Jump to content


Photo

Wrong user detected


  • Please log in to reply
24 replies to this topic

#1 Jody Gosnell

Jody Gosnell
  • Members
  • 128 posts
  • LocationAlabama

Posted 21 June 2013 - 04:35 PM

My webfilter is detecting me as the wrong authenticated user and is blocking my web traffic. The web filter is detecting me a one of my domain service accounts that we use for random jobs. Any idea why that account is being picked up over my actual user account that I am logged into the pc with?



#2 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 21 June 2013 - 05:05 PM

Absolutely jody,

Your workstation is using an IP address that the previous person you appear authenticated as did. We have some articles on this if you contact support to discuss!

Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#3 Jody Gosnell

Jody Gosnell
  • Members
  • 128 posts
  • LocationAlabama

Posted 21 June 2013 - 05:08 PM

Sorry but I don't agree. I have a static IP set on my workstation and has been since I built it (several months). This issue has just started happening in the last couple days. Also, it is detecting a service account. The account is never actually used to logon to a pc. The account is only used to run scans of install software in case the logged on user doesn't have the privileges needed.

#4 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 21 June 2013 - 05:15 PM

Oh then I apologize for my initial guess :)

please call in so we can investigate!

Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#5 Bryson Anderson

Bryson Anderson
  • Members
  • 1 posts

Posted 25 June 2013 - 01:41 PM

We have experienced the exact same issue more than a few times. Support verified LDAP is setup correctly. Support had me change the "Apply Session parameters to DC Agent/eDirectory logins" under the User/Groups->Configuration tab to "yes".

The tech also offered up the DHCP/IP change which was untrue and I disagreed with as well. I personally don't believe the change he had me make will have any affect.

Mathew, can you post links to the articles you mentioned? Thanks!

#6 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 25 June 2013 - 01:56 PM

Since this is a very common scenario we've run into in the past, we have a knowledge base article on it.

https://www.barracud...60000000HbDBAA0

I am glad to hear your scenario was resolved as well!

Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#7 Jody Gosnell

Jody Gosnell
  • Members
  • 128 posts
  • LocationAlabama

Posted 25 June 2013 - 01:58 PM

Tech also went through the steps to verify LDAP was working with us. He made no mention of any settings to try on the Web Filter itself. They had me revert the DC Agent from 6.0 back to 4.6. Still having the same issues. Tech has said that the agent is only reporting what the DCs show and that they could do nothing more to help.

#8 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 25 June 2013 - 02:00 PM

From the case notes, the conclusion is that there are logon events picked for that IP on different DCs at different times, with different user names... therefore, traffic log will show the user that was picked at that specific moment.

There is no way to avoid this except to maybe limit what Domain controllers handle logon/logoff events for your user pool

Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#9 Jody Gosnell

Jody Gosnell
  • Members
  • 128 posts
  • LocationAlabama

Posted 25 June 2013 - 02:01 PM

Link posted by Mathew are really only if you use DHCP and are having this issue. I am set to a static IP and still experiencing the issues stated above. I understand Barracuda's side of this case. I just have to figure out how/why my pc is hitting several DC's with different usernames. I have no processes or services that run under any domain accounts. Just frustrating at the moment.

#10 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • LocationSan Jose, CA

Posted 25 June 2013 - 03:22 PM

some further points that may be causing these issues:

· Does each Domain Controller sit at different sites?
· Does each site have its own unique IP range?
· Are they any possible overlap of IPs between each site?
· Do users at each site authenticate specifically to that DC agent at its own site?
· Do they have any programs within their desktop that might use an LDAP credential to use a service that is not their own login? We would need to see if this service would create an login event.

Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#11 Jody Gosnell

Jody Gosnell
  • Members
  • 128 posts
  • LocationAlabama

Posted 01 July 2013 - 09:46 AM

I have 5 domain controllers: 2 at each main campus and 1 at a satellite campus
All sites have uniques IP schemes
no IP overlap possible
Yes
No

#12 Jim Flynn

Jim Flynn
  • Members
  • 1 posts

Posted 03 July 2013 - 06:22 PM

I work with Bryson; we are still experiencing this issue after the change suggested by support. We have three domain controllers in one site with several different IP ranges/VLANs.

#13 Brad Hiemstra

Brad Hiemstra
  • Members
  • 5 posts

Posted 08 December 2015 - 10:33 AM

Why are there so many posts about issues like this that never have a solution. They just drop off. I am having similar issues, and need some answers. I guess I should just scroll to the bottom of every post so I don't waste my time anymore.



#14 A Savage

A Savage
  • Members
  • 1 posts

Posted 11 April 2017 - 06:02 AM

No answers to this yet? We have an admin who is being detected as a normal user. We have two DCs at the same site. Her IP is static. There is really no reason this should be happening that I can see.



#15 Stefan Holzweber

Stefan Holzweber
  • Barracuda Team Members
  • 36 posts

Posted 11 April 2017 - 10:29 AM

Hello Angela,

 

usually this happens when LDAP is configured to authenticate users.

With LDAP authentication the Barracuda links the username with the IP address.

So when you have a terminal environment where multiple users getting linked with one IP address - then it might show a different user.

 

As with LDAP the user does not get logged out directly when the user leaves the workstation, it might also happen during the day when there are different users logging into the client that it shows a different one.

 

Under "User/Groups" > "Configuration" you can modify the session parameter to kick the users when they are idle or session length exceeded.

 

For terminal environment we recommend to use NTLM or Kerberos:

https://campus.barra...ChooseAuthType/

 

 

 

As the above is just what I expect it must not match with your issue.

Please feel free to contact support so we can take a look specific into your issue!

 

Thanks

Stefan



#16 Jody Gosnell

Jody Gosnell
  • Members
  • 128 posts
  • LocationAlabama

Posted 11 April 2017 - 10:54 AM

I have also seen this when a scan is being performed on the workstation with a user logged in.  For instance, user A is logged in and everything is working fine, I start a background scan to get machine information using a service account.  The Web filter immediately "sees" the service account as the logged in user and starts incorrectly applying policies to User A.  The only I have found to correct this is to have User A logout and back in.



#17 Stefan Holzweber

Stefan Holzweber
  • Barracuda Team Members
  • 36 posts

Posted 11 April 2017 - 11:14 AM

Hi Jody

 

in this scenario when you connect with a service account to another workstation, I would recommend to exempt the service account user from authentication.

You can do this under "User/Groups" > "Authentication" on the bottom of the page.

 

This way ONLY user A is authenticated against the client even when there is a service account also connected to the device.

 

Regards

Stefan



#18 Jody Gosnell

Jody Gosnell
  • Members
  • 128 posts
  • LocationAlabama

Posted 11 April 2017 - 11:19 AM

Will the web filter then always "see" user A as logged in or will it switch to an "unauthenticated" user and still apply the incorrect policies?



#19 Stefan Holzweber

Stefan Holzweber
  • Barracuda Team Members
  • 36 posts

Posted 12 April 2017 - 01:12 AM

when the service account connects to the same machine as user A - the service account does not get authenticated - only user A is linked with the IP - the webfilter sees user A for all traffic from that IP.

so it will apply the correct policies



#20 Cody Case

Cody Case
  • Members
  • 3 posts

Posted 24 May 2017 - 11:43 AM

when the service account connects to the same machine as user A - the service account does not get authenticated - only user A is linked with the IP - the webfilter sees user A for all traffic from that IP.

so it will apply the correct policies

How long does it take for this to go into effect? Or do we have to power cycle the web filter? We are having this exact issue. I have configured the service account as an "unauthenticated" user but I am still seeing the service account show up in the web log every few seconds when it should be the actual user logged on to the machine after 10 minutes. Please advise.