4. Problems with the encryption type are the most difficult to detect, because the error message returned by the WinRM service contains no information about what is actually going wrong during the authentication.
To troubleshoot Kerberos authentication issues, capture the network traffic on port 88 on the Collector machine with a tool such as Wireshark.
Find attached 2 sample network captures, one for a successful Kerberos authentication (krb5.pcap) and one for a failed Kerberos authentication (krb5-failed.pcap).
In the krb5-failed.pcap you will notice a packet coming from the Domain Controller (KDC) which says KRB5KDC_ERR_ETYPE_NOSUPP.
The following can be seen in this capture file:
1st packet: The Collector machine sends a request to the KDC for a Kerberos ticket for the user specified in the Monitored Host Account Name.
2nd packet: The KDC responds to the Collector machine with KRB5_ERR_PREAUTH_REQUIRED and informs the client which encryption types are supported.
In this case the KDC offers the following 3 encryption types: aes256-cts-hmac-sha1-96, rc4-hmac and des-cbc-md5.
3rd packet: The Collector machine sends another request, trying to use aes256-cts-hmac-sha1-96 encryption.
4th packet: The KDC responds that the encryption type is not supported (KRB5KDC_ERR_ETYPE_NOSUPP). The Kerberos authentication fails and the collector is unable to collect events.
In this case it is recommended to try another encryption type offered by the KDC by manually setting the EncryptionTypes property in the collector's config.xml file.
The config.xml file can be found in the installation directory of the collector. On a Windows machine the default installation directory is C:\Program Files\Symantec\Event Agent\collectors\msvista.
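The four-packet exchange described above can also be checked programmatically. The following Python sketch is an added example, not part of the collector or of the original article. It assumes the Kerberos packets were exported from the capture as tab-separated rows (frame, message type, error code, encryption types); the row layout and the sample rows are constructed for illustration.

```python
# Kerberos numbers: RFC 4120 (message types, error codes), RFC 3961/3962/4757 (etypes).
AS_REQ, KRB_ERROR = 10, 30
ERR_ETYPE_NOSUPP, ERR_PREAUTH_REQUIRED = 14, 25
ETYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Constructed rows mirroring the four packets described above (assumed layout):
# frame <TAB> msg-type <TAB> error-code <TAB> comma-separated etype numbers
SAMPLE = "1\t10\t\t18,23,3\n2\t30\t25\t18,23,3\n3\t10\t\t18\n4\t30\t14\t\n"

def parse(text):
    """Turn exported rows into dicts; empty columns become None / []."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, mtype, err, etypes = (line.split("\t") + [""] * 4)[:4]
        msgs.append({"frame": int(frame), "type": int(mtype),
                     "error": int(err) if err else None,
                     "etypes": [int(e) for e in etypes.split(",") if e]})
    return msgs

def names(etypes):
    """Map etype numbers to names, keeping unknown numbers visible."""
    return [ETYPES.get(e, f"etype-{e}") for e in etypes]

def diagnose(msgs):
    """Return (offered, tried, alternatives) if the exchange ends in
    ETYPE_NOSUPP after a PREAUTH_REQUIRED offer, otherwise None."""
    offered, tried = [], []
    for m in msgs:
        if m["type"] == KRB_ERROR and m["error"] == ERR_PREAUTH_REQUIRED:
            offered, tried = m["etypes"], []   # KDC lists what it supports
        elif m["type"] == AS_REQ and offered:
            tried = m["etypes"]                # what the client used afterwards
        elif m["type"] == KRB_ERROR and m["error"] == ERR_ETYPE_NOSUPP and tried:
            alternatives = [e for e in offered if e not in tried]
            return names(offered), names(tried), names(alternatives)
    return None

if __name__ == "__main__":
    result = diagnose(parse(SAMPLE))
    if result:
        offered, tried, alternatives = result
        print("KDC offered:", ", ".join(offered))
        print("Client tried:", ", ".join(tried))
        print("Candidates for EncryptionTypes:", ", ".join(alternatives))
```

For the constructed rows, the candidates reported are the encryption types the KDC offered but the collector did not try, which are the ones to consider for the EncryptionTypes property.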