
You can enable Identity Mapping on the NIOS appliance to provide Active Directory domain user information when the NIOS appliance is connected to a Microsoft server. This feature supports Active Directory domains whose domain controller is running a supported Windows Server version. For more information on supported Windows versions, see Supported Windows Versions.
Identity Mapping is not supported on Windows Server 2003 and earlier editions, nor on the IB-VM-810 and IB-VM-820 appliances.
Each network user being mapped can use different devices to access the Windows environment, so enabling the identity mapping feature and synchronizing all Microsoft servers with the Infoblox appliance provides visibility into how users interact with their environments. With this feature enabled, the IPAM tab shows Active Directory domain users, the IP addresses they log on to, their login status, and how long they have been in their current status.
To view user information, you must first enable this feature at the Grid level. You can enable it even if no MS Management license is installed on the appliance. However, you cannot configure DNS, DHCP, and Active Directory sites synchronization unless an MS Management license is installed.
When you enable this feature, the appliance remotely communicates with all synchronized Microsoft servers (Domain Controllers, an Exchange server, or a domain member) to pull event logs. The identity mapping information displayed is only as accurate as the event logs that are available in the Microsoft authentication logs. Therefore, you must assign Grid members to Microsoft servers so that user information can be collected from the Windows event logs. For information, see Assigning Grid Members to Microsoft Servers.

Note: The identity mapping information displayed on NIOS depends entirely on the live event logs available on the Microsoft servers. The appliance pulls event logs incrementally, so each subsequent request pulls only the logs written since the last successful synchronization. To avoid data loss, consider the expected activity level, the size of the event log file on the Microsoft server, and how often you want to synchronize data with the appliance before the event log file rolls over.

...

...

Prerequisites on the Microsoft Server

You must enable event logs on the Microsoft server for the Identity Mapping feature to function properly. To enable event logging on Microsoft servers, refer to https://technet.microsoft.com/en-us/library/dd941595%28v=ws.10%29.aspx.
Identity mapping information is collected successfully only when the Microsoft user account that the appliance uses belongs to both the Domain Users group and the Event Log Readers group, so that it can start an RPC session and access MS-EVEN6. Synchronization succeeds when the account has this permission and fails unless the appropriate permissions are granted. Failed operations are logged in the Microsoft logs, and the NIOS appliance tries to collect user information again in the next synchronization.

...

Administrative Permissions

Superusers can always view identity mapping information. Limited-access admin groups can view it only if they have network permissions. For example, admins whose permissions cover only DNS zones may not be able to view identity mapping information because they lack network permissions. The appliance does not display a warning message when admins do not have the required permissions. For information about network permissions, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks.

...

...

About User Sessions

A user session is an abstract concept that describes a single user logged in from a network address for a finite period of time. A user session starts when a Kerberos account authentication event or a login event is received and ends when a logout event is received, although such an event may never arrive. In that case, the session is considered to have timed out. Network user associations are unique for a finite period of time, and a single login typically generates a number of login and logout events. To consolidate these events and improve system performance, Infoblox uses the concept of a consolidation window. If a login event or Kerberos service ticket is received within the consolidation window, it is treated as an extension of the previous session; if it is received outside the window, it starts a new session. The number of network users you see therefore depends on the length of the consolidation window.
For example, consider the following sample events that occurred on the Microsoft server when the consolidation window is set to 10 minutes:

...

Login Scenarios and the User Mapping Information the Appliance Displays

Scenario: Mobile user logging in to the Microsoft Exchange server
Displayed: Note that you must first synchronize both the Domain Controller and the Microsoft Exchange server with the appliance to get user mapping information for this scenario. For this example, two entries are displayed:

  1. User name and IP address of the Microsoft Exchange server on the Domain Controller.
  2. User name and IP address of the mobile device on the Microsoft Exchange server.

Scenario: Multiple users from the same IP address
Displayed: The appliance displays a separate entry (user name and IP address) for each user and IP address pair.

Scenario: Same user from multiple IP addresses
Displayed: The appliance displays a separate entry (user name and IP address) for each user and IP address pair.

...

...

Login and Logout Timestamps

Note that all timestamps are displayed in the time zone of the admin account that you use to log in to the appliance. Login and logout events can be missed in the following cases:

...

To maintain accuracy when no login event is available, the login timestamp is estimated as the logout timestamp minus the idle timeout. When a login or Kerberos authentication event is later received, the login timestamp is updated to the value carried in that Kerberos authentication event or login event.
To maintain accuracy of the logout time, the appliance lets you configure the idle time length in the Grid Properties Editor wizard. After this interval elapses without activity, the status of the user changes to Timed Out. For information about setting the timeout length, see Configuring Active User Timeout Session.
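The consolidation window and the timestamp rules described above (session extension within the window, a new session outside it, idle timeout, and the estimated login time of logout minus idle timeout) are illustrated by the following added example. It is not NIOS code; the window and timeout values, the event shapes, and the rule that a session superseded by a new login without a logout is marked Timed Out are all assumptions made for this illustration.

```python
from datetime import datetime, timedelta
# Assumed values for this illustration; NIOS makes both configurable in the Grid Properties Editor.
CONSOLIDATION_WINDOW = timedelta(minutes=10)
IDLE_TIMEOUT = timedelta(minutes=30)

def consolidate(events, now, window=CONSOLIDATION_WINDOW, idle=IDLE_TIMEOUT):
    """Fold raw (timestamp, user, ip, kind) events into user sessions.
    kind is "login", "kerberos" (service ticket/authentication) or "logout".
    A login/kerberos event within `window` of the previous event for the same
    (user, ip) extends the open session; outside it, a new session starts."""
    sessions, open_by_key = [], {}
    for ts, user, ip, kind in sorted(events):
        key = (user, ip)           # every user/IP pair is its own entry
        cur = open_by_key.get(key)
        if kind in ("login", "kerberos"):
            if cur is not None and ts - cur["last_seen"] <= window:
                cur["last_seen"] = ts             # extension of the previous session
                continue
            if cur is not None:                   # superseded without a logout
                cur["status"] = "Timed Out"       # (assumption: treat as timed out)
            cur = {"user": user, "ip": ip, "login": ts, "last_seen": ts,
                   "logout": None, "status": "Logged In"}
            sessions.append(cur)
            open_by_key[key] = cur
        elif kind == "logout":
            if cur is None:                       # login event was never received:
                cur = {"user": user, "ip": ip, "login": ts - idle,  # estimate login
                       "last_seen": ts, "logout": None, "status": "Logged In"}
                sessions.append(cur)
            cur["logout"], cur["status"] = ts, "Logged Out"
            open_by_key.pop(key, None)
    for s in open_by_key.values():                # still open: apply the idle timeout
        if now - s["last_seen"] > idle:
            s["status"] = "Timed Out"
    return sessions

START = datetime(2024, 1, 1, 9, 0)
m = lambda n: START + timedelta(minutes=n)
SAMPLE_EVENTS = [  # constructed sample, not real event-log data
    (m(0), "alice", "10.0.0.5", "login"),
    (m(5), "alice", "10.0.0.5", "kerberos"),   # 5 min later: extends session 1
    (m(12), "alice", "10.0.0.5", "kerberos"),  # 7 min after last event: still extends
    (m(30), "bob", "10.0.0.5", "login"),       # same IP, other user: separate entry
    (m(40), "alice", "10.0.0.5", "login"),     # 28 min gap: new session for alice
    (m(45), "alice", "10.0.0.5", "logout"),
    (m(50), "carol", "10.0.0.9", "logout"),    # no login seen: login is estimated
]
def run_sample():
    return consolidate(SAMPLE_EVENTS, now=m(120))
```

Running `run_sample()` yields four entries: two for alice (the first timed out, the second logged out after 5 minutes), one for bob (timed out after 30 minutes of inactivity), and one for carol whose login is back-dated by the idle timeout.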

Note: The Timed Out and Logged Out user information is periodically removed from the database.

...

Viewing Active Directory User Information

To view Active Directory user information, you must first enable the identity mapping feature at the Grid level. For information about enabling the feature, see Enabling Identity Mapping. After you enable identity mapping, you must synchronize the appliance with all Microsoft servers so that it can gather user and device mapping information from them. You can then view Active Directory user information in the Network Users tab. For more information, see Viewing Active Network Users.
To synchronize the appliance with Microsoft servers:

  1. From the Grid tab, select the Grid Manager tab, and then select Grid Properties -> Edit from the Toolbar.
  2. Select the Microsoft Integration tab in the Grid Properties Editor wizard, and complete the following:
    • Synchronize Network Users with all MS servers: Select this checkbox to synchronize users with all Microsoft servers that are managed by the Grid in order for the appliance to gather user and device mapping information from the Microsoft server authentication logs. You can override this value at the Microsoft server level.
Note: On an Infoblox appliance, the Enable Network Users Feature and Synchronize Network Users with all MS servers options are disabled by default for all new installations.

...