topic Re: User-ID sometimes missing ntlmdomain\ on the firewall in General Topics

User-ID sometimes missing ntlmdomain\ on the firewall

Dpeters1 — Fri, 11 Apr 2014 11:38:59 GMT

Hi,

I've recently seen this a couple of times on completely separate firewalls / AD infrastructures (a 2050 cluster and a 3020 cluster, both running 5.0.8). User ID is setup and working fine along with LDAP group mapping

However on the odd occasion users report applications or URL categories blocked that should be allowed. It often "goes away" again soon.

I spotted in the URL and Traffic logs, the user is (for short periods) identified just as USERNAME, rather than DOMAIN\USERNAME...

This of course does not match rules with usernames specified in them.

Any ideas why it may drop the domain name occasionally?

Thanks

Dave

Re: User-ID sometimes missing ntlmdomain\ on the firewall

dpalani — Fri, 11 Apr 2014 17:52:10 GMT

Dave,

This could be a known issue. Fixed 5.0.7, bug id 52383.

PAN-OS 5.0.7: Addressed Issues

5.0.7 has software buffer issues and hence upgrade to this version is not recommended, 5.0.10 is a stable version comparatively.

HTH

Deepak

Re: User-ID sometimes missing ntlmdomain\ on the firewall

sjamaluddin — Sat, 12 Apr 2014 22:37:32 GMT

Do you know if those PCs from where the usernames appear without the domain are perhaps running some sort of service in the background that is only associated with the username (and is missing the domain). Do you see logon event on the AD / DC security events with just the username? What is the user-ip-mapping on the UserID agent when you see the logs on the firewall show only the username?

Re: User-ID sometimes missing ntlmdomain\ on the firewall

Dpeters1 — Wed, 16 Apr 2014 10:32:35 GMT

Thanks for that... I might be reading it wrong but doesn't it say that was addresses/fixed in 5.0.7 ?

Unless it wasn't rolled into 5.0.8 for some reason...

Does look very similar though. I'll give a later build of 5.0.x a whirl today and see what happens!

Re: User-ID sometimes missing ntlmdomain\ on the firewall

Dpeters1 — Wed, 16 Apr 2014 10:46:31 GMT

Found this..

53258—Authenticating access to a file share folder hosted outside of the Active Directory domain was causing the firewall to change the User-IP Mapping to the username and password used to authenticate to the file share folder hosted outside of the Active Directory domain, instead of the Active Directory username and password.

Resolved in 5.0.11

So I'll be giving that a try!

Re: User-ID sometimes missing ntlmdomain\ on the firewall

dpalani — Wed, 16 Apr 2014 15:40:54 GMT

The fix in 5.0.7 is good for the succeeding maintenance release too, my recommendation of not moving to 5.0.7 is due to a software pool depletion issue that you might run into 5.0.7.

HTH

Re: User-ID sometimes missing ntlmdomain\ on the firewall

dmaynard — Thu, 22 May 2014 04:11:40 GMT

Is this a multi domain environment and do you have server session read enabled?

For multiple domain environments the data gathered from open sessions may not be accurate. This method does not deliver domain data with the user name and it is assumed that the user is a member of the domain that the monitored server is part of.