topic Re: Users failed to authenticate when they have Windows7 in their PCs...? in General Topics

Users failed to authenticate when they have Windows7 in their PCs...?

fw_admin — Thu, 18 Feb 2010 14:30:24 GMT

Hi,

We've got two PANAgents in W2008 and we've seen that our users running Windows 7 have some problems to be authenticated.

Our partner has adviced us that NetBios probing doesn't work with Windows7, that in new version of PAN OS 3.1 will be supported via WMI. But is there any known issue related to windows7 in the query to DCs from the PANAgent?

Is there any way to see from which DC is the PANAgent obtaining its information for mapping IP-user? What does it show each level of debug logging?

Regards,

Re: Users failed to authenticate when they have Windows7 in their PCs...?

nrice — Fri, 19 Feb 2010 00:19:06 GMT

Hello,

So far we don't know of any issues running the PAN Agent on Windows 7.

The statements in the PAN Agent logs beginning with "SERVICE_TICKET_GRANTED" will indicate the IP of the DC server and the name/IP of the user.

The debug options for the PAN Agent logging are:

None - No debugging output

Info - Default value. Includes all error/warning log output, as well as some system running information logs.

Debug- Includes all Info level log output, as well as most Debug related logs.

Verbose - Includes all Info and Debug level log output, as well as all verbose logs.

Re: Users failed to authenticate when they have Windows7 in their PCs...?

fw_admin — Tue, 16 Mar 2010 14:10:21 GMT

Hello,

I'm not asking about problems with the PANAgent installed on windows7. The question is if there is any knwon issue about PCs of users with Windows7. We're detecting some problems with the same Policies configured in our PA, when the user changes its PC from Windows XP to Windows 7.

When the user had WindowsXP, things run properly and the PANAgent was able to identify user-IP. Now, when the user has Windows7, the PANAgent isn't able to identify the same user-IP.

Thanks for description of debugs,

Regards.

Re: Users failed to authenticate when they have Windows7 in their PCs...?

swhyte — Thu, 18 Mar 2010 16:35:51 GMT

Hello Fw-admin,

there should be no issues with users running windows7. How the user identification agent maps users to ips has more to do with active directory. The user identification agent actually reads the security logs from the domain controller/s.

The domain controller must log "successful login" information.

These are the event ids that pan-agent looks at:

2000 $ 2003

SUCCESS_NET_LOGON = 540,

AUTH_TICKET_GRANTED = 672,

SERVICE_TICKET_GRANTED = 673,

TICKET_GRANTED_RENEW = 674,

ACCOUNT_USED_FOR_LOGON = 680,

2008

LOGON_SUCCESS_W2008 = 4624,

AUTH_TICKET_GRANTED_W2008 = 4768,

TICKET_GRANTED_RENEW_W2008 = 4770,

ACCOUNT_USED_FOR_LOGON_W2008 = 4776,

Howver, if we you have the user identification agent configured to also use Netbios probe, then the user identification agent will also send out a probe to all of the machines in the subnet for the allow list that you configured on the user identification agent. Then the user to ip mapping can change based on the results from the netbios probe. If a machine does not respond to the netbios probe or if there was a networking issue that caused the netbios probe to not reach a machine, then that user will be identified as unknown. Desktop hosts may be unable to respond to probes, due to 3rd party security applications or use of Windows Vista....thus, it is possible that Windows7 may be blocking or netbios probes or simply not responding to them.

thanks