User-ID mapping for users logged in to a domain controller

cancel
Showing results for 
Search instead for 
Did you mean: 

User-ID mapping for users logged in to a domain controller

L0 Member

Hi Guys,

 

Does anyone know or have experience on configuring User-ID agent to perform user mappings for users who are currently logged in to a domain controller.

 

The issue I am facing is that anyone logs into a domain controller is not being pickup by User-ID agent, so there is no user mapping for any of our domain controllers. All other servers on the same subnet as the DC are fine, no issues.

 

Any ideas?

 

Thanks


Leo

2 REPLIES 2

L7 Applicator

Hi @Leo_Huang , From what I can remember...  this is because DC local logins are not registered in the security logs. I can’t remember what we did so will have a dig. 

Cyber Elite
Cyber Elite

The normal server Monitoring should do the trick. Do you see the user login events  in the Domain server logs, if not then it is a Windows issue. If they are present you will need to check many things like if the Palo Alto has the right credentials if login attemps are seen on the DC from the Palo Alto, does the zone has User id mapping allowed, do the DC allow a non Windows device like palo alto to connect or an external UserId agent is needed, maybe do pcap captures and check the Palo Alto authd log and so on:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!