User-ID Agent Setup Tips

User-ID Agent requirements:

• Must be running  Windows Server that is a member of the domain in question. Although User-ID Agent can be run directly on the AD server, it is not recommended.
• The service must be running as a domain account that has local administrator permissions on the User-ID Agent server.
• The service account must have permission to read the security log. In Windows 2008 and later domains, there is a built-in group, “Event Log Readers,” that provides sufficient rights for the agent. In earlier versions of Windows, the account must be given the “Audit and manage security log” user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations.
• If using WMI probes, the service account must have the rights to read the CIMV2 namespace on the client workstation. The User-ID agent account needs to be added to the "Remote Desktop Users". Domain admin has this by default.
• If using only one User-ID Agent, make sure it includes all domain controllers in the discover list.
• The domain controller (DC) must log “successful login” information.

The User-ID Agent monitors the domain controllers for the following events:

• Windows 2003
  • 672 (Authentication Ticket Granted, which occurs on the logon moment),
  • 673 (Service Ticket Granted)
  • 674 (Ticket Granted Renewed which may happen several times during the logon session)
• Windows 2008 or higher
  • 4768 (Authentication Ticket Granted)
  • 4769 (Service Ticket Granted)
  • 4770 (Ticket Granted Renewed)
  • 4624 (Logon Success)
• For account logon, the DC records event ID 4768 as the first logon for authentication ticket request.
• No relevant account log-off event is recorded.
• If NetBIOS probing is enabled, any connections to a file or print service on the Monitored Server list is also read by the agent. These connections provide updated user-to-IP mapping information to the agent. In all cases, the newer event for user mapping overwrites older events.
• If WMI probing is enabled, make sure the probing interval is set to a reasonable value for the amount of workstations it may need to query. For example, if there are 5,000 hosts to probe, do not set a probing interval of 10 minutes.  Both settings are under User Identification > Setup > Client Probing on the User-ID agent :

  

• In some cases the WMI probe will fail because the workstation may be running a local firewall or it may not be a member of the domain. If this happens, the mapping can be deleted once the cache timeout is exceeded, even though the workstation is up and passing traffic. To test, run the following command from the User-ID agent.
  • wmic /node:workstationIPaddress computersystem get username
  • It should return the user currently logged in to that computer.
  • Windows firewalls can be set using these commands locally on the workstation or server if remotely configuring the firewall is not possible:
    • For Windows XP/Windows Server 2003: 
      netsh firewall set service RemoteAdmin enable
    • For Windows Vista/Windows Server 2008 (note that command line should be executed in the elevated command prompt): 
      netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
  • If you are not confident the workstations will respond to WMI probes, set the user ID cache timeout to a higher value since the mapping will be dependent upon the users login events. In this case, if the cache timeout is exceeded after the initial login event, the mapping will be deleted even though the user is still logged in. This setting is under User Identification > Setup > Cache on the User ID agent:

    

• Confirm that all the domain controllers are in the list of servers to monitor.  If not, not all the User-to-IP mappings may be included since any domain controller can potentially authenticate the users.
• Confirm the Domain Controller list is accurate by running the following command from a domain controller:
  • dsquery server –o rdn (which prints a list of your DCs). Remove any DCs that no longer exist.
• Confirm that the User ID is enabled on the zone in where the traffic is sourced. This setting is under Network > Zones: