In our deployment of PRTG (13.3.5.2871 x64 on Windows Server 2012 R2), we use an AD-authenticated user to query WMI sensors. This causes pretty high lsass.exe CPU usage on the probe machines, but more concerning is that it generates several thousand requests/sec to our domain controller. Watching a netmon/message analyzer trace, there is a pattern that happens on every sensor query:
KRB_AS_REQ [with PA-PAC-REQUEST]
KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required
KRB_AS_REQ [with PA-ENC-TIMESTAMP, PA-PAC-REQUEST]
KRB_AS_REP, Ticket {Realm: <domain>, Sname: krbtgt/<domain>}
KRB_TGS_REQ
KRB_TGS_REP
Is there a reason why a ticket request is made every time? Can the kerb ticket be cached and reused?
Article Comments
Thanks! I appreciate the reply. I will give that a try and see if it reduces lsass CPU usage and requests to the DC.
In addition though, is it possible to configure PRTG to cache the tickets (one per server SPN, perhaps) and reuse them instead of making a request to the KDC on each query?
Feb, 2014 - Permalink
Unfortunately this is under the hood of the WMI process that PRTG uses and isn't something that we can directly affect. Hopefully disabling the Pre-auth will be enough to stop the process from using so much CPU resources.
Feb, 2014 - Permalink
You can enable the "Do not require Kerberos preauthentication" option for that user account in AD Users & Computers -> properties -> account.
Also, if the servers are 2003 DCs then you may also want to check out this option:
http://social.technet.microsoft.com/Forums/en-US/4db3bb1a-5cdf-4874-b58f-f3cbba0ea80a/eventid-675-failure-code-0x19-windows-server-2003-as-dc-windows-server-2008-as-member-server?forum=winserversecurity
Feb, 2014 - Permalink
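An added example, not part of the original thread or of PRTG: one way to measure from an exported capture whether a client reuses its TGT or repeats the full exchange shown in the question for every query. The message names are the ones in the question; the host names, the `(client, message)` tuple format and the function names are assumptions made for this sketch.

```python
from collections import defaultdict

# Message names come from the trace in the question; hosts are constructed.
FULL_EXCHANGE = ["KRB_AS_REQ", "KRB_ERROR", "KRB_AS_REQ", "KRB_AS_REP",
                 "KRB_TGS_REQ", "KRB_TGS_REP"]
TGS_ONLY = ["KRB_TGS_REQ", "KRB_TGS_REP"]

# Constructed sample: probe01 repeats the full exchange for each of three
# queries; app02 gets one TGT and reuses it for two more service tickets.
SAMPLE_TRACE = ([("probe01", m) for m in FULL_EXCHANGE * 3] +
                [("app02", m) for m in FULL_EXCHANGE + TGS_ONLY * 2])


def summarize(trace):
    """Per client: service tickets requested right after a new TGT vs. with a
    TGT that had already been used, plus total messages exchanged with the KDC."""
    stats = defaultdict(lambda: {"tgs_new_tgt": 0, "tgs_cached_tgt": 0,
                                 "preauth_errors": 0, "kdc_msgs": 0})
    fresh_tgt = defaultdict(bool)  # True between an AS_REP and the next TGS_REQ
    for client, msg in trace:
        s = stats[client]
        s["kdc_msgs"] += 1
        if msg == "KRB_ERROR":
            s["preauth_errors"] += 1  # assumed to be KDC_ERR_PREAUTH_REQUIRED
        elif msg == "KRB_AS_REP":
            fresh_tgt[client] = True
        elif msg == "KRB_TGS_REQ":
            key = "tgs_new_tgt" if fresh_tgt[client] else "tgs_cached_tgt"
            s[key] += 1
            fresh_tgt[client] = False
    return dict(stats)


def clients_without_tgt_reuse(trace, min_tickets=2):
    """Clients that requested several service tickets and never reused a TGT."""
    return sorted(c for c, s in summarize(trace).items()
                  if s["tgs_new_tgt"] >= min_tickets and s["tgs_cached_tgt"] == 0)


if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_TRACE).items()):
        print(client, s)
    print("no TGT reuse:", clients_without_tgt_reuse(SAMPLE_TRACE))
```

Running the same summary on a capture taken before and after a configuration change shows whether the number of KDC messages per service ticket actually dropped.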