We have an AD account for which we restrict all Internet access via a user-based security rule. The account is an auto-logon account for certain kiosk-type machines in our environment. I'm finding that the username being used on the machine is not always recognized by PA, and as a result Internet traffic is being allowed. There are other times when it recognizes that account and properly blocks Internet access.
Does anyone know why there are times that the username is not known to PA, and is there anything I can do to fix that?
Bit of a 'how long is a piece of string' question, I'm afraid, so many factors!
However - hopefully a bit more useful - one issue I found that could result in mapped users being 'lost' was enabling the 'Server Session' tracking in the agent. Not sure why specifically, but if this check returns a user mapping that does *not* tally with the currently mapped users the agent 'resets' the node so it doesn't have either account associated.
The next time some device activity raises an AD event entry the user account is remapped, but this does cause periods where no user is known for the device, which sounds like it could be what you're seeing?
Try playing with the timeouts, settings etc; or enable transparent NTLM auth for that source IP so it will perform an interactive authentication as that way it will force a background authentication when the kiosk machine connects to the web and should block it.
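An added example, not part of the original posts and not Palo Alto Networks tooling: one way to measure the gaps discussed in this thread is to scan exported traffic log rows for kiosk source IPs whose sessions were allowed with no source user mapped. The column names, IP addresses, user name and rows below are constructed for illustration and must be adapted to the actual log export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows (simplified columns, not a real export format).
SAMPLE_LOG = """\
time,src_ip,src_user,action
2024-01-10 08:00:05,10.1.5.20,corp\\kiosk,deny
2024-01-10 08:14:40,10.1.5.20,,allow
2024-01-10 08:15:10,10.1.5.20,,allow
2024-01-10 08:16:02,10.1.5.20,corp\\kiosk,deny
2024-01-10 09:30:00,10.1.5.21,,allow
2024-01-10 09:31:00,10.1.5.99,,allow
2024-01-10 11:02:00,10.1.5.20,,allow
"""

KIOSK_IPS = {"10.1.5.20", "10.1.5.21"}  # hypothetical kiosk addresses


def unmapped_windows(log_text, kiosk_ips, max_gap=timedelta(minutes=5)):
    """Return {ip: [(first_seen, last_seen, sessions), ...]} covering allowed
    sessions from kiosk IPs that carried no user mapping. Rows must be in
    time order. A window ends when a mapped session is seen for that IP or
    when more than max_gap passes between unmapped sessions."""
    windows = {}
    window_open = {}  # ip -> True while the latest window can still grow
    for row in csv.DictReader(io.StringIO(log_text)):
        ip = row["src_ip"]
        if ip not in kiosk_ips:
            continue
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["src_user"].strip():
            window_open[ip] = False  # mapping is back, close the window
            continue
        if row["action"] != "allow":
            continue  # unmapped but not allowed: no exposure to record
        spans = windows.setdefault(ip, [])
        if window_open.get(ip) and ts - spans[-1][1] <= max_gap:
            first, _, count = spans[-1]
            spans[-1] = (first, ts, count + 1)
        else:
            spans.append((ts, ts, 1))
            window_open[ip] = True
    return windows


if __name__ == "__main__":
    for ip, spans in sorted(unmapped_windows(SAMPLE_LOG, KIOSK_IPS).items()):
        for first, last, count in spans:
            print(f"{ip}: {count} unmapped allowed session(s) {first} to {last}")
```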