I have here a Windows User Agent (tested with Version 9.1.1-8 & 9.1.2-9), which has connected to one Active Directory (MS2012 R2) where they scan the events. The rights from the agent user looks good and they find many client users. But after a few seconds the usernames normalized here.
company.domain.com <- root domain with no users, such a few service accounts
departure.company.domain.com <- sub domain with the users
So when I enable the debug to verbose on the user-id agent, I see the following:
Event Log: UserA@lab.company.domain.com is connected
NormalizeUser_n returns firstname.lastname@example.org
NormalizeUser returns lab\usera
UserIpMap: IP(220.127.116.11) Username email@example.com) queued for xmission to firewall
NormalizeUser returns lab\usera
And a few seconds later:
NormalizeUser_n reutrns company\usera
UserIpMap: IP 18.104.22.168 login name gets changed from firstname.lastname@example.org to company\usera with timeout 7200.
After a few seconds later:
NormalizeUser_n returns lab\usera
And this ping pong we have the full day. At the moment the UserAgent is disabled on the firewall. Because we want to exclude that the group mapping from the ldap server is here a problem. Only the user lab\usera is in the group mapping/policies and a user customer\usera is not existend.
Has anyone here a idea? What does the function NormalizeUser_n do?
But the user-id agent is installed and reading logs for both the root domain and the subdomain correct? When you actually go and read the logs, do you see the security events in both lab\user and company\user when the user authenticates? Somewhere along the way, somethings seeing the username in both domains.
If you just quickly wanted to fix this you could use a wildcard entry in the ignore-user list. Forcing the firewall to ignore everything received with whatever format you don't want so that only the proper mapping is actually respected. So if you update the ignore-user list with a new entry for 'lab\*' for example, it'll ignore any user received from that domain.
How many group mapping profiles are present? We saw something similar in our environment where we had multiple group mapping profiles configured with different primary username attributes. Once the firewall refreshes the group mappings, the last 'primaryusername' will replace them and cause a mismatch
Group Mapping Profile 1
User/Group Attributes / Primary Username / 'UPN', secondary/email = samaccountname
Group include list 'admin users'
Group Mapping Profile 2
User/Group Attributes / Primary Username / 'samaccountname', secondary = UPN
Group include list 'domain users'
Once groupmapping profile '2' refreshed, the firewall would detect first.last as an attribute of domain\flast and replace the mapping. However, group mapping is a direct match...not an attribute match.
thanks for your response. At the moment I have only connected a node from the lab.company.domain.com
So I think in the Event log, should be nothing from the root company.domain.com direct , but I'm not an AD guy.
The Service I use for my requests is a user from the root domain, maybe this is a problem.
The method with the ignore file I've always tested and this works. But in the future we also want to see, the Service Users which are direct in the root.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!