Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Cesar_Santos
Explorer

Identity Agent | Run App as admin

Hi Checkmates,

Let me share a quick question with you. So, what's the behaviour of the Identity Agent if a Domain Admin runs an Application as Administrator in a Windows session of a normal user? It will send an update to the Gateway with a new mapping of the IP and the user admin? In that case, the rules applied on the gateway will be far more distinct that if the user mapping remains with the normal user. Is there a way to exclude the Administrator user from the events of the Identity Agent logs and updates? I've searched the documentation, but I've found nothing about this. Can anyone share knowledge on this?

Thanks in advance.

0 Kudos
4 Replies
Elad_Shoval
Employee
Employee

Hi Cesar,

Are you asking about the Identity Agent or the Terminal Service (AKA MUH Agent)?

In Identity Agent, a user must authenticate with Username/Password or via Kerberos ticket. Even if the Administrator will run an app in a Windows session of a normal user, no update will be sent to the Security Gateway, because the authentication was done with the normal user credentials. 

Please let me know if you have additional questions,

 

Elad Shoval | Team Leader, Identity Awareness, Identity Clients, R&D

0 Kudos
Cesar_Santos
Explorer

Hi Elad,

This is about the Identity Agent, not the MUH.

Are you sure that if I run an application in windows as administrator, the Identity Agent will just ignore that? Because we have a customer exactly wit this problem. So, basically the the end users are working properly, with the correct rules being applied, all normal. But, if a guy of the IT team run a software as administrator and uses his admin credentials, the Identity Agent running on background will pass a new IP/user mapping to the Gateway and the applied rules will be totally different. The only workaround that we know that works is to logoff and then logon again on the windows machine, which is not practical for our end users.   

Any suggestion,

César Santos

0 Kudos
PhoneBoy
Admin
Admin

Are the admins elevating privileges when they run, say, the installer or are they doing a full desktop login to the same system?

0 Kudos
Cesar_Santos
Explorer

Hi,

The admins are elevating privileges when they install a new application, for example. It's not a full desktop login.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events