Choose from several options for complete web, email and data security.
Learn more
Evaluate Websense products by watching demos and installing evaluation software.
Learn how Websense solutions help keep our customer safe, secure and productive
Get information on product updates, support resources and more.
Get the most out of support in five simple steps.
Find tools and assets to help sell Websense solutions.
Come work for the global leader in unified information security. Go
I have some problems with the DC Agent polling workstations from time to time.
I have noticed in the security log on some workstations we get a 537 event generated by the service account of the DC agent:
Logon Failure: Reason: An error occurred during logon User Name: The sercice account for the DC Agent Domain: Our Domain Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: - Status code: 0xC00002EE Substatus code: 0x0 Anyone have any ideas what could be causing this?
Logon Failure:
Reason: An error occurred during logon
User Name: The sercice account for the DC Agent
Domain: Our Domain
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
Anyone have any ideas what could be causing this?
Workstation Polling. Look in the DC Agent config under User Identification in Settings, you'll see there are settings there both for DC Polling and Workstation Polling. My guess is your service account doesn't have permission on the workstations but that box is checked so it's trying anyway. Just turn off workstation polling and you should be fine.
For more info: Workstation Polling is a backup method for when DC Agent doesn't grab a username for an IP. It reaches out to try to log into the machine and determine the current logged in user (how exactly it does this I forget). With more environments being locked down internally, both from a Windows and a network standpoint Workstation Polling gets harder and harder to keep working properly and its benefits are marginal. In the past workstation polling would break every couple months with windows patching anyway. For most cases DC polling alone will be enough.
Thanks for the reply. My service account definately has the required permission, it just seems to generate these events on some workstations. It may be a patching thing. The DC polling is fine for most users, just a few people don't like logging off every day ;). I'm looking at introducing the logon agent which should mitigate this in the future.
In that case the logs are very vague and could be any number of issues.
I have Workstation polling enabled on my environment but only because it's working without issue... if it gives me problems in the future I won't hesitate to shut it off.
You shouldn't need to enable WKSPolling just because some people have to log back in each day... that sounds like your DC Agent configs are a bit too strict. If you set the Max Timeout for DC Agent to 24 hours, for example, that means that it'll take 24 hours of NO internet access from that computer before DC Agent wipes the user identification. That would mean then only on Monday people have to relog in.
