topic Re: User-ID two usernames being identified by User-ID servers in General Topics

User-ID two usernames being identified by User-ID servers

DanielBostock — Wed, 26 Feb 2020 05:32:00 GMT

Hi,

I am having troubles with getting the Palo's in my network to only use the UPN of a user in our environment. I would like to start creating security policies to control staff members access to resources based on their AD user rather than IP address and then further to that leverage groups. Long term of course the idea is to leverage AD groups to control access to resources, however I need to prove that this will work on individual users first.

It is not working currently because what I am seeing in the monitor logs is either domain\user.name or user.name@domain.local and because of this whenever I make a security policy sometimes it works for the end user and then the next moment it doesn't work. It will work 100% of the time if I update the policy to domain\user.name and user.name@domain.local . This of course is not practical and scalable.

Currently we are using 2 Palo Alto Windows Server Agents to get the access data from our AD servers. Palo Alto monitor logs are reporting back connected and the User-ID log shows the source as being either of these servers.

Here is some screenshots of our current configuration for the user & group mapping.

Are there additional settings, or things I need to be doing to resolve this and either only match on domain\user.name or user.name@domain.local

Thanks.

Re: User-ID two usernames being identified by User-ID servers

reaper — Wed, 26 Feb 2020 07:17:12 GMT

if you want everything to be UPN, you'll need to set userPrincipalName in the User Object Search Filter, and in the primary Username, or set sAMAccountName in both

Re: User-ID two usernames being identified by User-ID servers

DanielBostock — Wed, 26 Feb 2020 23:46:56 GMT

@reaper - Thanks for your assistance here. I have updated the settings to match this but I am still seeing the duplicate username in the monitor traffic log and user-id log. Is this still expected? If this is expected and normal, I will do some policy testing just using the UPN.

Thanks.

Re: User-ID two usernames being identified by User-ID servers

kgopichand — Sun, 01 Mar 2020 03:05:58 GMT

@DanielBostock

Just wondering if this document would help.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpsCAC

Kavi

Re: User-ID two usernames being identified by User-ID servers

DanielBostock — Mon, 02 Mar 2020 03:58:12 GMT

@kgopichand- Thanks for sharing this post but I have already followed this guide and it sadly did not fix the issue.

Thanks,

Re: User-ID two usernames being identified by User-ID servers

kgopichand — Mon, 02 Mar 2020 17:32:06 GMT

@DanielBostock

Regards

Kavi

Re: User-ID two usernames being identified by User-ID servers

DanielBostock — Tue, 03 Mar 2020 01:24:50 GMT

@kgopichand- Thanks for helping here Kavi appreciate it.

I would prefer to use UPN. Is this possible or for the sake of testing and working out the issue would you prefer I stick with SAM?

I adjusted my configuration to the following.

When I run the command you have suggested, I get a blank response. So maybe I am missing a configuration step somewhere?

Thanks,

Re: User-ID two usernames being identified by User-ID servers

Mick_Ball — Tue, 03 Mar 2020 12:35:46 GMT

@DanielBostock

are your user-id servers the only source of user-id... check the user-id server monitor tab to see what it is forwarding to the palo.

Edit--- check the user-id log to see where the source is for the different user ID's.

if you have more than 1 user-id source (perhaps CP or GP) then increase your user-id agent timeout to 8-12 hours because it may be that the user ID agent timeout is too soon and other auth sources are remaining.

you can also exclude the domain part of usernames in the local user id agent setup but cannot see if this can be done with the server agents.

Re: User-ID two usernames being identified by User-ID servers

panwreaper — Tue, 03 Mar 2020 13:30:03 GMT

ust to be sure, your 'user domain' is set to the NetBIOS name, right? (domain, not domain.com)

Re: User-ID two usernames being identified by User-ID servers

DanielBostock — Mon, 09 Mar 2020 02:47:38 GMT

@Mick_Ball

Correct the user-id servers are the only source currently. I can confirm this when I review the User-ID monitor tab as you suggested. Further to this I can see both versions of the username coming through on both servers in the same moment.

