Hi all,
I have a report from our Security team (probably Splunk logs) of failed Kerberos authentication events to multiple servers (Service indicates RPCSS/Host/Cifs) using the service account we use to poll and manage nodes (which templates would import from the node too).
The Source IP shows our main polling server, the destination IP the Server, and the Service shows as RPCSS\ServerHostname.Domain or Host\ServerHostname.Domain
The strange thing about the report is that 80% of the hosts it's failing against are decommissioned from the environment (both in Orion and Active Directory).
There are hundreds of failed Kerberos events per host, but with these hosts not in Orion, I'm not sure how they are still showing up on these reports.
What I did find is that some of these decommissioned hosts were badly cleaned up, and their DNS records still existed in DNS Manager. The IP assigned to the decommed node had been assigned to a different server, and considering many of our managed nodes in Orion did not specify the DNS name, I figured this could be the reason. I configured the FQDN for each node appearing on the report and cleaned up the old stale DNS records, which did drop the failed event count, but some still show up.
I'm not sure how a node that no longer exists in AD, DNS, Orion or elsewhere can show up with a count of 650 Kerberos failed authentication events in 7 days lol!
Any thoughts?
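One way to triage a report like this offline, as an added example that is not code from the original post or from Orion: take each failed service-ticket request (SPN host plus destination IP) and check it against an export of the DNS zone and the AD computer list, so stale PTR records, stale A records and genuinely unexplained entries are separated before chasing individual hosts. The zone data, computer names and events below are constructed sample values, and the hypothetical `A_RECORDS`/`PTR_RECORDS`/`AD_COMPUTERS` tables stand in for whatever export you pull from DNS Manager and AD.

```python
"""Triage failed Kerberos service-ticket requests against DNS and AD inventory."""
from collections import Counter

# Constructed sample events: (service principal as logged, destination IP).
FAILED_EVENTS = [
    ("RPCSS/oldsql01.corp.example", "10.1.2.10"),
    ("Host/oldsql01.corp.example", "10.1.2.10"),
    ("cifs/oldfile02.corp.example", "10.1.2.20"),
    ("Host/app03.corp.example", "10.1.2.30"),
]
# Constructed DNS export: forward A records (name -> IP) and reverse PTR records (IP -> name).
A_RECORDS = {
    "newweb01.corp.example": "10.1.2.10",   # the IP that oldsql01 used to hold
    "oldfile02.corp.example": "10.1.2.20",  # decommissioned host, A record never removed
    "app03.corp.example": "10.1.2.30",
}
PTR_RECORDS = {
    "10.1.2.10": "oldsql01.corp.example",   # stale PTR: IP was reassigned, PTR was not
    "10.1.2.20": "oldfile02.corp.example",
    "10.1.2.30": "app03.corp.example",
}
# Constructed AD computer objects (lower-case FQDNs).
AD_COMPUTERS = {"newweb01.corp.example", "app03.corp.example"}


def classify(spn, dest_ip):
    """Explain one failed request: the SPN host is checked against AD, then DNS."""
    host = spn.partition("/")[2].lower()
    if host in AD_COMPUTERS:
        return "host exists in AD: investigate the SPN or account, not DNS"
    reasons = []
    if PTR_RECORDS.get(dest_ip, "").lower() == host:
        reasons.append("stale PTR record maps the polled IP to the old name")
    if host in A_RECORDS:
        reasons.append("stale A record still resolves the old name")
    owner = next((n for n, ip in A_RECORDS.items() if ip == dest_ip and n in AD_COMPUTERS), None)
    if owner:
        reasons.append(f"IP now belongs to {owner}")
    return "; ".join(reasons) or "no DNS or AD trace: check poller inventory and caches"


def triage(events):
    """Count identical failures and attach a classification to each (spn, ip) pair."""
    return {key: (n, classify(*key)) for key, n in Counter(events).items()}
```

Entries that come back as "no DNS or AD trace" are the ones worth raising with the poller owners, since neither name service explains how the old SPN is still being requested.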