01-11-2021 06:26 AM
Hi all,
I have a Windows User-ID Agent here (tested with versions 9.1.1-8 and 9.1.2-9) which is connected to one Active Directory (MS 2012 R2), where it scans the events. The rights of the agent user look good and it finds many client users. But after a few seconds the usernames get normalized here.
Domain structure:
company.domain.com <- root domain with no users, only a few service accounts
departure.company.domain.com <- sub domain with the users
So when I set the debug level to verbose on the User-ID agent, I see the following:
Event Log: UserA@lab.company.domain.com is connected
NormalizeUser_n returns usera@lab.company.domain.com
NormalizeUser returns lab\usera
UserIpMap: IP(1.1.1.1) Username usera@lab.company.domain.com) queued for xmission to firewall
NormalizeUser returns lab\usera
And a few seconds later:
NormalizeUser_n returns company\usera
UserIpMap: IP 1.1.1.1 login name gets changed from usera@lab.company.domain.com to company\usera with timeout 7200.
A few seconds after that:
NormalizeUser_n returns lab\usera
And we have this ping-pong the whole day. At the moment the User-ID agent is disabled on the firewall, because we want to rule out that the group mapping from the LDAP server is the problem here. Only the user lab\usera is in the group mapping/policies, and a user customer\usera does not exist.
Does anyone here have an idea? What does the function NormalizeUser_n do?
Thanks
01-11-2021 10:33 AM
But the User-ID agent is installed and reading logs for both the root domain and the subdomain, correct? When you actually go and read the logs, do you see security events for both lab\user and company\user when the user authenticates? Somewhere along the way, something is seeing the username in both domains.
If you just want to fix this quickly, you could use a wildcard entry in the ignore-user list, forcing the firewall to ignore everything received in whatever format you don't want, so that only the proper mapping is actually respected. So if you update the ignore-user list with a new entry for 'lab\*', for example, it will ignore any user received from that domain.
01-11-2021 11:13 AM
How many group mapping profiles are present? We saw something similar in our environment, where we had multiple group mapping profiles configured with different primary username attributes. Once the firewall refreshes the group mappings, the last 'primary username' replaces them and causes a mismatch.
Example:
Group Mapping Profile 1
User/Group Attributes / Primary Username / 'UPN', secondary/email = samaccountname
Group include list 'admin users'
userfirst.last2@domain.com
Group Mapping Profile 2
User/Group Attributes / Primary Username / 'samaccountname', secondary = UPN
Group include list 'domain users'
domain\flast
domain\flast2
Once group mapping profile '2' refreshed, the firewall would detect first.last as an attribute of domain\flast and replace the mapping. However, group mapping is a direct match, not an attribute match.
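To make the two points in this thread concrete (the username ping-pong in the agent log, the wildcard ignore-user list suggested above, and the fact that group mapping is a direct string match), here is an added example in Python. It is not code from the thread or from Palo Alto Networks. The log text is a constructed sample modelled on the lines quoted in the original post (the last "login name gets changed" line is an assumed continuation of the ping-pong), the group mapping table is hypothetical, and the wildcard matching is shell-style fnmatch, which is an assumption about how the real ignore list matches.

```python
import fnmatch
import re

# Constructed sample of User-ID agent verbose log lines, modelled on the
# format quoted in the original post. The final "login name gets changed"
# line is an assumed continuation of the ping-pong the poster describes.
SAMPLE_LOG = r"""
Event Log: UserA@lab.company.domain.com is connected
NormalizeUser_n returns usera@lab.company.domain.com
NormalizeUser returns lab\usera
UserIpMap: IP(1.1.1.1) Username usera@lab.company.domain.com) queued for xmission to firewall
NormalizeUser_n returns company\usera
UserIpMap: IP 1.1.1.1 login name gets changed from usera@lab.company.domain.com to company\usera with timeout 7200.
NormalizeUser_n returns lab\usera
UserIpMap: IP 1.1.1.1 login name gets changed from company\usera to lab\usera with timeout 7200.
"""

# Two line shapes seen in the quoted log: the initial "queued" mapping and
# the later "login name gets changed" updates.
QUEUED_RE = re.compile(
    r"UserIpMap: IP\((?P<ip>[\d.]+)\) Username (?P<user>[^\s)]+)\)? queued")
CHANGED_RE = re.compile(
    r"UserIpMap: IP (?P<ip>[\d.]+) login name gets changed from (?P<old>\S+) "
    r"to (?P<new>\S+) with timeout (?P<timeout>\d+)")

# Hypothetical group mapping table: like the poster's setup, only lab\usera
# is known, and matching is a direct string comparison.
GROUP_MAPPING = {r"lab\usera": ["lab-vpn-users"]}


def is_ignored(user, ignore_patterns):
    """Shell-style wildcard match against an ignore list (assumption: the
    agent/firewall's real ignore-user matching may differ in detail)."""
    return any(fnmatch.fnmatchcase(user.lower(), p.lower()) for p in ignore_patterns)


def replay_user_ip_map(log_text, ignore_patterns=()):
    """Walk the agent log, drop updates that hit the ignore list, and return
    (final ip->user map, accepted updates in order, dropped updates)."""
    ip_map, history, dropped = {}, [], []
    for line in log_text.splitlines():
        m = QUEUED_RE.search(line) or CHANGED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        user = m.group("user") if "user" in m.groupdict() else m.group("new")
        if is_ignored(user, ignore_patterns):
            dropped.append((ip, user))
            continue
        ip_map[ip] = user
        history.append((ip, user))
    return ip_map, history, dropped


def flap_count(history):
    """How many times an IP's username changed after its first mapping."""
    seen, flaps = {}, 0
    for ip, user in history:
        if ip in seen and seen[ip] != user:
            flaps += 1
        seen[ip] = user
    return flaps


def groups_for(user):
    """Direct, case-insensitive match only, as group mapping behaves per the thread."""
    for name, groups in GROUP_MAPPING.items():
        if name.lower() == user.lower():
            return groups
    return []


if __name__ == "__main__":
    ip_map, history, dropped = replay_user_ip_map(SAMPLE_LOG)
    print("without ignore list:", history, "flaps:", flap_count(history))
    for ip, user in history:
        # company\usera never matches the policy's lab\usera entry
        print(f"  {ip} -> {user}: groups {groups_for(user)}")
    ip_map, history, dropped = replay_user_ip_map(SAMPLE_LOG, ignore_patterns=[r"company\*"])
    print("with ignore list:", history, "dropped:", dropped, "flaps:", flap_count(history))
```

Run as-is: without an ignore list the one IP flips twice and the company\usera interval matches no group; with `company\*` ignored, that update is dropped and the mapping settles on lab\usera. Note the pattern here ignores the root-domain format, which is the opposite of the 'lab\*' suggestion above, because in the poster's case the subdomain format is the one their policies contain.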
01-11-2021 01:07 PM
Hi @BPry,
Thanks for your response. At the moment I have only connected a node from lab.company.domain.com.
So I think there should be nothing directly from the root company.domain.com in the event log, but I'm not an AD guy.
The service account I use for my requests is a user from the root domain; maybe this is a problem.
I have already tested the ignore-file method, and it works. But in the future we also want to see the service users that are directly in the root domain.
01-11-2021 01:10 PM
Hi @Chris_Johnston,
I've tested it with only one group mapping profile, but at the moment I have disabled the connectivity from the firewall to the User-ID agent, and the agent still normalizes the users.
03-11-2022 09:55 AM
Did you ever happen to find a solution to this? I'm running into the same issue.
03-13-2022 11:22 PM
We disabled "Enable Server Session Read" in the User-ID agent, and that was all.