topic Re: user id not identifying user correctly in General Topics

user id not identifying user correctly

DavidBleek — Mon, 06 Aug 2018 10:27:58 GMT

Hi All,

In the middle of a domain migration and users that have been migrated are not being identified correctly. The user that is logged into the new domain gets a blocked message but on the blocked message where it displays the username it shows their old domain \ username. (username being correct and the domain being the old one).

I have the user id agent running on both domains but user id is not listing the user correctly.

The users account for the rest of the network is working correctly.

Has anyone else come across this?

Re: user id not identifying user correctly

Mick_Ball — Mon, 06 Aug 2018 11:04:34 GMT

if you enter in CLI

show user group name "fqdn of your AD group from new domain"

can you see all the users listed.

Re: user id not identifying user correctly

Mick_Ball — Mon, 06 Aug 2018 11:19:02 GMT

also...

what is the ip mapping timeout set to on the agent.

if this time has elapsed then there should be no record of this user on the old domain mapping.

if it is being renewed then perhaps something on the users device is still auth'ing to the old domain.

Re: user id not identifying user correctly

Remo — Mon, 06 Aug 2018 11:24:58 GMT

@DavidBleek

I assume you have a two-way trust between the domains? And the computers, are these also migrated or only the useraccounts?

Re: user id not identifying user correctly

DavidBleek — Mon, 06 Aug 2018 12:17:23 GMT

yes its a 2 way trust, only user accounts have been migrated

Re: user id not identifying user correctly

DavidBleek — Mon, 06 Aug 2018 12:21:12 GMT

@Mick_Ball probing is set to 20 mins.

if I turn off "enable Session" from the user mapping user id agent set up tab under devive-iser identification then the user displays correctly but we now get a TLS error for all users so had to turn it back on.

Re: user id not identifying user correctly

Remo — Mon, 06 Aug 2018 15:24:15 GMT

@DavidBleek

Are all users allready migrated or are they migrated slowly over time? Do you use Microsoft Exchange and if yes, do you have these also configured as source in your User-ID Agent configuration?

Re: user id not identifying user correctly

DavidBleek — Tue, 07 Aug 2018 08:06:49 GMT

@Remo They are being migrated slowly. We use office 365

Re: user id not identifying user correctly

Mick_Ball — Tue, 07 Aug 2018 08:50:26 GMT

would it not work if you added the migrated users (now and as you migrate them) to a user exclude list on the agent pointing to the old domain.

Re: user id not identifying user correctly

Remo — Tue, 07 Aug 2018 09:02:15 GMT

Hi @DavidBleek

Unfortunetely in this case I cannot really help. I had the same problem. We are also in a domain migration where users get new computers which are joined to the new domain but the users were not migrated at the same time they receive the new computer. In my case we don't even have User-ID but the users show up anyway with "olddomain\user" AND "newdomain\user".

As soon as the users are migrated and so user and comouter are in the new domain, the problem was gone. Adding exchangeservers would also help in your case, but I undersand that this could be difficult with O365 (unless you have exchange on premise). Maybe @Mick_Ball has a good idea to solve this, but my recommendation is: Use as much User-ID sources as possible where you get the mapping from the new domain (Global Protect internal gateway, Captive portal with Kerberos/SAML single sign on, ...). This way the mapping from the old domain should be overriden as fast as possible (like the situation you have with server session read).