In this article:
Issue description
Prerequisites
Possible causes
Resolution
Related topics and articles
How to reach support
Issue description
In ADAudit Plus, the Net Logon Vulnerable Schannel Connection Audit Reports profile provides insight into Netlogon secure channel activity on your Domain Controllers: denied and allowed connections from machine accounts and trust accounts, and client and trust authentication that still relies on RPC signing (rather than sealing) or RC4 encryption. In some environments this profile shows no data at all. The cause is usually one of the following: not every Domain Controller is being audited, the Netlogon events cannot be read from the DC, the required policy is not configured on the DC, or event data is not being processed by ADAudit Plus. This document gives a structured approach to diagnosing and resolving the issue.
Prerequisites
Before troubleshooting, verify that the following prerequisites are met:
All Domain Controllers are configured in ADAudit Plus.
Required ports and firewall rules are enabled.
The service account provided in ADAudit Plus is a member of the Event Log Readers group.
The ADAudit Plus Agent is installed to receive logs in real time.
Possible causes
Not all Domain Controllers are configured in ADAudit Plus (event logs are local to each DC and are not replicated).
Communication issues (typically RPC) between the ADAudit Plus server and the target Domain Controller.
The service account lacks the privileges required to read the Domain Controller's event logs.
The "Allow vulnerable Netlogon secure channel connections" Group Policy is not configured on the Domain Controllers.
Non-security logs are collected only every 3 hours in agentless mode, so the most recent Netlogon events have not been collected yet.
Files are stuck in the Installation Directory/ADAudit Plus/eventdata/raw or processed folders.
Resolution
Step 1: Verify Domain Controller configuration in ADAudit Plus
Log in to ADAudit Plus.
Navigate to Domain Settings.
Ensure that all Domain Controllers in your environment are listed and configured.
Note: Security logs do not replicate across Domain Controllers. It is essential to configure all DCs in ADAudit Plus.
Step 2: Check for communication issues
If log collection fails for a Domain Controller, check for RPC-related errors in the collection status.
If you encounter "RPC Server Unavailable" (error code 0x6BA, decimal 1722), refer to the RPC troubleshooting guide.
Step 3: Verify service account permissions
To check the configured service account in ADAudit Plus:
Go to Domain Settings.
Click the dropdown next to the domain name.
Select Modify Credentials.
To grant necessary permissions:
Open Active Directory Users and Computers.
Navigate to the Builtin container and locate the Event Log Readers group.
Right-click Event Log Readers > Properties > Members tab > Add, and add the configured service account.
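The following PowerShell script is an added example covering Steps 1 to 3; it is not part of ADAudit Plus and not taken from this article. It enumerates every Domain Controller, checks whether the service account is a member of Event Log Readers, tests TCP 135 (the RPC endpoint mapper whose failure shows up as error 0x6BA), and then reads each DC's System log for the Netlogon secure channel events (5827 to 5831 and 5838 to 5841) so you can tell whether the DC is producing the events at all before looking at ADAudit Plus. The service account name svc-adauditplus is an assumed placeholder; the script assumes the RSAT ActiveDirectory module is installed and that the account running it can read remote event logs.

```powershell
# Added example (not ADAudit Plus code). Assumes the RSAT ActiveDirectory module
# and an account that can read the System log on every Domain Controller.
param(
    [string]$ServiceAccount = 'svc-adauditplus'   # assumed placeholder, replace with your service account
)
Import-Module ActiveDirectory

# Netlogon secure channel audit events are written to the System log, source NETLOGON:
# 5827/5828 denied (machine/trust), 5829 allowed vulnerable, 5830/5831 allowed by policy,
# 5838/5839 RPC signing (client/trust), 5840/5841 RC4 (client/trust).
$netlogonIds = @(5827..5831) + @(5838..5841)

# Step 1: every DC must be listed in ADAudit Plus; logs do not replicate between DCs.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
"Domain Controllers found: $($dcs.Count)"

# Step 3: Event Log Readers is a domain-local group in the Builtin container.
$readers  = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive |
            Select-Object -ExpandProperty SamAccountName
$isMember = $readers -contains $ServiceAccount
"$ServiceAccount is a member of Event Log Readers: $isMember"
if (-not $isMember) {
    # Remediation for Step 3; uncomment to apply.
    # Add-ADGroupMember -Identity 'Event Log Readers' -Members $ServiceAccount
    "  -> add $ServiceAccount to Event Log Readers, then retry collection"
}

foreach ($dc in $dcs) {
    # Step 2: TCP 135 is the RPC endpoint mapper; unreachable means error 0x6BA.
    $rpcOk = Test-NetConnection -ComputerName $dc -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $rpcOk) {
        "$dc : TCP 135 unreachable (expect 'RPC Server Unavailable', 0x6BA)"
        continue
    }

    # Does the DC itself have any Netlogon audit events in the last 24 hours?
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = $netlogonIds
            StartTime    = (Get-Date).AddDays(-1)
        } -ErrorAction Stop
        "$dc : $($events.Count) Netlogon audit events in the last 24h"
        $events | Group-Object Id | Sort-Object Name |
            ForEach-Object { "    ID $($_.Name): $($_.Count)" }
    } catch {
        if ($_.Exception.Message -match 'No events were found') {
            "$dc : no Netlogon audit events in the last 24h (the DC is not producing them)"
        } else {
            "$dc : cannot read the System log ($($_.Exception.Message))"
        }
    }
}
```

If a DC reports events here but ADAudit Plus still shows nothing, the problem is on the collection side (Steps 5 and 6). If a DC reports no events at all, the problem is on the DC (Step 4), not in ADAudit Plus.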
Step 4: Configure the necessary group policy on the Domain Controllers
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
Setting name: Domain controller: Allow vulnerable Netlogon secure channel connections.
When the Create Vulnerable Connection list (allow list) is configured:
Allow: The domain controller will allow the specified groups/accounts to use a Netlogon secure channel without secure RPC.
Deny: This setting is the same as the default behavior. The domain controller will require the specified groups/accounts to use a Netlogon secure channel with secure RPC.
Note: Only add to the Allow list the specific accounts that genuinely cannot use secure RPC. An Allow entry re-exposes that account to the Netlogon weakness (CVE-2020-1472) that the secure RPC enforcement closes; do not add broad groups just to populate the report.
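As an added example for Step 4 (not ADAudit Plus code and not from this article), the script below reads the effective Netlogon settings from the registry on each Domain Controller instead of opening the Group Policy editor. The "Allow vulnerable Netlogon secure channel connections" policy is stored as a security descriptor (SDDL string) in the VulnerableChannelAllowList value under the Netlogon Parameters key, and FullSecureChannelProtection = 1 indicates that secure RPC enforcement is on. The script decodes the SDDL so you can see exactly which accounts have Allow (AccessAllowed) or Deny (AccessDenied) entries. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and PowerShell 5.1 or later for ConvertFrom-SddlString.

```powershell
# Added example (not ADAudit Plus code). Assumes RSAT ActiveDirectory module,
# WinRM access to each DC, and PowerShell 5.1+ (ConvertFrom-SddlString).
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

foreach ($dc in $dcs) {
    try {
        $params = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty -Path $using:netlogonKey
        }
    } catch {
        "$dc : cannot read $netlogonKey ($($_.Exception.Message))"
        continue
    }

    # FullSecureChannelProtection: 1 = secure RPC enforced (the default on patched DCs).
    $enforce = $params.PSObject.Properties['FullSecureChannelProtection']
    $enforceText = if ($enforce) { $enforce.Value } else { 'not set (default: enforced)' }
    "$dc : FullSecureChannelProtection = $enforceText"

    # VulnerableChannelAllowList holds the policy's allow list as an SDDL string.
    $allowList = $params.PSObject.Properties['VulnerableChannelAllowList']
    if (-not $allowList -or [string]::IsNullOrWhiteSpace($allowList.Value)) {
        "$dc : 'Allow vulnerable Netlogon secure channel connections' is NOT configured"
        "      (no 5830/5831 'allowed by policy' events will be logged on this DC)"
        continue
    }

    "$dc : allow list SDDL = $($allowList.Value)"
    # Decode the SDDL into readable ACEs: AccessAllowed = Allow, AccessDenied = Deny.
    $sd = ConvertFrom-SddlString -Sddl $allowList.Value
    foreach ($ace in $sd.DiscretionaryAcl) {
        $verdict = if ($ace -match 'AccessAllowed') { 'ALLOW (vulnerable channel permitted)' }
                   elseif ($ace -match 'AccessDenied') { 'DENY (secure RPC required)' }
                   else { 'other' }
        "      $ace -> $verdict"
    }
}
```

Compare the decoded list against the exceptions you intended to grant. Any AccessAllowed entry for a broad group (for example Domain Computers) should be treated as a finding, not as a convenience for the report.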
Step 5: Enable real-time log collection
The Netlogon secure channel events are written to the System log, which ADAudit Plus treats as a non-security log. By default, non-security logs are collected every 3 hours in agentless mode, so events may take up to 3 hours to appear. To collect them in real time, install the ADAudit Plus Agent on the Domain Controllers.
Step 6: Check for stuck files in the event data folder
If files are stuck in Installation Directory/ADAudit Plus/eventdata/raw or processed, contact ManageEngine Support for assistance.
Related topics and articles
How to reach support
If the issue persists, contact our support team here.