
DC Client authentication issue

dcclient dcagent msad ad

8 replies to this topic

#1 Brian Finley

Brian Finley
  • Members
  • 10 posts

Posted 06 June 2017 - 03:49 PM

I'm curious if I'm using the proper authentication method for my situation.

 

I've got an AD domain controller & DNS server.  I've got a few client computers on the network, and they each allow anyone with an AD account to log into them.  So there are various people that log in and out of each station.

 

Now, I have forwarding rules set up that are based on the group membership of those who log in.  For instance, someone in the domain admin group has access to things a domain user doesn't.

 

I'm using DC Client to sync the AD info.  The problem is, it only seems to sync the first person to log in.  So if a domain admin logs in and then logs out, a domain user can login and the DC Client (and the firewall) still see the admin logged in.  The firewall then lets the domain user use the domain admin authentication forwarding rules because it still thinks a domain admin is logged in, when it's really a domain user.

 

Should I be using a different method of authentication for my situation?  I need something that keeps closer eye on who's actually logged in, so I can perform checks on their AD group membership and know I'm allowing the right person access.


#2 Brett Frye

Brett Frye
  • Barracuda Team Members
  • 5 posts

Posted 06 June 2017 - 04:26 PM

Brian,

This should be the correct authentication method for your scenario, but we may want to look at the sync intervals and the session lengths to get this reported more accurately. What should be happening is: when the first user logs out and the new user logs in, the DC Agent should be sending the new login information to the firewall so that we are getting the currently logged-in user. If this is not happening, we want to take a look at the session lengths and the sync intervals. Another thing we would want to verify is the audit setting on the domain controller, and also verify that the DC Client is installed on, or is monitoring, each Domain Controller in the Domain.



#3 Brian Finley

Brian Finley
  • Members
  • 10 posts

Posted 06 June 2017 - 05:58 PM

There is only one domain controller, and the DC Agent is installed on the domain controller. 

 

Do you have recommended settings I should try for session length and interval?

 

I currently have the sync interval set to 5 in the DC Client Server Setting.  The DC Agent currently is set to cache groups at 15 minute intervals.  If it matters, the DHCP server (on the firewall) is renewing leases every 30 minutes.

 

Where and what else should I check?



#4 Stefan Hora

Stefan Hora
  • Barracuda Guru
  • 153 posts

Posted 07 June 2017 - 04:34 AM

It is important that the User logs off completely before the Admin logs on.

Most Admins just use Switch User and log in as Admin, and the original User is still logged on in the background. That may cause confusion for the DC-Agent.



#5 Manuel Huber

Manuel Huber
  • Members
  • 166 posts

Posted 07 June 2017 - 07:37 AM

I wonder why this is a problem as to my understanding only one user (the latest who logged in) is associated with a certain client IP address.

 

We actually faced the following "problem":

A user A was logged in to his work PC with his individual user. From this work PC he used the Remote Desktop application to log on to the Domain Controller with a Domain Admin user B. In doing so, the Domain Admin user B appeared in the DC security log with the IP address of the user's work PC. This kicked the user A out!

To my understanding this is default behaviour, so we solved it by some filters on DC Agent.

 

But now I'm curious how you managed to keep a user's IP active through DC Agent while at the same time another user used the same IP address...



#6 Brian Finley

Brian Finley
  • Members
  • 10 posts

Posted 07 June 2017 - 11:45 AM

It is important that the User logs off completely before the Admin logs on.

Most Admins just use Switch User and log in as Admin, and the original User is still logged on in the background. That may cause confusion for the DC-Agent.

 

What I did to test this is I logged my normal account in, which consists of brian.finley.  I loaded up NGAdmin and pulled up the firewall history and filtered for the IP address of the computer I was on.  As expected, there was recent traffic from my IP address, and the user was listed correctly, as brian.finley.

 

Then I signed out (completely), and loaded up using my admin credentials.  I then loaded NGAdmin again and checked the traffic on my IP address in the firewall history again.  Instead of seeing my admin account in the 'User' column, it still had brian.finley.



#7 Stefan Hora

Stefan Hora
  • Barracuda Guru
  • 153 posts

Posted 08 June 2017 - 08:10 AM

Hi Brian,

the login event at the DC should be recognized by the DC-Agent, and after 5 s at the latest the Firewall receives the new user at this IP and overwrites the old user.

 

Did you also check in the Firewall/Users tab or the DC-Authentication Service in Logs/Box/Control whether the DC-Agent has got the info from the DC-Agent?
Otherwise you might have to turn debugging on at the DC-Agent.

 

I saw once at a customer site in the firewall history that some packets were shown with the old user, then a few without any user, and then the correct user.

But I didn't check the time it took, and I also have had no time up to now to investigate that further.

 

Anyway, if you can reproduce the problem, then it is best to open a case with Barracuda and let us know what the reason was why it did not work as it should have.



#8 Stefan Hora

Stefan Hora
  • Barracuda Guru
  • 153 posts

Posted 08 June 2017 - 09:48 AM

I wonder why this is a problem as to my understanding only one user (the latest who logged in) is associated with a certain client IP address.

 

We actually faced the following "problem":

A user A was logged in to his work PC with his individual user. From this work PC he used the Remote Desktop application to log on to the Domain Controller with a Domain Admin user B. In doing so, the Domain Admin user B appeared in the DC security log with the IP address of the user's work PC. This kicked the user A out!

To my understanding this is default behaviour, so we solved it by some filters on DC Agent.

 

But now I'm curious how you managed to keep a user's IP active through DC Agent while at the same time another user used the same IP address...

 

Hi Manuel, what did you filter? On the Administrator username or something else?



#9 Brian Finley

Brian Finley
  • Members
  • 10 posts

Posted 13 June 2017 - 04:12 PM

Hi Brian,

the login event at the DC should be recognized by the DC-Agent, and after 5 s at the latest the Firewall receives the new user at this IP and overwrites the old user.

 

Did you also check in the Firewall/Users tab or the DC-Authentication Service in Logs/Box/Control whether the DC-Agent has got the info from the DC-Agent?
Otherwise you might have to turn debugging on at the DC-Agent.

 

I saw once at a customer site in the firewall history that some packets were shown with the old user, then a few without any user, and then the correct user.

But I didn't check the time it took, and I also have had no time up to now to investigate that further.

 

Anyway, if you can reproduce the problem, then it is best to open a case with Barracuda and let us know what the reason was why it did not work as it should have.

 

 

Maybe the issue might be caused by me being logged in at more than one spot?  I checked the user listing and my admin account is shown as being logged in at a couple of other IP addresses (on other client workstations on the network). I really am logged in on those other systems as well.

 

I took a laptop and turned it on, and logged in a test user (that wasn't in the user listing at all), and the DC Agent log immediately showed the test user login and IP address of the laptop.  Then I signed out of the account, logged in my admin user and the DC Agent did not show anything in the log.  The test user stayed in the listing for the laptop's IP address.

 

So DC Agent is communicating, because it showed the test user hitting the DC Agent log a fraction of a second after hitting the ENTER key to log the account in.  But it didn't show anything when I logged in my admin user.
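The two failure modes discussed in this thread (a logon event that never reaches the firewall, so the previous user's group rights stay attached to the IP; and an admin's RDP logon to the DC being recorded with the workstation's IP, which Manuel handled with a username filter) can be shown with a small model of the IP-to-user table an identity-aware firewall keeps. This is an added illustration, not Barracuda DC Agent or firewall code; the timestamps, usernames, IPs and the session-length expiry are constructed assumptions.

```python
"""Model of an IP -> user mapping fed by DC logon events (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

DOMAIN_USERS = frozenset({"Domain Users"})
DOMAIN_ADMINS = frozenset({"Domain Users", "Domain Admins"})

@dataclass
class LogonEvent:
    user: str
    ip: str
    t: int               # seconds since start of the scenario (constructed)
    groups: frozenset    # AD group membership cached for the user

@dataclass
class UserTable:
    session_len: int                          # entry expires after this many seconds
    ignore_users: frozenset = frozenset()     # usernames never mapped (Manuel's filter)
    entries: dict = field(default_factory=dict)  # ip -> (user, groups, seen_at)

    def apply(self, ev: LogonEvent) -> bool:
        if ev.user in self.ignore_users:
            return False                      # filtered event leaves the mapping untouched
        self.entries[ev.ip] = (ev.user, ev.groups, ev.t)   # newest logon for an IP wins
        return True

    def lookup(self, ip: str, now: int) -> Optional[tuple]:
        e = self.entries.get(ip)
        if e is None or now - e[2] > self.session_len:
            return None                       # no entry or the session has aged out
        return e

    def allowed(self, ip: str, now: int, required_group: str) -> bool:
        e = self.lookup(ip, now)
        return e is not None and required_group in e[1]

def stale_admin_scenario(session_len: int) -> dict:
    """Admin logs on, signs out at t=60; the next user's logon at t=70 never arrives."""
    tbl = UserTable(session_len=session_len)
    tbl.apply(LogonEvent("admin", "10.0.0.5", 0, DOMAIN_ADMINS))
    return {"before_logoff": tbl.allowed("10.0.0.5", 30, "Domain Admins"),
            "after_missed_logon": tbl.allowed("10.0.0.5", 120, "Domain Admins")}

def rdp_scenario(filter_admin: bool) -> Optional[str]:
    """User A on a workstation; admin B RDPs to the DC and is logged with A's IP."""
    ignore = frozenset({"adminB"}) if filter_admin else frozenset()
    tbl = UserTable(session_len=3600, ignore_users=ignore)
    tbl.apply(LogonEvent("userA", "10.0.0.7", 0, DOMAIN_USERS))
    tbl.apply(LogonEvent("adminB", "10.0.0.7", 10, DOMAIN_ADMINS))
    e = tbl.lookup("10.0.0.7", 20)
    return e[0] if e else None
```

With a long session length the stale admin entry keeps granting Domain Admins rights to whoever uses the IP next; a short session length bounds that window, and the username filter keeps the workstation mapped to user A when admin B's RDP logon is recorded against that IP.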