I am having issues with getting the user-mappings after configuring the PAN as an agentless user-id with an AD. I have followed all the steps in this document
All are good except that when I run the CLI command > show user ip-user-mapping all
Solved! Go to Solution.
Check whether service account created for pulling user-ip mapping has rights for 'Manage auditing and security log' policy and 'DCOM: Machine launch restriction.' policy.
You can find 'Manage auditing and security log' policy under 'User Rights Assignment' in Group policy management and 'DCOM: Machine Launch restriction...' policy under 'Security options' in same group policy management for DC.
No, Ldap server is configuration is required to pull user-group mappings, not in this case. If you're sure about the service account privileges(Be sure the user is part of the Distributed COM Users, Server Operators and Event Log Readers groups.), can you ensure the status of the AD shows up as 'Connected' on the firewall?
You can run the following command to check the statistics as well-
> show user server-monitor state all
> show user server-monitor statistics
Also, please ensure the firewall is connected to all the DC's the users are logging on to. User-ip-mappings are retrieved by the firewall by reading successful logon events from the security logs on DC. You can run 'set l' on the windows command prompt and that will show the DC user is logging onto. If all this is in place, looking at the userid debug logs should help.
> debug user-id on debug
> debug user-id set userid servermonitor
> debug user-id set userid basic
> debug user-id log-ip-user-mapping yes
> tail follow yes mp-log useridd.log
To turn these off-
> debug user-id log-ip-user-mapping no
> debug user-id unset all
>debug user-id on info
This will be a helpful document for you:
Hope that helps,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!