topic Re: User-ID Agent Windows 2003 logon events in General Topics

User-ID Agent Windows 2003 logon events

errevisystem — Wed, 28 Oct 2015 12:19:37 GMT

Hi all,

I sometimes have a really hard life mapping domain users with old Windows 2003 forests using UID Agent (no matter if version 6 or 7))

I'll try to explain: when and only when using UID Agent I cannot read all users logon events or, worse, I can't read users at all, ending up having not all domain users transparently mapped and issues with captive portal showing up to not yet mapped users.

It's been a while that I use a simple workaround, that is to say replacing the UID Agent with the old PANAgent...

I know this is absurd, but PANAgent can always read all users, the problem is that the doc states it's no more supported starting from PanOS 6.0 (though it appears to be still working with 7.0 too...). So far I'm convinced that this must not be related to the audit policies on the domain controllers.

According to the docs these are the Windows event logs the UID tries to lookup

Windows 2000 - 2003
    SUCCESS_NET_LOGON = 540
    AUTH_TICKET_GRANTED = 672
    SERVICE_TICKET_GRANTED = 673
    TICKET_GRANTED_RENEW = 674
    ACCOUNT_USED_FOR_LOGON = 680

Windows 2008
    LOGON_SUCCESS_W2008 = 4624
    AUTH_TICKET_GRANTED_W2008 = 4768
    SERVICE_TICKET_GRANTED = 4769
    TICKET_GRANTED_RENEW_W2008 = 4770
    ACCOUNT_USED_FOR_LOGON_W2008 = 4776

Anybody having similar issues?

Of course I don't like keep on using PANAgent, but if it can map all users, UID must be able too.

Re: User-ID Agent Windows 2003 logon events

Brandon_Wertz — Wed, 28 Oct 2015 13:04:57 GMT

I'm kind of confused...

Your issue is that in your enviornment UIA isn't always providing user attribution for users logged into your domain?

And you're saying that the CP process isn't fully identifying the remaining users that have not been idenfited?

Re: User-ID Agent Windows 2003 logon events

Raido_Rattameister — Wed, 28 Oct 2015 13:50:02 GMT

Do you have only "Read Security Log" checked or "Read Session" aswell under user identification?

First contains only logon events, other access to file servers and network printing aswell.

Re: User-ID Agent Windows 2003 logon events

errevisystem — Wed, 28 Oct 2015 22:24:09 GMT

Yes UIA isn't always able to read windows logon events, while the old PANAgent is.

Please note that I have sometimes this issue with very old windows domains.

As for the CP, when and if it's configured as a "complementary" id mechanism with respect to trasparent user-id by the UIA, it bothers users because trasparent id fails. Just to stay on topic, please forget about CP, I have problems with UIA AND with old domains only.

Re: User-ID Agent Windows 2003 logon events

errevisystem — Wed, 28 Oct 2015 22:28:59 GMT

And yes, of course I have the "Enable Security Log Monitor" option flagged.

PANAgent in the very same W2003 domains and with the very same domain controllers always reads all logon events...

it's about since I've started working with PaloAlto (3 years ago) that I sometimes experience this strange behaviour and really can't understand why I have to rollback to PANagent.