Mac OSx & UserID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Mac OSx & UserID

L1 Bithead

I have a question. Maybe someone has run across this.

I am using the server monitoring function of Palo

I realize that I can use the user-ID agent and set it to never forget the user mapping, but I am looking for a more accurate way of keeping this mapping.

We have mac's that authenticate to a win 2008 domain. Initially I get the user to ip mapping, after the Palo cache expires the mapping is lost. Mac's do not auto update the cache.

My windows machines work normally, The initial mapping is correct and if I use any network resources the user mapping gets updated in Palo.

Any idea's, suggestions, etc

-Joe

1 accepted solution

Accepted Solutions

If you access to a windows share (part of domain) for sure, you need authentication.

Try to ad your file server as server in the User-ID client.

I know that the user-ID is able to minotor AD / Exchnage / File server then try that.

V.

View solution in original post

5 REPLIES 5

L5 Sessionator

Hi,

When you are using windows machine in AD, you open a session and then after that, periodically, your session is renewed in the AD.

The palo is polling your security event and see, ever you new session and your renew then update is local cahe then you stay authenticated.

In Mac world, not sure but , you open a session in AD then generate event then be authen in the palo. After couple of minutes, maybe your Mac doon't ask for session renew then no event in the AD then your authenti expire in the palo.. If you try to access a network ressource, in background you are authenticate again in the domain then you are known by the palo.

To be sure, you can check the event in your AD:

Windows 2000/2003:

SUCCESS_NET_LOGON = 540,

AUTH_TICKET_GRANTED = 672,

SERVICE_TICKET_GRANTED = 673,

TICKET_GRANTED_RENEW = 674,

ACCOUNT_USED_FOR_LOGON = 680,

Windows 2008:

LOGON_SUCCESS_W2008 = 4624,

AUTH_TICKET_GRANTED_W2008 = 4768,

TICKET_GRANTED_RENEW_W2008 = 4770,

ACCOUNT_USED_FOR_LOGON_W2008 = 4776,

Hope help

V.

I agree that is whats happening, except when I use a network resource with the mac, it never creates a new security log.

The resource (mapped share, printer, etc) do work on the mac, but i do not see any security logs being renewed..

I did a custom filter on AD log for the mentioned ID events

-Joe

If you access to a windows share (part of domain) for sure, you need authentication.

Try to ad your file server as server in the User-ID client.

I know that the user-ID is able to minotor AD / Exchnage / File server then try that.

V.

L1 Bithead

Great idea, after an initial check this might just work. I was only monitoring my domain controllers. I do see more activity on the specific server for logon request coming from my mac.I will update this tomorrow.... Smiley Happy

Sorry about the delay int getting back to you Vince, been getting slammed here.

It looks like monitoring the servers did the trick. Thanks for the suggestion.

Cheers

-Joe

  • 1 accepted solution
  • 6081 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!