Windows User-ID Agent is Sending Wrong Domain in IP-User-Mappings

Created On 09/23/23 00:25 AM - Last Modified 01/13/25 21:36 PM


Symptom


  • IP-user mappings with an incorrect domain were showing up on the firewall intermittently.
  • The user in question was not part of the domain and was incorrectly mapped to the wrong domain.
  • The logs can be viewed on the Windows User-ID agent in UaDebug.log after setting the logging level to verbose:
Debug  412]: Server Session: FAYEMIDO \\10.196.128.142
Verbo 1503]: NormalizeUser_n returns thanos\fayemido
Debug  398]: UserIpMap: IP 10.196.128.142 login name gets changed from fayemido@legal.mary.net to thanos\fayemido with timeout 28800.
Debug 1409]: Adding ip to chg tbl 10.196.128.142 for Add (is_user=ture)


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • Windows User-ID agent
  • Multi-domain environment


Cause


  • Windows User-ID Agent (UIA) was deployed on a server that was part of Domain A; however, it was also monitoring Domain Controllers (DCs) that are part of Domain B.
  • Windows UIA will get a domain map from either of the DCs it monitors.
  • This domain map can cause an incorrect domain to be associated with users that are not part of that domain when Windows UIA generates IP-user mappings.


Resolution


Deploy Windows UIA on servers or computers that are part of the same domain they are intended to pull mappings from.
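
To check a UaDebug.log for the rewrite shown under Symptom, the following added example (not Palo Alto Networks code) parses the UserIpMap line format quoted above and flags rewrites where the original UPN suffix is not one the assigned NetBIOS domain is expected to cover. The NetBIOS-to-DNS map, the thanos.example suffix and the second sample log line are constructed assumptions.

```python
import re

# Pattern follows the UserIpMap line quoted in this article; other agent
# versions may word the message differently (assumption).
REWRITE = re.compile(
    r"UserIpMap: IP (?P<ip>\S+) login name gets changed from "
    r"(?P<old>\S+) to (?P<new>\S+) with timeout"
)

def domain_of(name):
    """Return the lowercased domain part of 'DOMAIN\\user' or 'user@dns.domain'."""
    if "\\" in name:
        dom = name.split("\\", 1)[0]
    elif "@" in name:
        dom = name.rsplit("@", 1)[1]
    else:
        dom = ""
    return dom.lower()

def find_suspect_rewrites(lines, netbios_to_dns):
    """Flag UPN -> NetBIOS rewrites whose UPN suffix does not belong to the
    NetBIOS domain the agent assigned.

    netbios_to_dns is admin-supplied: {netbios_name: {dns_suffix, ...}}.
    A NetBIOS domain missing from the map is treated as a mismatch.
    """
    known = {nb.lower(): {d.lower() for d in dns} for nb, dns in netbios_to_dns.items()}
    findings = []
    for line in lines:
        m = REWRITE.search(line)
        if not m or "@" not in m["old"] or "\\" not in m["new"]:
            continue  # only UPN -> NetBIOS rewrites are checked here
        allowed = known.get(domain_of(m["new"]), set())
        if domain_of(m["old"]) not in allowed:
            findings.append({"ip": m["ip"], "from": m["old"], "to": m["new"]})
    return findings

# First line is the one quoted in this article; the second is constructed.
SAMPLE_LOG = [
    r"Debug  398]: UserIpMap: IP 10.196.128.142 login name gets changed from fayemido@legal.mary.net to thanos\fayemido with timeout 28800.",
    r"Debug  398]: UserIpMap: IP 192.0.2.10 login name gets changed from alice@thanos.example to thanos\alice with timeout 28800.",
]
# Hypothetical map: which DNS suffixes legitimately belong to each NetBIOS domain.
DOMAIN_MAP = {"thanos": {"thanos.example"}}

if __name__ == "__main__":
    for f in find_suspect_rewrites(SAMPLE_LOG, DOMAIN_MAP):
        print(f"{f['ip']}: {f['from']} -> {f['to']}")
```

Run it against the verbose log before and after moving the agent; the flagged IPs are the mappings to review on the firewall.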



Additional Information


Step 2 in Admin Guide: Install the Windows-Based User-ID Agent

First line in the Resolution steps of this KCS article: User-ID Agent Setup Tips


