05-10-2016 09:59 PM
Hi, I'm attempting to implement User-ID on PAN-OS 7.0.6 within a multi-domain forest.
All of our workstations exist on one domain and the users logging into those workstations exist on another domain within the same forest. I have the User-ID agent set up on a member server in the workstation domain and it can correctly map the IP address to usernames in the user domain.
The issue I'm having is that within the policy, if I set a group name in the workstation domain, it cannot match the username which is being correctly identified within the monitor tab.
I've seen articles dealing with multiple domains in a single forest, but they tend to assume that the domains all have a contiguous DNS namespace. Our environment doesn't have that; the user domain and workstation domain names are completely different (legacy reasons, I don't like it 🙂).
Has anyone dealt with this before?
05-11-2016 06:09 AM
While I've removed the actual domains and am not displaying the targeted DCs within the domains for enumeration, I hope you get the context.
Of the 8 domains, all 8 are unique domains not following a contiguous DNS namespace. We use 4 UIAs, merely for load-sharing purposes, that use the same service account in a single domain. Our UIAs can target all 8 domains because of a domain trust which we've established.
For the LDAP profiles themselves we do use specific SAs (service accounts) which exist in the respective domains.
Following this construct I've had no issues matching security group policy with associated user tracking.
05-11-2016 06:14 AM
Here's a snippet of a user policy I'm using:
I'm successfully able to see these unique security groups in the different domains, while our UIA environment, which uses a service account in only 1 of the 8 domains, can target users which exist in all 8 of the unique domains.
05-11-2016 11:30 PM
Hey, thanks for the reply, it certainly does help. I have a couple of follow-up questions if you don't mind, just to help me get it clear in my head.
1) Do you have cross-domain group memberships for users being resolved correctly (i.e. you set a group in a policy from domain1 and that group has a member from domain2 in it)?
2) For each of the LDAP profiles you use for each of the domains, are you using one Bind user per domain or a single Bind user for all domains? Are you connecting to the LDAP port (389) or the Global Catalog (3268)?
3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard?
4) If I understand your explanation, you have 4 servers running the User-ID Agent for load sharing and they are all member servers in a single domain using the one service account, and they can match IP address to username across all domains due to the trust?
Thanks for your help, I really appreciate it, this'll get me out of a jam if I get it going.
Cheers.
05-16-2016 05:52 AM
1) Do you have cross-domain group memberships for users being resolved correctly (i.e. you set a group in a policy from domain1 and that group has a member from domain2 in it)?
No. Each security group has user accounts in the respective domains.
2) For each of the LDAP profiles you use for each of the domains, are you using one Bind user per domain or a single Bind user for all domains? Are you connecting to the LDAP port (389) or the Global Catalog (3268)?
1 Bind DN per domain. LDAP/389.
3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard?
Yeah, just the default settings minus Base/Bind DN.
4) If I understand your explanation, you have 4 servers running the User-ID Agent for load sharing and they are all member servers in a single domain using the one service account, and they can match IP address to username across all domains due to the trust?
Yes. Essentially domains A, B, C, D, E, F, G, H. The UIAs are loaded on a 2012 server in domain "A" using a service account which exists in domain "A", which for all intents and purposes is the "parent" domain. There are domain trusts between domain A and every other domain. In this construct we're getting user attribution from the other domains.
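The mechanics behind the answer above, as an added example that is not part of the thread and not PAN-OS code: the forest, directory entries, NetBIOS names and IP-to-user table are all constructed and hypothetical, and `resolve_group` is a simplified model of a per-domain group-mapping profile rather than a statement of how the product resolves a member DN that lives in another domain. It shows the two things that decide whether a group-based rule matches: (1) whether a group holds members from a different domain than the group itself (the mixing the answer avoids by keeping each group's accounts in its own domain), and (2) whether the `DOMAIN\user` string the group resolver produces is byte-for-byte the one the User-ID agent reports for the IP, which is where a single-domain prefix (the "User Domain" override on a profile) breaks cross-domain members.

```python
"""Model of cross-domain group resolution vs. IP-to-user attribution.

Added example, not from the thread. Domains, directory contents and
IP-to-user mappings below are constructed; the resolver is a simplified
model of one per-domain group-mapping profile, not PAN-OS code.
"""
from typing import Dict, List, Optional

# Constructed forest: two domains with non-contiguous DNS names (hypothetical).
# DN suffix -> NetBIOS name, i.e. the prefix used in "DOMAIN\user".
DOMAINS: Dict[str, str] = {
    "DC=corp-ws,DC=example": "WSDOM",   # workstation domain
    "DC=staff,DC=internal": "USERDOM",  # user domain
}

# Constructed directory: DN -> attributes (a tiny stand-in for LDAP results).
DIRECTORY: Dict[str, dict] = {
    "CN=Web Users,OU=Groups,DC=corp-ws,DC=example": {
        "objectClass": "group",
        "member": [
            "CN=Jane Smith,OU=People,DC=staff,DC=internal",  # account from the other domain
            "CN=svc-scan,OU=Service,DC=corp-ws,DC=example",  # same-domain account
        ],
    },
    "CN=Jane Smith,OU=People,DC=staff,DC=internal": {
        "objectClass": "user", "sAMAccountName": "jsmith"},
    "CN=svc-scan,OU=Service,DC=corp-ws,DC=example": {
        "objectClass": "user", "sAMAccountName": "svc-scan"},
}

# Constructed IP-to-user table as an agent in WSDOM would report it once the
# trust lets it attribute logons from USERDOM: each user keeps its own domain.
IP_USER: Dict[str, str] = {
    "10.0.5.23": "USERDOM\\jsmith",
    "10.0.5.40": "WSDOM\\svc-scan",
}


def domain_suffix(dn: str) -> str:
    """DC=... tail of a DN; identifies the domain the object lives in.
    Plain comma split: escaped commas inside an RDN are not handled here."""
    rdns = [r.strip() for r in dn.split(",")]
    return ",".join(r for r in rdns if r.upper().startswith("DC="))


def cross_domain_members(group_dn: str) -> List[str]:
    """Members whose DN lives in a different domain than the group.
    An empty list is the 'each group holds only its own domain's accounts'
    situation the answer describes; anything else needs cross-domain resolution."""
    group_domain = domain_suffix(group_dn)
    return [m for m in DIRECTORY[group_dn]["member"]
            if domain_suffix(m) != group_domain]


def resolve_group(group_dn: str, user_domain_override: Optional[str] = None) -> List[str]:
    """Resolve members to DOMAIN\\sAMAccountName.

    Model (assumption, not product behaviour): with an override every member
    gets that one prefix, the way a profile-wide 'User Domain' setting would;
    without it the prefix comes from each member's own DN suffix.
    """
    names = []
    for member_dn in DIRECTORY[group_dn]["member"]:
        sam = DIRECTORY[member_dn]["sAMAccountName"]
        prefix = user_domain_override or DOMAINS.get(domain_suffix(member_dn), "UNKNOWN")
        names.append(f"{prefix}\\{sam}")
    return names


def policy_matches(ip: str, group_dn: str, user_domain_override: Optional[str] = None) -> bool:
    """Would a rule on `group_dn` match traffic from `ip`? The decision is a
    case-insensitive comparison of DOMAIN\\user strings, which is exactly
    where a wrong domain prefix makes a correctly attributed user miss."""
    user = IP_USER.get(ip)
    if user is None:
        return False
    members = {n.lower() for n in resolve_group(group_dn, user_domain_override)}
    return user.lower() in members


if __name__ == "__main__":
    g = "CN=Web Users,OU=Groups,DC=corp-ws,DC=example"
    print("cross-domain members:", cross_domain_members(g))
    print("single prefix WSDOM:", resolve_group(g, "WSDOM"),
          "match for 10.0.5.23:", policy_matches("10.0.5.23", g, "WSDOM"))
    print("per-member domain:  ", resolve_group(g),
          "match for 10.0.5.23:", policy_matches("10.0.5.23", g))
```

Running it shows `jsmith` attributed as `USERDOM\jsmith` by the agent but resolved as `WSDOM\jsmith` when the workstation-domain profile stamps its own prefix on every member, so the rule never matches; with a per-member domain, or with groups that only ever contain their own domain's accounts (the construct in the answer: one LDAP profile and bind account per domain, group and users in the same domain), the strings line up. The `cross_domain_members` check is the one to reproduce with a real `ldapsearch` against each domain before putting a group in policy.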