https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379103#M89547 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104430">@Chris_Johnston</a>,&nbsp;</P><P>I've tested it with only one group mapping profile but at the moment I have disabled the connectivity from the firewall to the useragent and the agent also normalizes the users.&nbsp;</P> Mon, 11 Jan 2021 21:10:04 GMT kan3de 2021-01-11T21:10:04Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/378972#M89529 <P>Hi together,&nbsp;</P><P>&nbsp;</P><P>I have here a Windows User Agent (tested with Version 9.1.1-8 &amp; 9.1.2-9), which has connected to one Active Directory (MS2012 R2) where they scan the events. The rights from the agent user looks good and they find many client users. But after a few seconds the usernames normalized&nbsp; here.&nbsp;</P><P>&nbsp;</P><P>Domain structure:&nbsp;</P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;company.domain.com&nbsp; &lt;- root domain with no users, such a few service accounts</P><P>departure.company.domain.com &lt;- sub domain with the users</P><P>&nbsp;</P><P>So when I enable the debug to verbose on the user-id agent, I see the following:&nbsp;</P><P>Event Log: <A href="mailto:UserA@lab.company.domain.com" target="_blank">UserA@lab.company.domain.com</A>&nbsp;is connected</P><P>NormalizeUser_n returns <A href="mailto:usera@lab.company.domain.com" target="_blank">usera@lab.company.domain.com</A></P><P>NormalizeUser returns <STRONG>lab\usera</STRONG></P><P>UserIpMap: IP(1.1.1.1) Username <A href="mailto:usera@lab.company.domain.com" target="_blank">usera@lab.company.domain.com</A>) queued for xmission to firewall</P><P>NormalizeUser returns <STRONG>lab\usera</STRONG></P><P>&nbsp;</P><P>And a few seconds later:&nbsp;</P><P>NormalizeUser_n reutrns <STRONG>company\usera</STRONG></P><P>UserIpMap: IP 1.1.1.1 login name gets changed from <A href="mailto:usera@lab.company.domain.com" target="_blank">usera@lab.company.domain.com</A>&nbsp;to <STRONG>company\usera</STRONG> with timeout 7200.&nbsp;</P><P>&nbsp;</P><P>After a few seconds later:&nbsp;</P><P>NormalizeUser_n returns <STRONG>lab\usera</STRONG></P><P>&nbsp;</P><P>And this ping pong we have the full day. At the moment the UserAgent is disabled on the firewall. Because we want to exclude that the group mapping from the ldap server is here a problem. Only the user lab\usera is in the group mapping/policies and a user customer\usera is not existend.&nbsp;</P><P>&nbsp;</P><P>Has anyone here a idea? What does the function&nbsp;NormalizeUser_n do?&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 11 Jan 2021 14:26:15 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/378972#M89529 kan3de 2021-01-11T14:26:15Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379062#M89539 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/106736">@kan3de</a>,</P> <P>But the user-id agent is installed and reading logs for both the root domain and the subdomain correct? When you actually go and read the logs, do you see the security events in both lab\user and company\user when the user authenticates? Somewhere along the way, somethings seeing the username in both domains.&nbsp;</P> <P>&nbsp;</P> <P>If you just quickly wanted to fix this you could use a wildcard entry in the ignore-user list. Forcing the firewall to ignore everything received with whatever format you don't want so that only the proper mapping is actually respected. So if you update the ignore-user list with a new entry for 'lab\*' for example, it'll ignore any user received from that domain.&nbsp;</P> Mon, 11 Jan 2021 18:33:05 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379062#M89539 BPry 2021-01-11T18:33:05Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379078#M89544 <P>How many group mapping profiles are present?&nbsp; We saw something similar in our environment where we had multiple group mapping profiles configured with different primary username attributes.&nbsp; Once the firewall refreshes the group mappings, the last 'primaryusername' will replace them and cause a mismatch</P><P>&nbsp;</P><P>Example:</P><P>Group Mapping Profile 1<BR />User/Group Attributes / Primary Username / 'UPN', secondary/email = samaccountname</P><P>Group include list 'admin users'</P><P><A href="mailto:userfirst.last@domain.com" target="_blank">userfirst.last@domain.com</A></P><P>userfirst.last2@domain.com</P><P>&nbsp;</P><P>Group Mapping Profile 2<BR />User/Group Attributes / Primary Username / 'samaccountname', secondary = UPN</P><P>Group include list 'domain users'</P><P>domain\flast</P><P>domain\flast2</P><P>&nbsp;</P><P>Once groupmapping profile '2' refreshed, the firewall would detect first.last as an attribute of domain\flast and replace the mapping.&nbsp; However, group mapping is a direct match...not an attribute match.</P> Mon, 11 Jan 2021 19:13:36 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379078#M89544 Chris_Johnston 2021-01-11T19:13:36Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379102#M89546 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>,&nbsp;</P><P>thanks for your response. At the moment I have only connected a node from the&nbsp;<A href="mailto:usera@lab.company.domain.com" target="_blank" rel="nofollow noopener noreferrer">lab.company.domain.com</A></P><P>So I think in the Event log, should be nothing from the root&nbsp;company.domain.com direct , but I'm not an AD guy.&nbsp;</P><P>The Service I use for my requests is a user from the root domain, maybe this is a problem.&nbsp;</P><P>&nbsp;</P><P>The method with the ignore file I've always tested and this works. But in the future we also want to see, the Service Users which are direct in the root.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 11 Jan 2021 21:07:36 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379102#M89546 kan3de 2021-01-11T21:07:36Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379103#M89547 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104430">@Chris_Johnston</a>,&nbsp;</P><P>I've tested it with only one group mapping profile but at the moment I have disabled the connectivity from the firewall to the useragent and the agent also normalizes the users.&nbsp;</P> Mon, 11 Jan 2021 21:10:04 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/379103#M89547 kan3de 2021-01-11T21:10:04Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/472427#M103209 <P>Did you ever happen to find a solution to this? I'm running into the same issue.</P> Fri, 11 Mar 2022 17:55:33 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/472427#M103209 TravisChaney 2022-03-11T17:55:33Z https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/472774#M103243 <P>We disabled in the UserID Agent the "Enable Server Session Read" and that was all.&nbsp;</P><P>&nbsp;</P> Mon, 14 Mar 2022 06:22:55 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-with-windows-user-id-agent-and-the-normalized-users/m-p/472774#M103243 kan3de 2022-03-14T06:22:55Z