User loses privileges...UserID

L4 Transporter

The problem you're having (user explotacion getting mapped to your local IP address) is perfectly clear. And like I said before: this is expected behaviour because a logon event is logged. And no, we are not talking about the fact that user explotacio is logging on to the server, we are talking about "a" Windows logon event.

Check the security log in Event Viewer: you'll find thousands of logon events that have nothing to do with a user logging on (entering username/password) to a computer.

The security log on a DC is the source PaloAlto uses to collect these events, since they contain the user and an IP....

After having logged on to the server, almost any action you do locally (like browsing in Windows Explorer, opening an application) will trigger a logon event that should eventually be picked up by UserID. On the condition that you are in fact in a domain environment (the logon event is checked by the DC) and the UserID interval is short enough.

L4 Transporter

I don't know why it should affect my local machine that I connect to another PC with another user via RDP, and when I close this session I don't recover my privileges. The moment I connect to another machine via RDP with any user, I get the privileges of that user on my local machine....... this is weird behaviour....

L4 Transporter

Please understand that this actually has nothing to do with the RDP session.

This is standard Windows behaviour in a Windows domain: your DC is the only "authority" that determines whether or not you have access to a resource. This is the logon event I'm talking about.

Nothing you do in the PaloAlto config will change that behaviour. All PA does is read that info.

L4 Transporter

Hello,

This behavior is expected. UserID does IP-user mapping based off of the Windows Security logs, and when a user RDPs to a machine, Windows logs the security event based on the IP of the PC that initiated the RDP.

The only workaround for this is to add the username oalgt\explotacio to the ignore users list. This is not an issue with the firewall or the agent.

Refer:

https://live.paloaltonetworks.com/docs/DOC-2893

Hope that helps,

Aditi
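To make the behaviour described in the two replies above concrete (a logon event on the DC carrying the RDP client's source IP overwrites the IP-user mapping for that workstation, and the ignore list is what suppresses it), here is an added example. It is not Palo Alto code and not the agent's actual parser; it is a constructed, simplified model of the agent's logic over hand-written 4624-style events, with an assumed 45-minute mapping timeout, an assumed ignore list, and an assumed rule that skips machine accounts and events with no usable source address.

```python
"""
Constructed example of User-ID style IP-to-user mapping from DC Security
log logon events. Not Palo Alto code; the event shape, the timeout value
and the skip rules are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class LogonEvent:
    """Simplified view of the fields an agent reads from a 4624 event."""
    time: datetime
    user: str        # DOMAIN\user exactly as written in the event
    source_ip: str   # "Source Network Address"; "-" when none is recorded
    logon_type: int  # 2 interactive, 3 network, 10 RemoteInteractive (RDP)


# Addresses that carry no information about which workstation the user is on.
NO_IP = {"-", "", "::1", "127.0.0.1"}

T0 = datetime(2020, 11, 6, 9, 0, 0)

# Constructed sample events as a DC might log them (not real log data):
# 09:00 alice's workstation 10.1.1.50 authenticates to the DC.
# 09:30 alice opens an RDP session to a server as explotacio; the server
#       validates the credentials against the DC, which records the
#       *initiating* PC's address, so the event still says 10.1.1.50.
# 09:40 a local interactive logon with no network address is useless here.
# 09:45 a machine account (SRV01$) authenticates from its own address.
SAMPLE_EVENTS = [
    LogonEvent(T0, r"oalgt\alice", "10.1.1.50", 3),
    LogonEvent(T0 + timedelta(minutes=30), r"oalgt\explotacio", "10.1.1.50", 10),
    LogonEvent(T0 + timedelta(minutes=40), r"oalgt\alice", "-", 2),
    LogonEvent(T0 + timedelta(minutes=45), r"oalgt\SRV01$", "10.1.1.20", 3),
]


def build_mapping(events: Iterable[LogonEvent],
                  ignore_users: Set[str] = frozenset(),
                  now: Optional[datetime] = None,
                  timeout: timedelta = timedelta(minutes=45),
                  ) -> Dict[str, Tuple[str, datetime]]:
    """Return {ip: (user, last_seen)} using last-logon-wins semantics.

    ignore_users: names whose events are discarded entirely (the thread's
                  workaround), compared case-insensitively.
    now/timeout:  when `now` is given, entries older than `timeout` expire,
                  which is how a stale mapping eventually drops off.
    """
    ignore = {u.lower() for u in ignore_users}
    mapping: Dict[str, Tuple[str, datetime]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.source_ip in NO_IP:
            continue                      # nothing to map the user to
        if ev.user.lower() in ignore:
            continue                      # explicit ignore list
        if ev.user.endswith("$"):
            continue                      # machine accounts are not users
        # A newer event for the same IP overwrites the previous user:
        # this is exactly the step that replaces alice with explotacio.
        mapping[ev.source_ip] = (ev.user, ev.time)
    if now is not None:
        mapping = {ip: (u, t) for ip, (u, t) in mapping.items()
                   if now - t <= timeout}
    return mapping


def user_for(ip: str, mapping: Dict[str, Tuple[str, datetime]]) -> Optional[str]:
    """Which user the firewall would currently attribute traffic from `ip` to."""
    entry = mapping.get(ip)
    return entry[0] if entry else None


if __name__ == "__main__":
    plain = build_mapping(SAMPLE_EVENTS)
    fixed = build_mapping(SAMPLE_EVENTS, ignore_users={r"oalgt\explotacio"})
    print("without ignore list:", user_for("10.1.1.50", plain))
    print("with ignore list:   ", user_for("10.1.1.50", fixed))
```

Running it shows the workstation attributed to oalgt\explotacio after the RDP logon and to oalgt\alice once that account is on the ignore list; the machine account and the address-less interactive logon never produce a mapping, and with a `now` two hours after the last event both entries have aged out.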

L4 Transporter

And what would happen with users who have 2 inboxes in their Exchange??? Does the same happen to them??

L4 Transporter

Depends on how they log on.

Does the user have full access permission to the 2nd mailbox? If so, you can make everything work with the same credentials.

Or does the 2nd mailbox actually require logging on to it? If so, you again have a logon event that will be picked up by UserID.

In an AD environment, using different logins for different resources is not really best practice for me. Give a user one account and make sure he can access whatever resource he needs with that account. You shouldn't bother your users with several logins.

Obviously this doesn't apply to users who do administrative tasks, where the admin account should be strictly separate from their everyday user account.

I hope you get it sorted out...
