03-02-2021 06:07 PM
Hi Guys,
Does anyone know or have experience configuring the User-ID agent to perform user mappings for users who are currently logged in to a domain controller?
The issue I am facing is that anyone who logs into a domain controller is not being picked up by the User-ID agent, so there is no user mapping for any of our domain controllers. All other servers on the same subnet as the DC are fine, no issues.
Any ideas?
Thanks
Leo
03-02-2021 10:55 PM
Hi @Leo_Huang, from what I can remember... this is because DC local logins are not registered in the security logs. I can’t remember what we did so will have a dig.
03-22-2021 11:30 AM
The normal server Monitoring should do the trick. Do you see the user login events in the Domain server logs? If not, then it is a Windows issue. If they are present, you will need to check many things: whether the Palo Alto has the right credentials, whether login attempts are seen on the DC from the Palo Alto, whether the zone has User-ID mapping allowed, whether the DC allows a non-Windows device like Palo Alto to connect or an external User-ID agent is needed. Maybe do pcap captures and check the Palo Alto authd log, and so on:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK
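
The first check suggested in the reply above (are the user login events actually in the DC's Security log?), as an added PowerShell example that is not part of the original thread. It assumes an elevated session on the domain controller and that event IDs 4624, 4768, 4769 and 4770 are the ones of interest; the one-hour window is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# Assumption (not stated in the thread): the relevant events are 4624 (logon)
# and 4768/4769/4770 (Kerberos ticket granted / service ticket / renewed).
$since = (Get-Date).AddHours(-1)   # arbitrary look-back window
$ids   = 4624, 4768, 4769, 4770

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No logon/Kerberos events since $since. Check the audit policy on this DC."
    return
}

$rows = foreach ($e in $events) {
    # Read the named fields from the event XML instead of relying on property order.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = $data['TargetUserName']
    # Skip machine accounts (NAME$ or NAME$@REALM); only user logons matter here.
    if (-not $user -or $user -match '\$(@|$)') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = $user
        LogonType = $data['LogonType']   # only present on 4624
        SourceIp  = ($data['IpAddress'] -replace '^::ffff:', '')
    }
}

# An IP-to-user mapping needs a usable source address, so list the events that
# carry one separately from those logged with '-', ::1, 127.0.0.1 or nothing.
$noAddr = '-', '::1', '127.0.0.1', ''
$rows | Where-Object { $_.SourceIp -notin $noAddr } |
    Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Where-Object { $_.SourceIp -in $noAddr } |
    Group-Object User, EventId | Select-Object Count, Name
```

If the first table is empty for someone known to be logged in to the DC while the second lists them, the events exist but carry no remote address to map.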