Palo Alto Networks Knowledgebase: Why Are Some Users Not Identified by the User-ID Agent?
Created On 09/26/18 13:50 PM - Last Updated 02/07/19 23:47 PM
There are several reasons why users may not be identified by the User-ID Agent even though they are logging into the Active Directory domain. The two most common reasons are:
Not all of the Domain Controllers are in the list of servers under User Identification > Discovery.
If there are five domain controllers but only one is in the User-ID Agent's server list, then any user who is authenticated by one of the other four (unlisted) domain controllers will not be identified.
Another common reason is that the username-to-IP mapping expires on the agent after the initial mapping is created.
The User-ID cache timeout is set to 45 minutes.
If 45 minutes pass and the user in question does not trigger any of the security log events the agent watches for (672, 673, 674, 4768, 4769, 4770), the IP mapping can expire and be removed from the table.
A common workaround is to increase the cache timeout value or to enable "WMI Probing" under Client Probing.
WMI probing queries each IP in the table to confirm which user is logged in and resets the TTL for that mapping.
Make sure the workstation firewall allows the WMI connection and that the service account running the User-ID Agent has permission on the workstation in question.
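A PowerShell check for the two causes above, added here as an example and not part of this KB article or of Palo Alto Networks' software. It assumes the RSAT ActiveDirectory module is installed, that $AgentServers is filled in by hand with the FQDNs from the agent's Discovery server list, that $Workstation is an IP from the agent's mapping table, and that the probe reaches the workstation over DCOM (TCP 135 plus dynamic RPC ports); run it as the User-ID Agent service account so the permission check is meaningful.

```powershell
# Example diagnostic, not Palo Alto Networks code. Placeholders below must be
# replaced with values from your own environment.
$AgentServers = @('dc1.example.local')   # placeholder: FQDNs from User Identification > Discovery
$Workstation  = '10.0.0.25'              # placeholder: an IP currently in the agent's mapping table

# Cause 1: every domain controller should appear in the agent's server list,
# otherwise logons authenticated by the missing DCs are never seen.
Import-Module ActiveDirectory
$allDCs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$missing = $allDCs | Where-Object { $AgentServers -notcontains $_ }
if ($missing) {
    Write-Warning "Domain controllers not monitored by the agent: $($missing -join ', ')"
} else {
    Write-Host "All $($allDCs.Count) domain controllers are in the agent's server list."
}

# Cause 2: a mapping survives only if one of the watched logon events is seen
# within the 45-minute cache timeout. Count those events on each monitored DC.
# 672/673/674 are the Windows 2003-era IDs; 4768/4769/4770 are the current ones.
$since = (Get-Date).AddMinutes(-45)
foreach ($dc in $AgentServers) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 672, 673, 674, 4768, 4769, 4770; StartTime = $since
    } -ErrorAction SilentlyContinue
    Write-Host ("{0}: {1} watched logon events in the last 45 minutes" -f $dc, @($events).Count)
}

# Workaround check: reproduce what a WMI probe needs. First the host firewall
# must admit RPC (TCP 135), then the service account must be allowed to query
# Win32_ComputerSystem over DCOM, which reports the logged-on user.
$rpc = Test-NetConnection -ComputerName $Workstation -Port 135 -WarningAction SilentlyContinue
if (-not $rpc.TcpTestSucceeded) {
    Write-Warning "TCP 135 to $Workstation is blocked; check the workstation firewall."
} else {
    try {
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Workstation -SessionOption $opt -ErrorAction Stop
        $cs      = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
        Write-Host "WMI probe OK: $Workstation reports logged-on user '$($cs.UserName)'"
        Remove-CimSession $session
    } catch {
        Write-Warning "WMI probe to $Workstation failed (permissions or DCOM): $($_.Exception.Message)"
    }
}
```

A DC that is in the list but shows zero watched events, or a workstation where the DCOM session fails after TCP 135 succeeds, points at the log-reading permission or the service account's rights rather than the firewall.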