All Apps and Add-ons

Splunk App for Windows Infrastructure: Why am I getting error "invalid attribute type in attribute list: msDS-PrincipalName" when running change or audit reports?

barrycuda72
Explorer

I am trying to use the Splunk App for Windows Infrastructure to track changes to AD groups and users.
Running on a Windows 2003 domain. I have installed the latest version of the app and the correct TA add-on for 2003 domains.
However when run any of the built-in change or audit reports it errors out with "invalid attribute type in attribute list: msDS-PrincipalName"
As far as I can tell this is an Active Directory attribute in AD 2008 an higher.

0 Karma

malmoore
Splunk Employee
Splunk Employee

Hi guys,

Please file a support ticket to have someone triage the issues you are experiencing. The sooner you do this, the sooner we can determine if it is a bug.

The msDS-PrincipalName attribute does not exist in Windows Server 2003 Active Directory services.

0 Karma

satishsdange
Builder

Your problem might be related to below "known issue"

http://docs.splunk.com/Documentation/MSApp/1.1.2/MSInfra/Releasenotes

Current known issues
The Splunk App for Windows Infrastructure has the following known issues:

In certain cases, the app setup prerequisite check prevents you from proceeding even though all prerequisite checks have passed. To work around the problem, confirm that the Splunk Add-on for Windows and the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch) have been activated (and not just installed) in the Apps page in Splunk Web. (TAG-9012)

0 Karma

barrycuda72
Explorer

I checked and I had previously activated that app and it passed the self test. The prerequisite check finds everything and processes just fine.

0 Karma

malmoore
Splunk Employee
Splunk Employee

Can you provide a screenshot of this error? Thanks.

0 Karma

barrycuda72
Explorer

I would send a screen shot if I could figure out how to put it here. As an fYI I built an entire new Splunk server and followed these steps to the letter http://docs.splunk.com/Documentation/MSApp/1.1.2/MSInfra/Releasenotes

Here is what is in the "New Search" box
|secrpt-large-groups(domain,100)

Here is the error message
⚠ External search command 'ldapgroup' returned error code 1. Script output = " ERROR "LDAPAttributeError at ""C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\ldap3\operation\search.py"", line 315 : invalid attribute type in attribute list: msDS-PrincipalName" "

0 Karma

sihamUfp
New Member

i have the same problem

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...