10-28-2015 05:16 AM - edited 10-28-2015 05:19 AM
Hi all,
I sometimes have a really hard time mapping domain users in old Windows 2003 forests using the UID Agent (no matter if version 6 or 7).
I'll try to explain: when, and only when, using the UID Agent I cannot read all users' logon events or, worse, I can't read users at all, ending up with not all domain users transparently mapped and with the captive portal showing up to not-yet-mapped users.
For a while now I have been using a simple workaround, that is to say replacing the UID Agent with the old PANAgent...
I know this is absurd, but PANAgent can always read all users; the problem is that the doc states it's no longer supported starting from PAN-OS 6.0 (though it appears to still work with 7.0 too...). So far I'm convinced that this must not be related to the audit policies on the domain controllers.
According to the docs, these are the Windows event logs the UID Agent tries to look up:
Windows 2000 - 2003
SUCCESS_NET_LOGON = 540
AUTH_TICKET_GRANTED = 672
SERVICE_TICKET_GRANTED = 673
TICKET_GRANTED_RENEW = 674
ACCOUNT_USED_FOR_LOGON = 680
Windows 2008
LOGON_SUCCESS_W2008 = 4624
AUTH_TICKET_GRANTED_W2008 = 4768
SERVICE_TICKET_GRANTED = 4769
TICKET_GRANTED_RENEW_W2008 = 4770
ACCOUNT_USED_FOR_LOGON_W2008 = 4776
Anybody having similar issues?
Of course I don't like to keep on using PANAgent, but if it can map all users, UID must be able to as well.
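As an added check to go with the event ID list above (this script is not from the thread, from the User-ID Agent, or from Palo Alto), the following PowerShell counts how many of those logon-related events a given DC actually wrote in the last N minutes and pulls a rough user/address pair out of the message text. It assumes it is run from a Windows 2008 or later host with PowerShell 2.0+ against the classic Security log of the 2003 DC via Get-EventLog, that the account running it can read that DC's Security log, and the DC name, time window and message field labels are placeholders and assumptions, not values from the post:

```powershell
# Added example: count the logon-related Security events that User-ID reads on one DC.
# Assumptions (not from the thread): PowerShell 2.0+ on a 2008+ host, remote EventLog
# access to the DC, and an account with read rights on the DC's Security log.
param(
    [string]$DC = 'dc01.corp.example',   # placeholder DC name; replace with a real one
    [int]$Minutes = 30                   # how far back to look
)

# Event IDs from the list in the post, 2000/2003 family and 2008 family.
$Ids2003 = @{ 540 = 'SUCCESS_NET_LOGON';  672 = 'AUTH_TICKET_GRANTED';  673 = 'SERVICE_TICKET_GRANTED'
              674 = 'TICKET_GRANTED_RENEW'; 680 = 'ACCOUNT_USED_FOR_LOGON' }
$Ids2008 = @{ 4624 = 'LOGON_SUCCESS';     4768 = 'AUTH_TICKET_GRANTED'; 4769 = 'SERVICE_TICKET_GRANTED'
              4770 = 'TICKET_GRANTED_RENEW'; 4776 = 'ACCOUNT_USED_FOR_LOGON' }
$Wanted = $Ids2003 + $Ids2008

$since = (Get-Date).AddMinutes(-$Minutes)
try {
    # Get-EventLog talks to the classic event log service, so it works against a 2003 DC.
    $events = Get-EventLog -ComputerName $DC -LogName Security -After $since -ErrorAction Stop |
              Where-Object { $Wanted.ContainsKey([int]$_.EventID) }
} catch {
    # Typical cause: the account has no read access to the Security log on that DC.
    Write-Error "Cannot read the Security log on ${DC}: $($_.Exception.Message)"
    exit 1
}

if (-not $events) {
    Write-Warning "No matching logon events in the last $Minutes minutes on $DC. Check that success auditing for logon / account logon events is enabled."
    exit 2
}

# Count per event ID, so you can see which of the IDs the agent relies on are really present.
$events | Group-Object EventID | Sort-Object { [int]$_.Name } | ForEach-Object {
    New-Object PSObject -Property @{
        EventID = [int]$_.Name
        Name    = $Wanted[[int]$_.Name]
        Count   = $_.Count
    }
} | Format-Table EventID, Name, Count -AutoSize

# Rough user/address extraction from the message text for a few samples. Field labels differ
# per event and OS version; these are the common ones and are an assumption, not the agent's parser.
# The last 'Account Name' match is taken because 4624 lists the Subject account first.
$userPattern = '(?m)^\s*(User Name|Account Name|Logon Account):\s*(\S+)'
$addrPattern = '(?m)^\s*(Client Address|Source Network Address|Source Workstation):\s*(\S+)'
$events | Select-Object -First 5 | ForEach-Object {
    $m = $_.Message
    $u = [regex]::Matches($m, $userPattern)
    $a = [regex]::Matches($m, $addrPattern)
    $user = if ($u.Count -gt 0) { $u[$u.Count - 1].Groups[2].Value } else { '?' }
    $addr = if ($a.Count -gt 0) { $a[$a.Count - 1].Groups[2].Value } else { '?' }
    '{0}  {1}  user={2}  addr={3}' -f $_.TimeGenerated, $_.EventID, $user, $addr
}
```

Run it as the same account the agent service uses: if the counts come back but the agent still maps nothing, the problem is on the agent side; if the script itself cannot read the log or sees no events, the DC is not producing or exposing what the agent needs. On a busy DC the -After filter can still take a while because Get-EventLog reads the log sequentially; shorten the window if needed.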
10-28-2015 06:04 AM
I'm kind of confused...
Your issue is that in your environment UIA isn't always providing user attribution for users logged into your domain?
And you're saying that the CP process isn't fully identifying the remaining users that have not been identified?
10-28-2015 06:50 AM
Do you have only "Read Security Log" checked, or "Read Session" as well, under user identification?
The first contains only logon events; the other covers access to file servers and network printing as well.
10-28-2015 03:24 PM
Yes, UIA isn't always able to read Windows logon events, while the old PANAgent is.
Please note that I sometimes have this issue with very old Windows domains.
As for the CP, when and if it's configured as a "complementary" ID mechanism with respect to transparent User-ID by the UIA, it bothers users because transparent ID fails. Just to stay on topic, please forget about CP; I have problems with UIA, and with old domains only.
10-28-2015 03:28 PM
And yes, of course I have the "Enable Security Log Monitor" option flagged.
PANAgent in the very same W2003 domains and with the very same domain controllers always reads all logon events...
Ever since I started working with Palo Alto (3 years ago) I have sometimes experienced this strange behaviour, and I really can't understand why I have to roll back to PANAgent.