
lsass making Kerberos requests to KDC on every sensor query?

Votes:

0

In our deployment of PRTG (13.3.5.2871 x64 on Windows Server 2012 R2), we use an AD-authenticated user to query WMI sensors. This causes pretty high lsass.exe CPU usage on the probe machines, but more concerning is that it generates several thousand requests/sec to our domain controller. Watching a netmon/message analyzer trace, there is a pattern that happens on every sensor query:

KRB_AS_REQ [with PA-PAC-REQUEST]
KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required
KRB_AS_REQ [with PA-ENC-TIMESTAMP, PA-PAC-REQUEST]
KRB_AS_REP, Ticket {Realm: <domain>, Sname: krbtgt/<domain>}
KRB_TGS_REQ
KRB_TGS_REP

Is there a reason why a ticket request is made every time? Can the kerb ticket be cached and reused?

active-directory kerberos wmi

Created on Feb 4, 2014 5:14:20 AM



3 Replies

Votes:

0

You can enable the "Do not require Kerberos preauthentication" option for that user account in AD Users & Computers -> properties -> account.

Also, if the servers are 2003 DCs then you may also want to check out this option:

http://social.technet.microsoft.com/Forums/en-US/4db3bb1a-5cdf-4874-b58f-f3cbba0ea80a/eventid-675-failure-code-0x19-windows-server-2003-as-dc-windows-server-2008-as-member-server?forum=winserversecurity

Created on Feb 4, 2014 2:15:10 PM by  Greg Campion [Paessler Support]
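
Added example, not part of the original thread and not Paessler's code: a Python audit that lists accounts carrying the "Do not require Kerberos preauthentication" flag (DONT_REQ_PREAUTH, 0x400000 in userAccountControl) from an LDIF export, so an exception made for a monitoring account stays inventoried. The LDIF sample, account names and function names are constructed for illustration.

```python
import re

# userAccountControl bit values (documented Active Directory flags)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample in the style of a directory LDIF export; names are made up.
SAMPLE_LDIF = """\
dn: CN=svc-prtg,OU=Service,DC=example,DC=test
sAMAccountName: svc-prtg
userAccountControl: 4260352

dn: CN=alice,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=old-scanner,OU=Service,DC=example,DC=test
sAMAccountName: old-scanner
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Split an LDIF export into one attribute dict per entry (simple values only)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            # Skip comments, folded continuation lines and anything without a key.
            if line.startswith(("#", " ")) or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def preauth_disabled(entries):
    """Return (account, enabled, password_never_expires) for each flagged account."""
    findings = []
    for e in entries:
        try:
            uac = int(e.get("useraccountcontrol", ""))
        except ValueError:
            continue  # attribute missing or not numeric: not a user/computer entry
        if uac & UF_DONT_REQUIRE_PREAUTH:
            name = e.get("samaccountname", e.get("dn", "?"))
            findings.append((name, not uac & UF_ACCOUNTDISABLE,
                             bool(uac & UF_DONT_EXPIRE_PASSWD)))
    return findings
```

Enabled accounts in the result whose password also never expires are the ones to review first.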



Votes:

0

Thanks! I appreciate the reply. I will give that a try and see if it reduces lsass CPU usage and requests to the DC.

In addition though, is it possible to configure PRTG to cache the tickets (one per server SPN, perhaps) and reuse them instead of making a request to the KDC on each query?

Created on Feb 4, 2014 2:46:05 PM



Votes:

0

Unfortunately, this is under the hood of the WMI process that PRTG uses and isn't something that we can directly affect. Hopefully disabling the Pre-auth will be enough to stop the process from using so many CPU resources.

Created on Feb 4, 2014 4:47:27 PM by  Greg Campion [Paessler Support]

Last change on Feb 4, 2014 4:47:39 PM by  Greg Campion [Paessler Support]



