The user wants to open an RDP session from the device they are logged onto to a device that needs to be accessed remotely.
The User-ID Agent (software or hardware) captures the logon user that is used to authenticate in the remote desktop window.
Shown below is an explanation of the process in an example scenario:
1. user1 is logged onto 10.10.10.10.
2. During authentication, a security log is generated on the Domain Controller.
3. The User-ID agent picks up the log and the firewall creates the mapping user1 ---> 10.10.10.10.
4. user1 creates an RDP session to 10.10.20.20.
5. The user authenticates to the remote desktop with the account user_admin.
6. During authentication, a logon event is created for user_admin coming from the 10.10.10.10 IP address, and this event creates the mapping user_admin ---> 10.10.10.10.
7. Since the firewall can hold only one mapping per IP address, the new logon event replaces the existing mapping for 10.10.10.10.
8. When the user disconnects from the remote session to 10.10.20.20, the mapping user_admin ---> 10.10.10.10 stays valid on the firewall, because log-off events are not relayed to the User-ID process. Any policy that references user1 will therefore no longer match traffic from 10.10.10.10.
This behavior is by design: since User-ID relies only on the logon logs from the Windows Domain Controller, the last logon event stays in the IP-to-user mapping table.
To work around this behavior, users have two options:
1. Use the same account (user1) to create the RDP session.
2. If an administrative account (user_admin) is needed to escalate privileges, add that user to an exclusion list so its logon events do not overwrite the mapping.
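The following simulation is an added example, not part of this article or of the firewall's own implementation. It models the one-mapping-per-IP table fed only by logon events, replays the constructed scenario above with and without the exclusion list, and adds a small audit helper that flags IPs whose mapped user was overwritten (a sign that an RDP hop may have stolen a mapping); the event fields and the policy-match check are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """Constructed stand-in for a Domain Controller logon event."""
    user: str
    source_ip: str


class UserIdTable:
    """IP -> user table: one user per IP, updated by logon events only (no log-off)."""

    def __init__(self, exclusion_list=()):
        self.exclusion_list = {u.lower() for u in exclusion_list}
        self.mapping = {}
        self.overwrites = []  # (ip, old_user, new_user) audit trail, added for illustration

    def ingest(self, event):
        # Excluded accounts never create or replace a mapping.
        if event.user.lower() in self.exclusion_list:
            return False
        old = self.mapping.get(event.source_ip)
        if old is not None and old.lower() != event.user.lower():
            self.overwrites.append((event.source_ip, old, event.user))
        # Last logon wins: a newer event silently replaces the existing mapping.
        self.mapping[event.source_ip] = event.user
        return True

    def user_for(self, ip):
        return self.mapping.get(ip)


def rdp_scenario(use_exclusion_list):
    """Replay the article's scenario; returns the table after the RDP session ends."""
    table = UserIdTable(exclusion_list=["user_admin"] if use_exclusion_list else [])
    table.ingest(LogonEvent("user1", "10.10.10.10"))        # user1 logs on to 10.10.10.10
    table.ingest(LogonEvent("user_admin", "10.10.10.10"))   # RDP to 10.10.20.20 as user_admin
    # Disconnecting from 10.10.20.20 produces no event, so nothing reverts the mapping.
    return table


def policy_matches(table, ip, policy_user):
    """Assumed user-based policy check: does traffic from ip match a rule for policy_user?"""
    mapped = table.user_for(ip)
    return mapped is not None and mapped.lower() == policy_user.lower()


if __name__ == "__main__":
    for flag in (False, True):
        t = rdp_scenario(flag)
        print(f"exclusion_list={flag}: 10.10.10.10 -> {t.user_for('10.10.10.10')}, "
              f"user1 policy matches={policy_matches(t, '10.10.10.10', 'user1')}, "
              f"overwrites={t.overwrites}")
```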