03-18-2024 01:43 AM
Hi,
We have a really strange issue and hoping someone can help!
We are using Windows User-ID agents to query our domain controllers only for security events for user-to-IP mapping; we are not using the firewall's native User-ID engines. We currently have 4 User-ID agents deployed in our on-premises hosting environments on VMware. These work without issue; they are running version 10.2.3-103, in line with the current code train on the firewalls themselves. When I check the discovered users we can see the username with the NetBIOS name included, for example DOMAIN\Joe.Bloggs.
We need to decommission 2 of the on-premises User-ID agent servers and build replacement servers in Azure to cover these and maintain resiliency. I have built these servers; they are running Server 2022, which is a supported OS for the Windows User-ID agent, and installed the 10.2.3-103 User-ID agent on them as per the on-premises servers. However, for some reason domain normalization is not working on these servers, even though they are querying the EXACT same domain controllers as the two on-premises User-ID agents we are decommissioning. The domain controllers all show as connected on the agent, I can see no denied traffic through our Azure firewall from the agents to the domain controllers, and the other config elements are set up in exactly the same way (access to event logs on the DCs, the account used for authentication, etc.). The users are being mapped to IP addresses, but the NetBIOS name is not included on any account: they are all just Joe.Bloggs and not DOMAIN\Joe.Bloggs. We had this exact same issue early last year when we tried the same thing, but we didn't need the servers in Azure back then, so we stood down as we had limited time to resolve it.
It's so strange, in the logs I am seeing the following: (DC and domain changed only but these are verbose logs as I have them on servers)
03/18/24 08:04:46:220[Verbo 349]: LOGON_SUCCESS_W2008(4624) from DC-EXAMPLE-01: #of fields:27 DC.EXAMPLE.NET\Joe.Bloggs 10.10.10.10 Mon Mar 18 08:04:43 2024
03/18/24 08:04:46:220[Verbo 1082]: DomainNormalize returns
03/18/24 08:04:46:220[Verbo 1508]: NormalizeUser_n returns Joe.Bloggs
As per the highlighted section, it's as if it finds the user with the correct domain FQDN but then the normalize does not work and just blanks out.
Hoping someone can help! Let me know if you need more info but I think that's the lot. This is certainly something unique to hosting User-ID agents on Azure VMs.
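A diagnostic that can be run from the Azure agent host, added here as an example and not taken from the original post or from Palo Alto Networks: it reads the same Security 4624 events the agent consumes and prints the domain field each event carries, then looks up the NetBIOS name registered for the DNS domain in the forest's Partitions container, which is the mapping any DC.EXAMPLE.NET\Joe.Bloggs to DOMAIN\Joe.Bloggs normalization would need to resolve from this host. The DC name DC-EXAMPLE-01 and the domain example.net are placeholders taken from the sanitised log above; the account running it needs event-log read access on the DC and LDAP reachability to it.

```powershell
# Added diagnostic, not agent code. Placeholders match the sanitised log in the post.
param(
    [string]$DomainController = 'DC-EXAMPLE-01',   # hypothetical DC name
    [string]$DnsDomain        = 'example.net'      # hypothetical DNS domain
)

# 1. Pull recent successful logons (event 4624) straight from the DC's Security log,
#    the same source a Windows User-ID agent reads, and show the domain field of each.
#    Field names follow the 4624 EventData schema.
function Get-RecentLogons {
    param([string]$Dc, [int]$Count = 20)
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                 -MaxEvents $Count -ErrorAction Stop |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']   # normally the NetBIOS name, e.g. DOMAIN
            Ip        = $d['IpAddress']
            LogonType = $d['LogonType']
        }
    }
}

# 2. Resolve the DNS domain name to its NetBIOS name via LDAP, using the crossRef
#    object under CN=Partitions in the configuration partition. No RSAT module needed.
function Get-NetBiosName {
    param([string]$Dc, [string]$Dns)
    $rootDse  = [ADSI]"LDAP://$Dc/RootDSE"
    $cfgNc    = $rootDse.configurationNamingContext
    $searcher = [ADSISearcher]"(&(objectClass=crossRef)(dnsRoot=$Dns))"
    $searcher.SearchRoot = [ADSI]"LDAP://$Dc/CN=Partitions,$cfgNc"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    [string]$hit.Properties['netbiosname'][0]
}

# 3. Compare: every 4624 domain value should match the NetBIOS name the host can resolve.
$netbios = Get-NetBiosName -Dc $DomainController -Dns $DnsDomain
"DNS domain {0} -> NetBIOS name '{1}'" -f $DnsDomain, ($netbios ?? '<none resolved>')

$logons = Get-RecentLogons -Dc $DomainController
$logons | Format-Table -AutoSize

$mismatch = $logons | Where-Object { $_.Domain -and $_.Domain -ne $netbios }
if ($mismatch) {
    "Events whose domain field differs from the resolved NetBIOS name:"
    $mismatch | Format-Table Time, User, Domain, Ip -AutoSize
} else {
    "All sampled 4624 events carry domain '$netbios'."
}
```

If step 2 returns nothing from the Azure host but the same query succeeds from an on-premises agent server, the difference is in what that host can reach or resolve over LDAP, not in the event data; if step 1 already shows an FQDN or an empty domain field on the events themselves, the difference is in what the DC is logging for those logons. The `??` operator needs PowerShell 7; on Windows PowerShell 5.1 replace that line with an explicit `if ($netbios)` check.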