Problems with Windows User-ID Agent and the normalized Users

L1 Bithead


Hi all,

I have here a Windows User-ID Agent (tested with versions 9.1.1-8 and 9.1.2-9), which is connected to one Active Directory (MS 2012 R2) where it scans the events. The rights of the agent user look good and it finds many client users. But after a few seconds the usernames get normalized here.

Domain structure:

company.domain.com <- root domain with no users, just a few service accounts
departure.company.domain.com <- sub domain with the users

So when I enable the debug to verbose on the user-id agent, I see the following: 

Event Log: UserA@lab.company.domain.com is connected

NormalizeUser_n returns usera@lab.company.domain.com

NormalizeUser returns lab\usera

UserIpMap: IP(1.1.1.1) Username usera@lab.company.domain.com) queued for xmission to firewall

NormalizeUser returns lab\usera

 

And a few seconds later: 

NormalizeUser_n returns company\usera

UserIpMap: IP 1.1.1.1 login name gets changed from usera@lab.company.domain.com to company\usera with timeout 7200. 

 

A few seconds later:

NormalizeUser_n returns lab\usera

 

And we have this ping pong the whole day. At the moment the User-ID agent is disabled on the firewall, because we want to rule out that the group mapping from the LDAP server is the problem here. Only the user lab\usera is in the group mapping/policies, and a user customer\usera does not exist.

Has anyone here an idea? What does the function NormalizeUser_n do?

Thanks
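The ping pong in the debug output above can be spotted mechanically rather than by eye. The following is an added example, not code from the post or from the Palo Alto agent: it parses constructed lines modelled on the UserIpMap messages quoted in the thread and flags any IP whose mapped account keeps the same name but alternates between two domain forms, which is exactly the symptom described.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's UserIpMap messages (not a real agent log).
SAMPLE_LOG = """\
UserIpMap: IP(1.1.1.1) Username usera@lab.company.domain.com) queued for xmission to firewall
UserIpMap: IP 1.1.1.1 login name gets changed from usera@lab.company.domain.com to company\\usera with timeout 7200.
UserIpMap: IP 1.1.1.1 login name gets changed from company\\usera to lab\\usera with timeout 7200.
UserIpMap: IP 1.1.1.1 login name gets changed from lab\\usera to company\\usera with timeout 7200.
UserIpMap: IP(10.0.0.5) Username userb@lab.company.domain.com) queued for xmission to firewall
"""

QUEUED = re.compile(r"UserIpMap: IP\((?P<ip>[\d.]+)\) Username (?P<user>\S+?)\)? queued")
CHANGED = re.compile(r"UserIpMap: IP (?P<ip>[\d.]+) login name gets changed from \S+ to (?P<new>\S+) with timeout (?P<timeout>\d+)")


def split_identity(name):
    """Return (short domain, account) in lowercase for 'dom\\user' or 'user@fqdn' forms."""
    name = name.lower()
    if "\\" in name:
        dom, acct = name.split("\\", 1)
        return dom, acct
    if "@" in name:
        acct, fqdn = name.split("@", 1)
        return fqdn.split(".")[0], acct  # 'lab.company.domain.com' -> 'lab'
    return "", name


def mapping_history(log_text):
    """Per-IP sequence of identities the agent assigned, in log order."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        m = QUEUED.search(line) or CHANGED.search(line)
        if m:
            raw = m.groupdict().get("user") or m.groupdict().get("new")
            history[m["ip"]].append(split_identity(raw))
    return dict(history)


def find_flapping(log_text, min_changes=2):
    """IPs whose mapped account name stays the same while the domain keeps alternating."""
    flapping = {}
    for ip, seq in mapping_history(log_text).items():
        changes = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
        accounts = {acct for _, acct in seq}
        domains = sorted({dom for dom, _ in seq})
        if changes >= min_changes and len(accounts) == 1 and len(domains) > 1:
            flapping[ip] = (accounts.pop(), domains, changes)
    return flapping
```

Run `find_flapping` over the agent's verbose debug log; an IP that comes back with two domains for one account is a candidate for the ignore-user workaround or for checking which domain controller each event really came from.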

Cyber Elite

@kan3de,

But the User-ID agent is installed and reading logs for both the root domain and the subdomain, correct? When you actually go and read the logs, do you see the security events for both lab\user and company\user when the user authenticates? Somewhere along the way, something's seeing the username in both domains.

 

If you just quickly wanted to fix this, you could use a wildcard entry in the ignore-user list, forcing the firewall to ignore everything received in whatever format you don't want so that only the proper mapping is actually respected. So if you update the ignore-user list with a new entry for 'lab\*', for example, it'll ignore any user received from that domain.

L1 Bithead

How many group mapping profiles are present?  We saw something similar in our environment where we had multiple group mapping profiles configured with different primary username attributes.  Once the firewall refreshes the group mappings, the last 'primaryusername' will replace them and cause a mismatch

 

Example:

Group Mapping Profile 1
User/Group Attributes / Primary Username / 'UPN', secondary/email = samaccountname

Group include list 'admin users'

userfirst.last@domain.com

userfirst.last2@domain.com

 

Group Mapping Profile 2
User/Group Attributes / Primary Username / 'samaccountname', secondary = UPN

Group include list 'domain users'

domain\flast

domain\flast2

 

Once groupmapping profile '2' refreshed, the firewall would detect first.last as an attribute of domain\flast and replace the mapping.  However, group mapping is a direct match...not an attribute match.

L1 Bithead

Hi @BPry,

thanks for your response. At the moment I have only connected a node from lab.company.domain.com.

So I think there should be nothing from the root company.domain.com directly in the event log, but I'm not an AD guy.

The service account I use for my requests is a user from the root domain; maybe this is a problem.

The method with the ignore file I've always tested, and this works. But in the future we also want to see the service users which are directly in the root.

L1 Bithead

Hi @Chris_Johnston

I've tested it with only one group mapping profile but at the moment I have disabled the connectivity from the firewall to the useragent and the agent also normalizes the users. 
