User-ID mapping

Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID mapping



Hello. We have such kind of problem. This user has allowed privilege to visit this category and the other one, but PA very frequently identify it by ip, not the username (with User-ID). we use agentless client for mapping between PA and our AD.

The problem happens very often with a small amount of users (for example exactly with this one). Maybe some of you  have already faced with this?

Thanks in advance.


Cyber Elite
Cyber Elite


Could you send a screenshot of your User Mapping settings, specifically what your User Identification Timeout is set to. The biggest cause for this type of issue is inproper Log Monitor Frequency or having the User Identification Timeout set to low to actually keep the user mapped to the IP. 




you think that I should set this timeout higher than 45 minutes?



Most definitively this is what's causing your issue. If the user does not generate an authentication event on the server within the 45 minute time period you are losing the mapping. Most office workers, esspecially on Windows, will not be generating any events on the AD server for the agent to read within a 45 minute time period. 


I changed this time to 3 hours. Right now this problem happens only at one user. Hope this is going to help me.
Thank you.

Sorry for hijacking this thread, but I have been looking for a recommendation when it comes to user-id timeout value. We have a few thousand users logging in and out of Citrix throughout the day, but others work only locally on their laptops. We have user-id agents on all domain controllers and TS agents on all Citrix servers. In addition we have loads of users with BYOD devices on a wireless network where we get IP-user-mappings from the wireless controllers (Syslog events).


The timeout value really depends on the enviroment. In an active enviroment where people will be generating logging events throughout the day, such as Citrix, the time can be set relatively low. When employees are working on one machine throughout the day I would generally set the timeout to equal your average work period, for example 480 mins for a total of an 8 hour ageout period. 

The only thing to really remember is that setting a higher ageout period could cause users to maintain the last user mapping longer than intended. In the majority of rulebases this wouldn't really be a big concern, but that would be dependant on what your configuration actually looks like. 

Thanks @BPry

My worry is that by setting the timeout value low to keep user-id from Citrix updated we risk timing out users working on thick clients that do not generate security log events frequently. Would adding our Exchange servers to the userid agents help with that? Our desktop/laptop users generally have Outlook open all the time.


What do you currently have your ageout value set to? You generally would not want to get any info from your Exchange servers.



45 minutes.


You really shouldn't have any issues raising this value, the Citrix information should stay up-to-date and your thick clients will maintain their user-id information. 

I would recommend adding Exchange as another source for User-ID mapping.  Users may only login to the domain once in a day, but they check e-mail many times throughout the day.  Each time they open/use Outlook is another opportunity to refresh their user-to-ipaddress mapping.  With User-ID, more sources is a good thing(tm).  


Also, what's your DHCP lease set to?  A good starting point for your user mapping timeout value is 1/2 the DHCP lease time.  

For employee clients we use 8 days as DHCP lease time, so 4 days user-ID timeout would perhaps be a bit excessive 🙂 But thanks for all the input, I'll probably increase the timeout to 4 hours as a start.


What do others think about adding Exchange servers to the user-ID agents?


A max timeout for user IP mapping is 24hrs so you don't need to worry about anything beyond that.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!