrick I.
3 years ago

Hi Thomas,
Thanks for the reply. I'll give it a try.

Patrick I.
3 years ago

Hi Thomas,
No more alerts so far after creating the registry key and restarting the server. Thanks a lot!

Patrick I.
3 years ago

Hi SOTI Support Staff,
I think you misunderstood my request.
I was not asking about implementing or deploying Microsoft Defender.

We are using Microsoft Defender for Identity and alerts are being raised for the SOTI service user running the SOTI MC services due to suspicious Kerberos activity.

Every time a device checks in, it's trying to do some Kerberos authentication against our DCs using the device ID of the device checking in. In the Event Viewer Security log, an Audit Failure is being logged:

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:        <SOTI MC SERVER>$
    Account Domain:        <OUR DOMAIN>
    Logon ID:        0x3E7

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        
    Account Domain:        

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xC000006D
    Sub Status:        0xC0000064

Process Information:
    Caller Process ID:    0x2e0
    Caller Process Name:    C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:    <SOTI MC Server>
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Schannel
    Authentication Package:    Kerberos
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0
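
Added example, not part of the original thread and not SOTI or Microsoft code: Python that parses the rendered 4625 text above and pulls out the fields that mark it as a failure raised locally through Schannel rather than a logon attempt from a remote host. The sample is an abridged copy of the event with the post's placeholders kept; the function names and the triage rule are assumptions of this example.

```python
# Constructed sample: abridged copy of the 4625 text from the post, placeholders kept.
SAMPLE = r"""An account failed to log on.
Subject:
    Account Name:        <SOTI MC SERVER>$
Logon Type:            3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
Failure Information:
    Status:            0xC000006D
    Sub Status:        0xC0000064
Network Information:
    Source Network Address:    -
Detailed Authentication Information:
    Logon Process:        Schannel
    Authentication Package:    Kerberos
"""

# Documented NTSTATUS codes that appear in the event.
NTSTATUS = {"0xc000006d": "STATUS_LOGON_FAILURE", "0xc0000064": "STATUS_NO_SUCH_USER"}

def parse_4625(text):
    """Parse the rendered message into {section: {field: value}} plus top-level fields."""
    event, section = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line or the headline sentence
        value = value.strip()
        if line[:1].isspace() and section:
            event[section][key] = value        # indented: field of the open section
        elif value:
            event[key], section = value, None  # top-level field, e.g. "Logon Type: 3"
        else:
            section = key                      # section header, e.g. "Subject:"
            event[section] = {}
    return event

def triage(event):
    """Triage rule (assumption of this example): all four flags set means a local TLS-stack failure."""
    def field(section, name):
        return event.get(section, {}).get(name, "")
    flags = {
        "via_schannel": field("Detailed Authentication Information", "Logon Process") == "Schannel",
        "machine_subject": field("Subject", "Account Name").endswith("$"),
        "no_remote_source": field("Network Information", "Source Network Address") == "-",
        "target_account_empty": field("Account For Which Logon Failed", "Account Name") == "",
    }
    sub = NTSTATUS.get(field("Failure Information", "Sub Status").lower(), "unknown")
    return {**flags, "sub_status": sub, "local_tls_failure": all(flags.values())}
```
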

DJMOD@SOTI Bronze Contributor
3 years ago

Hi Patrick,

Thanks for clarifying the issue. Thank you very much Thomas for providing the solution.

We tested the solution provided by Thomas on our test server and it resolved the issue. Patrick, could you please let us know how the provided solution works on your instance? If it resolves the issue, could you please mark the post as resolved? It will help many customers who are looking for a solution to a similar issue.