If you log in to a remote host using Remote Desktop Protocol (RDP) and the remote username is different from your own, the FireSIGHT System changes the user that is associated with your workstation's IP address on the FireSIGHT Management Center. Because Access Control rules are evaluated against that user-to-IP mapping, the permissions applied to your traffic change, and you will notice that an incorrect user is associated with your workstation. This document explains the cause and provides a solution for this issue.
Cisco recommends that you have knowledge of the FireSIGHT System and the User Agent.
Note: The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This issue occurs because of the way Microsoft Active Directory (AD) logs RDP authentication attempts to the Windows Security log on the Domain Controller. AD logs the authentication attempt for the RDP session against the IP address of the originating host rather than the IP address of the RDP endpoint you are connecting to. If you log in to the remote host with a different user account, that account becomes the user associated with your original workstation's IP address.
To confirm that this is what is occurring, compare the logon event generated by your original workstation logon with the logon event generated by the RDP session: both will show the same IP address.
To find these events, follow these steps:
Step 1: Determine the Domain Controller that your host is authenticating against.
Run the following command:
C:\Users\WinXP.LAB>nltest /dsgetdc:support.lab
           DC: \\Win2k8.support.lab
      Address: \\192.X.X.X
     Dom Guid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
     Dom Name: support.lab
  Forest Name: support.lab
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS 0x4000
The command completed successfully
The line that starts with "DC:" is the name of the Domain Controller, and the line that starts with "Address:" is its IP address.
Step 2: Using RDP, log in to the Domain Controller identified in Step 1.
Step 3: Go to Start > Administrative Tools > Event Viewer.
Step 4: Drill down to Windows Logs > Security.
Step 5: Filter for the IP address of your workstation by clicking Filter Current Log, clicking the XML tab, and clicking edit query.
Step 6: Enter the following XML query, substituting your IP address for <ip address>
Complete these same steps after logging in via RDP, and you will notice that you receive another logon event (Event ID 4624) with the same IP address, as shown by the following line from the logon event XML data of the original logon:
To mitigate this issue, if you are using User Agent 2.1 or later, you can exclude any accounts that you use primarily for RDP in the User Agent configuration.
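The same check can be scripted on the Domain Controller instead of clicking through Event Viewer. The following PowerShell is an added example and is not part of the Cisco document; it assumes it runs on the Domain Controller with rights to read the Security log, and the XPath filter and event field names (TargetUserName, IpAddress, LogonType, WorkstationName) are standard Event ID 4624 fields, not a query taken from this document.

```powershell
# Added example (not from the Cisco document): list Security log 4624 logon events
# whose IpAddress field matches a given workstation IP, and flag the symptom the
# document describes: more than one username attributed to the same originating IP.
param(
    [Parameter(Mandatory = $true)][string]$WorkstationIp,   # IP of your original workstation
    [int]$Hours = 24                                         # how far back to search
)

# XPath over the Security log: Event ID 4624 within the time window whose
# EventData "IpAddress" equals the workstation IP (same idea as the
# Event Viewer "Filter Current Log > XML" query in the document).
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $($Hours * 3600000)]]" +
         " and EventData[Data[@Name='IpAddress']='$WorkstationIp']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the event XML so the named EventData fields can be read by name
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $d['LogonType']    # 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP)
        IpAddress   = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Skip computer accounts (names ending in $) and report if several distinct
# user accounts were logged against this one IP: the most recent one is what
# the User Agent will report to the FireSIGHT Management Center for that IP.
$users = $rows | Where-Object { $_.User -notlike '*$' } |
         Select-Object -ExpandProperty User -Unique
if (@($users).Count -gt 1) {
    Write-Warning "Multiple users attributed to ${WorkstationIp}: $($users -join ', ')"
}
```

Run it as `.\Find-LogonsByIp.ps1 -WorkstationIp 192.X.X.X` (script name assumed); the warning line is the condition that triggers the incorrect user-to-IP mapping described above.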
Step 1: Log into the User Agent Host.
Step 2: Launch the User Agent user interface.
Step 3: Click on the Excluded Usernames tab.
Step 4: Enter all usernames you wish to exclude.
Step 5: Click Save.
Users entered in this list do not generate logon events on the FireSIGHT Management Center and are not associated with IP addresses.