Windows User-ID Agents in Azure - Domain Normalization Not Working

Hi,

We have a really strange issue and hoping someone can help!

We are using Windows User-ID agents to query our domain controllers only for security events for user-to-IP mapping; we are not using the firewalls' native User-ID engines. We currently have four User-ID agents deployed in our on-premises hosting environment on VMware. These work without issue; they are running version 10.2.3-103, in line with our current code train on the firewalls themselves. When I check the discovered users we can see the username with the NetBIOS name included, for example DOMAIN\Joe.Bloggs.

We need to decommission two of the on-premises User-ID Agent servers and build replacement servers in Azure to cover these and maintain resiliency. I have built these servers; they are running Server 2022, which is a supported OS for the Windows User-ID Agent, and installed the 10.2.3-103 User-ID agent on them as per the on-premises servers. However, for some reason domain normalization is not working on these servers. They are querying the EXACT same domain controllers as the two on-premises User-ID agents that we are decommissioning. The domain controllers are all showing as connected on the agent, I can see no denied traffic through our Azure firewall from the agents to the domain controllers, and the other config elements are set up in exactly the same way (access to event logs on the DCs, the account used for authentication, etc.). The users are being mapped to IP addresses, but the NetBIOS name is not included on any account; they are all just Joe.Bloggs and not DOMAIN\Joe.Bloggs. We had this exact same issue early last year when we tried the same thing, but we didn't need the servers in Azure back then, so we just stood down as we had limited time to resolve issues.

It's so strange. In the logs I am seeing the following (DC and domain changed only; these are verbose logs as I have them on the servers):

03/18/24 08:04:46:220[Verbo 349]: LOGON_SUCCESS_W2008(4624) from DC-EXAMPLE-01: #of fields:27 DC.EXAMPLE.NET\Joe.Bloggs 10.10.10.10 Mon Mar 18 08:04:43 2024

03/18/24 08:04:46:22003/18/24 08:04:46:220[Verbo 1082]: DomainNormalize returns

03/18/24 08:04:46:220[Verbo 1508]: NormalizeUser_n returns Joe.Bloggs

As per the highlighted section, it's as if it finds the user with the correct domain FQDN, but then the normalization does not work and just blanks out the domain.

Hoping someone can help! Let me know if you need more info but I think that's the lot. This is certainly something unique to hosting User-ID agents on Azure VMs.
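As an added check, not part of the original post or of the vendor's tooling: a small Python parser over constructed agent log lines in the format quoted above, which flags mappings where the logon event carried a domain but NormalizeUser_n returned a bare username. The log sample, DC hostnames, IPs and the EXAMPLE domain are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of Windows User-ID agent verbose log lines, modelled on the
# excerpt in the post (hostnames, domain and IPs are placeholders).
SAMPLE_LOG = """\
03/18/24 08:04:46:220[Verbo 349]: LOGON_SUCCESS_W2008(4624) from DC-EXAMPLE-01: #of fields:27 DC.EXAMPLE.NET\\Joe.Bloggs 10.10.10.10 Mon Mar 18 08:04:43 2024
03/18/24 08:04:46:220[Verbo 1082]: DomainNormalize returns
03/18/24 08:04:46:220[Verbo 1508]: NormalizeUser_n returns Joe.Bloggs
03/18/24 08:05:01:004[Verbo 349]: LOGON_SUCCESS_W2008(4624) from DC-EXAMPLE-02: #of fields:27 DC.EXAMPLE.NET\\Jane.Doe 10.10.10.11 Mon Mar 18 08:04:58 2024
03/18/24 08:05:01:004[Verbo 1082]: DomainNormalize returns EXAMPLE
03/18/24 08:05:01:004[Verbo 1508]: NormalizeUser_n returns EXAMPLE\\Jane.Doe
"""

# One regex per log line type: the 4624 event, the DomainNormalize result, the final user.
LOGON_RE = re.compile(r"LOGON_SUCCESS\S*\(\d+\) from (?P<dc>\S+): #of fields:\d+ (?P<user>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+)")
NORMALIZE_RE = re.compile(r"DomainNormalize returns\s*(?P<domain>\S*)$")
RESULT_RE = re.compile(r"NormalizeUser_n returns (?P<user>\S+)")

@dataclass
class Mapping:
    dc: str
    raw_user: str          # DOMAIN.FQDN\user as read from the security event
    ip: str
    domain: Optional[str] = None      # what DomainNormalize produced (None if empty)
    normalized: Optional[str] = None  # final user string handed to the mapping table

    def lost_domain(self) -> bool:
        """True when the event carried a domain but the normalized user has none."""
        return "\\" in self.raw_user and self.normalized is not None and "\\" not in self.normalized

def parse_agent_log(text: str) -> list[Mapping]:
    """Group each logon event with the normalization lines that follow it."""
    mappings, current = [], None
    for line in text.splitlines():
        if m := LOGON_RE.search(line):
            current = Mapping(m["dc"], m["user"], m["ip"])
            mappings.append(current)
        elif current is not None and (m := NORMALIZE_RE.search(line)):
            current.domain = m["domain"] or None
        elif current is not None and (m := RESULT_RE.search(line)):
            current.normalized = m["user"]
    return mappings

def find_unnormalized(text: str) -> list[Mapping]:
    """Return mappings whose domain prefix was dropped during normalization."""
    return [m for m in parse_agent_log(text) if m.lost_domain()]

if __name__ == "__main__":
    for m in find_unnormalized(SAMPLE_LOG):
        print(f"{m.dc}: {m.raw_user} -> {m.normalized} ({m.ip}) lost domain prefix")
```

Running it against a full verbose log from an affected agent and a healthy one gives a per-DC count of dropped prefixes, which separates a DC-side problem from an agent-side one.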