As in user.name@domain.local & domain\user.name exist in a log entry at the same time. The second User-ID server also records both of these duplicate usernames and does so with a Palo User-ID Monitor tab entry 1 second apart from the first server, or sometimes the other way around.

It seems the User-ID servers are determined to give the Pan-OS bother UPN and SAM.

We have not rolled out GP yet, and it is something that I am thinking from an Internal Gateway perspective to overcome the User-ID issues. However that's a bigger project as we would need to deprecate our current client to site vpn solution.

I cannot see in the User-ID agent server a way to filter either, potentially it may be worthwhile for testing not using the User-ID agent servers?

Re: User-ID two usernames being identified by User-ID servers

DanielBostock — Mon, 09 Mar 2020 02:49:35 GMT

@panwreaper - Correct, it is set to NetBIOS. I have set the domain to 'domain' not 'domain.local'

Thanks,

Re: User-ID two usernames being identified by User-ID servers

reaper — Mon, 09 Mar 2020 06:11:27 GMT

The userid agent is supposed to simply pick up logs

Is it possible that it is either reading 2 different sources, or the eventlog is getting populated by 2 processes that write the username differently?

One workaround would be to set up thebignire_user_list.txt and exclude either domain\* or *@domain, but it would be better if you figure out why the userid agent is seeing both and suppress one source

Re: User-ID two usernames being identified by User-ID servers

DanielBostock — Mon, 09 Mar 2020 06:17:35 GMT

@reaper

I think there is something to what you are saying, however I will look into it tomorrow with a colleague. I have deployed User-ID in other environments before and not had this issue, there is something peculiar with this AD setup I am thinking.

The ignore text file which you meantion here, I have not seen a guide mention it, apologies if I have missed this though. Is this a file that should exist on the User-ID agent servers?

Thanks,

Re: User-ID two usernames being identified by User-ID servers

reaper — Mon, 09 Mar 2020 06:22:15 GMT

The file doesn't exist, you need to create it

This is a bit of tribal knowledge 😉 but it's described here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClklCAC

Re: User-ID two usernames being identified by User-ID servers

DanielBostock — Mon, 09 Mar 2020 07:20:34 GMT

@reaper

Hey mate, looks like this has really started to filter out the @domain SAM log entries. I will let this run over night and for some of the day tomorrow then begin testing some rules to see how it goes now with this filter and then let you know if this has solved it.

Really appreciate the help!

Thanks,

Re: User-ID two usernames being identified by User-ID servers

Remko — Thu, 01 Dec 2022 15:12:04 GMT

I bumped into this discussion and I believe I have an additional challange 😀

In our case the UPN and samAccountName are not the same. The samAccountName is the employee number. In the example below this is user1234

The user recognition works flawless on for example VPN connections and when I look at the group mappings it only shows UPN names.

Also when creating policies I can choose the user principal name.

The user data is fetched via Active Directory-WinRM

Looking at the "User-ID" logs it shows that the client (computer) provides the username.

In this case it is domain\sAMAccountName

I would guess that a user has logged onto with his employee number.

This is also shown in the Traffic Logs.

But there does not appear to be a match between short-domain\sAMAcountName and the UPN.

There is a match on FQDN-DomainName\sAMAccountName

Most likely I need to find the solution to this problem in the alternate UserName fields.

Any idea what needs to be set to find the correct match.

Example username

UPN : john.doe@acme.com

acme.com\user1234

acme.com\john.doe

needed:

ac\user1234

where ac is the short domain name instead of the FQDN

Any thoughts are most welcome.

Re: User-ID two usernames being identified by User-ID servers

Remko — Thu, 08 Dec 2022 11:56:43 GMT

Above problem has been resolved by changing the Domain Settings in the Group Mapping to the "Short" domain name instead of the FQDN

Users are now correctly identified.

Re: User-ID two usernames being identified by User-ID servers

carolwu — Thu, 23 Oct 2025 08:59:29 GMT

Hi,

I'm also facing the same problem, how did you solve it in the end?

Thanks,

Carol