Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk App for Windows Infrastructure: Why am ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk App for Windows Infrastructure: Why am I getting error "invalid attribute type in attribute list: msDS-PrincipalName" when running change or audit reports?
I am trying to use the Splunk App for Windows Infrastructure to track changes to AD groups and users.
Running on a Windows 2003 domain. I have installed the latest version of the app and the correct TA add-on for 2003 domains.
However when run any of the built-in change or audit reports it errors out with "invalid attribute type in attribute list: msDS-PrincipalName"
As far as I can tell this is an Active Directory attribute in AD 2008 an higher.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
Please file a support ticket to have someone triage the issues you are experiencing. The sooner you do this, the sooner we can determine if it is a bug.
The msDS-PrincipalName attribute does not exist in Windows Server 2003 Active Directory services.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your problem might be related to below "known issue"
http://docs.splunk.com/Documentation/MSApp/1.1.2/MSInfra/Releasenotes
Current known issues
The Splunk App for Windows Infrastructure has the following known issues:
In certain cases, the app setup prerequisite check prevents you from proceeding even though all prerequisite checks have passed. To work around the problem, confirm that the Splunk Add-on for Windows and the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch) have been activated (and not just installed) in the Apps page in Splunk Web. (TAG-9012)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked and I had previously activated that app and it passed the self test. The prerequisite check finds everything and processes just fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide a screenshot of this error? Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would send a screen shot if I could figure out how to put it here. As an fYI I built an entire new Splunk server and followed these steps to the letter http://docs.splunk.com/Documentation/MSApp/1.1.2/MSInfra/Releasenotes
Here is what is in the "New Search" box
|secrpt-large-groups(domain,100)
Here is the error message
⚠ External search command 'ldapgroup' returned error code 1. Script output = " ERROR "LDAPAttributeError at ""C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\ldap3\operation\search.py"", line 315 : invalid attribute type in attribute list: msDS-PrincipalName" "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have the same problem
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
