KB Article | Forcepoint Support

Notes & Warnings

Important If you are on version 8.4 or higher, or already have the 8.2 or 8.3 hotfix installed and DC Agent is not identifying users as expected, see DC Agent for 8.4 and Higher Troubleshooting.


Problem Description

Some organizations using DC Agent for user identification with any Forcepoint web security solution may find that some users' policies are not applied correctly after the installation of MS16-072 (released in June 2016; KB3159398). This occurs because the Windows update interferes with DC Agent's ability to add information to the user map. The update may cause issues when applied to the TRITON management server, domain controllers, and/or user workstations.

If you use DC Agent for user identification – either as the primary method or as a backup for proxy authentication or Logon Agent – be aware of the following situations in which DC Agent can be adversely affected:

  • Microsoft Windows update MS16-072 impacts the way user logons create net sessions. As a result, DC Agent may no longer be able to obtain the user information as consistently as it did prior to the Microsoft update. See the help topic How DC Agent identifies users for more information.

  • Users not performing daily network logons, or not performing other network actions that create a logon session on a Domain Controller, can impact DC Agent's performance. DC Agent relies on a logon session being present on a domain controller throughout the agent polling interval (default is every 10 seconds).

  • DC Agent can also be adversely affected by network adapter changes. This includes a change from wired to wireless, or a change to a VPN.

Mitigation Strategies

Consider these mitigation tactics to initiate end-user logon sessions:

Consider these mitigation tactics to ensure the correct policy is used when users cannot be identified:

  • If you use static IPs, you can assign policies by IP under Clients in TRITON Manager so that users receive their correct policy.
  • If you use dynamic IPs but have defined a specific IP range in DHCP for a group that uses the same (non-default) policy, you can add this IP range under Clients in TRITON Manager so that these users receive the correct policy.

Reliable Alternatives to DC Agent

At organizations that encounter any difficulties with DC Agent, the following alternatives are highly effective:

  • Logon Agent (see deployment documentation)
  • Proxy Authentication (see deployment documentation for Integrated Windows Authentication)


Resolution

To determine whether the DC Agent issue is caused by the Windows update, first verify whether Microsoft Windows update MS16-072 (kb3159398) is installed.

Determine whether Microsoft Windows update MS16-072 (kb3159398) is installed

On each server that hosts TRITON Manager, DC Agent, or a Domain Controller:

  1. Open Control Panel.
  2. Click System, and then click Windows Update.
  3. Click View Update History, and then click the Installed Updates link.
  4. Allow Control Panel time to populate the list. After the list is complete, type kb3159398 in the Search Installed Updates bar at the top left.

If the update is installed, continue with the next actions described below for your installed version.

For version 8.4

Review the notes under "About the hotfix" later in this article to ensure that your installation provides the correct rights for directory object authentication. If a Domain Admin account is not already in use, the DC Agent service account's domain group membership (its Member Of list) must include Event Log Readers. See the instructions later in this article.

For version 8.3

  1. Download the hotfix V8.3.0 HF03 Adds DCAgent Support For MS3159398 (log on required).
  2. Install the hotfix on every Windows Server where DC Agent is installed. Refer to notes in "About the hotfix" later in this article.

For version 8.2

  1. Download the hotfix V8.2.0 HF 14 Adds DC Agent Support for MS3159398 (log on required).
  2. Install the hotfix on every Windows Server where DC Agent is installed. Refer to notes in "About the hotfix" later in this article.

For versions 8.1 or earlier

Do one of the following:

  1. Deploy a suggested alternative user identification method. See "Reliable Alternatives to DC Agent" earlier in this article; or
  2. Upgrade to version 8.2 or later and apply the corresponding hotfix.

About the hotfix

The hotfix makes these changes:

  • Updates the authentication method from NetSession to Event Log.
  • Updates transid.ini, or ensures that it is created after installation if it does not already exist. See the hotfix readme file for configuration and settings details.
  • Requires that the service account used for DC Agent be given Event Log Readers group membership from the domain, as well as for User Service. If you are using a Domain Admin account, Event Log Readers should already be part of its membership.

To ensure the hotfix functions correctly, ensure that all of the following conditions are true on each DC Agent server where the hotfix is installed:

  1. In Active Directory, the service account used for the DC Agent service logon is a member of Event Log Readers (listed on its Member Of tab).

  2. On the Domain Controllers, ports 135 and 49153 are accessible from the DC Agent server.

  3. The transid.ini file exists in the bin folder. If it does not exist, create it with:
    [DCAgent]
    UseEventSubscriber=true

  4. In TRITON, the best practice is for Directory Services > Domain Controllers to be set by IP address instead of hostname. If hostname is used, it is possible that DC Agent will fail to connect.

  5. If DC Agent does not retrieve any events, or does not retrieve "Success" from Event Viewer:

    1. Open Control Panel > Administrative Tools > Group Policy Management.

    2. Navigate through the drop downs to Domain Controllers > Default Domain Controllers Policy. Right-click Default Domain Controllers Policy, and then select Edit.

    3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon.

    4. In the pane on the right, enable the Success option for both Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations. For each of the two Kerberos policies, right-click it, select Properties, enable Configure the Following Audit Events, select the Success option, and click OK.

    5. Allow several minutes for this change to take effect before trying again.

  6. Reboot the server where DC Agent is installed. Users should begin to populate the map immediately. Testing overnight, as users fall off the map, is suggested.

Note In TRITON, if your Domain Controllers under Directory Services are set by hostname instead of IP address, it is possible that DC Agent will fail to connect. It is best practice to use IP addresses instead to prevent this conflict.
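As an added example (not Forcepoint's code and not part of this article), the PowerShell below checks the hotfix conditions listed above from the DC Agent server: whether KB3159398 is present, Event Log Readers membership, the transid.ini setting, reachability of ports 135 and 49153, and whether Success events from the two Kerberos audit subcategories can actually be read from each Domain Controller's Security log. The DC names, bin folder path and service account name are placeholders, and the ActiveDirectory (RSAT) module is assumed for the group check.

```powershell
# Added example, not Forcepoint's code. Run on the DC Agent server, logged on
# as the DC Agent service account so the Security-log read test exercises the
# rights that account will have. Placeholders below are not from the article.
param(
    [string[]]$DomainControllers = @('DC01.example.com'),     # placeholder
    [string]  $DcAgentBin        = 'C:\Path\To\DCAgent\bin',  # placeholder
    [string]  $ServiceAccount    = 'svc-dcagent'              # placeholder
)
$results = @()
function Add-Result($Check, $Target, $Ok, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Target = $Target; OK = [bool]$Ok; Detail = "$Detail" }
}

# 1. Is the Windows update (KB3159398 / MS16-072) installed locally and on each DC?
foreach ($srv in @($env:COMPUTERNAME) + $DomainControllers) {
    $hf = Get-HotFix -Id 'KB3159398' -ComputerName $srv -ErrorAction SilentlyContinue
    $detail = if ($hf) { "installed $($hf.InstalledOn)" } else { 'not found' }
    Add-Result 'KB3159398 installed' $srv $hf $detail
}

# 2. Service account is a member of the domain's Event Log Readers group
#    (Get-ADGroupMember comes from the ActiveDirectory module in RSAT).
$members = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive -ErrorAction SilentlyContinue
$inGroup = $members.SamAccountName -contains $ServiceAccount
Add-Result 'Event Log Readers member' $ServiceAccount $inGroup "$(@($members).Count) members found"

# 3. transid.ini exists in the bin folder with UseEventSubscriber=true under [DCAgent].
$ini   = Join-Path $DcAgentBin 'transid.ini'
$iniOk = (Test-Path $ini) -and
         ((Get-Content $ini -Raw) -match '(?ms)^\[DCAgent\].*?^\s*UseEventSubscriber\s*=\s*true\s*$')
Add-Result 'transid.ini configured' $ini $iniOk $ini

# 4 and 5. Per DC: RPC ports reachable, and Audit Success events 4768/4769 (the IDs
#    written by Audit Kerberos Authentication Service and Audit Kerberos Service
#    Ticket Operations) readable remotely from the Security log.
$auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
foreach ($dc in $DomainControllers) {
    foreach ($port in 135, 49153) {
        $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        Add-Result "TCP $port reachable" $dc $tnc.TcpTestSucceeded $tnc.RemoteAddress
    }
    try {
        $ev = Get-WinEvent -ComputerName $dc -MaxEvents 1 -ErrorAction Stop `
              -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; Keywords = $auditSuccess }
        Add-Result 'Kerberos Success events readable' $dc $true "latest: $($ev.TimeCreated)"
    } catch {
        # No events means the audit policy is off, the account lacks read rights, or RPC is blocked.
        Add-Result 'Kerberos Success events readable' $dc $false $_.Exception.Message
    }
}
$results | Format-Table -AutoSize
```

Any row with OK = False points at the corresponding numbered condition above; the last check fails for the same reasons step 5 describes, so fix the audit policy before re-running it.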

Remember that some users will not be identified and will appear only as IP addresses when not authenticated with Active Directory:

  • Users on a Mac OS
  • Users on a Linux OS
  • Users on a wireless device such as a phone or a tablet
  • Guest users
  • Other devices on the network that lack Active Directory credentials but may call out to the internet



Keywords:
UA; user identification; directory services; DCAgent; xid; dc agent; authentication; windows update; policy; MS16-072; 8.4
