User-ID Agent Windows 2003 logon events


L2 Linker

Hi all,

I sometimes have a really hard life mapping domain users with old Windows 2003 forests using the UID Agent (no matter if version 6 or 7).

I'll try to explain: when and only when using the UID Agent I cannot read all users' logon events or, worse, I can't read users at all, ending up with not all domain users transparently mapped and issues with the captive portal showing up for not yet mapped users.

For a while now I have been using a simple workaround, that is to say replacing the UID Agent with the old PANAgent...

I know this is absurd, but PANAgent can always read all users; the problem is that the doc states it's no longer supported starting from PAN-OS 6.0 (though it appears to be still working with 7.0 too...). So far I'm convinced that this must not be related to the audit policies on the domain controllers.

According to the docs these are the Windows event IDs the UID Agent tries to look up:

Windows 2000 - 2003
    SUCCESS_NET_LOGON = 540
    AUTH_TICKET_GRANTED = 672
    SERVICE_TICKET_GRANTED = 673
    TICKET_GRANTED_RENEW = 674
    ACCOUNT_USED_FOR_LOGON = 680

Windows 2008
    LOGON_SUCCESS_W2008 = 4624
    AUTH_TICKET_GRANTED_W2008 = 4768
    SERVICE_TICKET_GRANTED = 4769
    TICKET_GRANTED_RENEW_W2008 = 4770
    ACCOUNT_USED_FOR_LOGON_W2008 = 4776


Anybody having similar issues?

Of course I don't like to keep on using PANAgent, but if it can map all users, the UID Agent must be able to as well.
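An added example, not code from the original post or from Palo Alto Networks: a small Python script that applies the event-ID table quoted above to a handful of constructed Windows security event records, builds the IP-to-user mapping an agent of this kind derives from them, and reports which accounts seen in the log did not end up mapped and why. The record fields (event_id, user, source_ip), the sample account names and addresses, and the skip rules are assumptions made for the example, not the agent's real schema or logic.

```python
"""Added example, not code from the original post or from Palo Alto Networks.

Applies the event-ID table quoted in the post to constructed Windows security
event records, builds the IP-to-user mapping a User-ID style agent would derive
from them, and lists the accounts that produced no mapping, with the reason.
Field names (event_id, user, source_ip) are assumptions, not the agent's schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Event IDs the post says the agent looks up, by Windows generation.
W2003_LOGON_EVENTS = {
    540: "SUCCESS_NET_LOGON",
    672: "AUTH_TICKET_GRANTED",
    673: "SERVICE_TICKET_GRANTED",
    674: "TICKET_GRANTED_RENEW",
    680: "ACCOUNT_USED_FOR_LOGON",
}
W2008_LOGON_EVENTS = {
    4624: "LOGON_SUCCESS_W2008",
    4768: "AUTH_TICKET_GRANTED_W2008",
    4769: "SERVICE_TICKET_GRANTED",
    4770: "TICKET_GRANTED_RENEW_W2008",
    4776: "ACCOUNT_USED_FOR_LOGON_W2008",
}
MAPPED_EVENT_IDS = {**W2003_LOGON_EVENTS, **W2008_LOGON_EVENTS}

# Accounts that never represent a person and must not produce a mapping (assumed rule).
IGNORED_ACCOUNTS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Client-address values that cannot be keyed on (assumed rule).
UNUSABLE_ADDRESSES = {"", "-", "::1", "127.0.0.1"}


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    user: str        # "DOMAIN\\account" as written in the event (constructed)
    source_ip: str   # client address carried by the event (constructed)


def skip_reason(event: SecurityEvent) -> Optional[str]:
    """Return why this record produces no mapping, or None if it maps."""
    if event.event_id not in MAPPED_EVENT_IDS:
        return f"event id {event.event_id} is not in the agent's list"
    account = event.user.split("\\")[-1]
    if account.endswith("$"):
        return "machine account"
    if account.upper() in IGNORED_ACCOUNTS:
        return "built-in account"
    if event.source_ip in UNUSABLE_ADDRESSES:
        return "no usable client address"
    return None


def build_ip_user_map(events: Iterable[SecurityEvent]) -> Dict[str, str]:
    """Latest mappable logon per client IP wins, since the firewall keys on source IP."""
    mapping: Dict[str, str] = {}
    for ev in events:
        if skip_reason(ev) is None:
            mapping[ev.source_ip] = ev.user
    return mapping


def unmapped_users(events: Iterable[SecurityEvent]) -> Dict[str, str]:
    """Human accounts present in the log that ended up with no mapping, and why.

    This is the list to compare against the agent's own user table when
    not all domain users show up as transparently mapped.
    """
    events = list(events)
    mapped = set(build_ip_user_map(events).values())
    reasons: Dict[str, str] = {}
    for ev in events:
        if ev.user in mapped or ev.user.split("\\")[-1].endswith("$"):
            continue
        reason = skip_reason(ev)
        if reason:
            reasons[ev.user] = reason
    return reasons


# Constructed sample records mixing Windows 2003 and 2008 event IDs.
SAMPLE_EVENTS = [
    SecurityEvent(540, "CORP\\alice", "10.0.0.11"),   # maps
    SecurityEvent(673, "CORP\\WKS01$", "10.0.0.12"),  # machine account, skipped
    SecurityEvent(4624, "CORP\\bob", "10.0.0.13"),    # maps
    SecurityEvent(4768, "CORP\\alice", "10.0.0.14"),  # alice also seen from .14
    SecurityEvent(4634, "CORP\\carol", "10.0.0.15"),  # logoff event, not in the list
    SecurityEvent(680, "CORP\\dave", "-"),            # no client address
]

if __name__ == "__main__":
    for ip, user in sorted(build_ip_user_map(SAMPLE_EVENTS).items()):
        print(f"{ip:<12} {user}")
    for user, why in sorted(unmapped_users(SAMPLE_EVENTS).items()):
        print(f"UNMAPPED {user}: {why}")
```

Running it prints the three mappings and two unmapped accounts. Used against a real export of the domain controllers' security logs, the same split tells you whether a missing user is missing because the expected event IDs never appear in the log (an audit or log-forwarding question) or because the records are there but carry no usable client address (a question for the agent's parsing).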

4 REPLIES

L6 Presenter

I'm kind of confused...

Your issue is that in your environment UIA isn't always providing user attribution for users logged into your domain?

And you're saying that the CP process isn't fully identifying the remaining users that have not been identified?

Do you have only "Read Security Log" checked or "Read Session" as well under user identification?

The first contains only logon events; the other covers access to file servers and network printing as well.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yes, UIA isn't always able to read Windows logon events, while the old PANAgent is.

Please note that I sometimes have this issue with very old Windows domains.

As for the CP, when and if it's configured as a "complementary" ID mechanism with respect to transparent User-ID by the UIA, it bothers users because transparent ID fails. Just to stay on topic, please forget about CP; I have problems with UIA AND with old domains only.

And yes, of course I have the "Enable Security Log Monitor" option flagged.

PANAgent in the very same W2003 domains and with the very same domain controllers always reads all logon events...

It's been about since I started working with Palo Alto (3 years ago) that I sometimes experience this strange behaviour and really can't understand why I have to roll back to PANAgent.
