https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46375#M34097 <HTML><HEAD></HEAD><BODY><P>Bit of a 'how long is a piece of string question' I'm afraid, so many factors!</P><P></P><P>However - hopefully a bit more useful - one issue I found that could result in mapped users being 'lost' was enabling the 'Server Session' tracking in the agent.&nbsp; Not sure why specifically, but if this check returns a user mapping that does *not* tally with the currently mapped users the agent 'resets' the node so it doesn't have either account associated.</P><P></P><P>The next time some device activity raises an AD event entry the user account is rermapped, but this does cause periods where no user is known for the device, which sounds like it could be what you're seeing?</P><P></P><P>Try playing with the timeouts, settings etc; or enable transparent NTLM auth for that source IP so it will perform an interactive authentication as that way it will force a background authentication when the kiosk machine connects to the web and should block it.</P></BODY></HTML> Tue, 22 May 2012 17:17:41 GMT apackard 2012-05-22T17:17:41Z https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46374#M34096 <HTML><HEAD></HEAD><BODY><P>We have an AD account for which we restrict all Internet access via a user-based security rule. The account is an auto-logon account for certain kiosk-type machines in our environment. I'm finding that the username being used on the machine is not always recognized by PA, and as a result Internet traffic is being allowed. There are other times when it recognizes that account and properly blocks Internet access.</P><P></P><P>Does anyone know why there are times that the username is not known to PA, and is there anything I can do to fix that?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 22 May 2012 15:24:49 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46374#M34096 kmurphy6 2012-05-22T15:24:49Z https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46375#M34097 <HTML><HEAD></HEAD><BODY><P>Bit of a 'how long is a piece of string question' I'm afraid, so many factors!</P><P></P><P>However - hopefully a bit more useful - one issue I found that could result in mapped users being 'lost' was enabling the 'Server Session' tracking in the agent.&nbsp; Not sure why specifically, but if this check returns a user mapping that does *not* tally with the currently mapped users the agent 'resets' the node so it doesn't have either account associated.</P><P></P><P>The next time some device activity raises an AD event entry the user account is rermapped, but this does cause periods where no user is known for the device, which sounds like it could be what you're seeing?</P><P></P><P>Try playing with the timeouts, settings etc; or enable transparent NTLM auth for that source IP so it will perform an interactive authentication as that way it will force a background authentication when the kiosk machine connects to the web and should block it.</P></BODY></HTML> Tue, 22 May 2012 17:17:41 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46375#M34097 apackard 2012-05-22T17:17:41Z https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46376#M34098 <HTML><HEAD></HEAD><BODY><P>Thanks very much! I'll look into those suggestions....</P></BODY></HTML> Tue, 22 May 2012 17:37:15 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46376#M34098 kmurphy6 2012-05-22T17:37:15Z https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46377#M34099 <HTML><HEAD></HEAD><BODY><P>Also enabling WMI and disable NETBIOS seems to be recommended (given that your clients provides a WMI interface for the server running your userid agent).</P></BODY></HTML> Wed, 23 May 2012 06:28:14 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identifcation-gaps/m-p/46377#M34099 mikand 2012-05-23T06:28:14Z