Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Stefano_Cappell
Explorer

Identity awareness Users limit

Hi

Can someone help me interpret this logs?

2020-11-16 16_17_37-poller - 172.20.3.2 - Connessione Desktop remoto.png

(note that this has been filtered with the ip 10.0.4.80)

The person who is complaining about the malfunctioning Identity awareness told me that he logged into the machine 10.0.4.80 with his user and from that machine he used other credentials (that can be seen expiring alltogether at 16:53.05) to log into other machines for example in RDP. The malfunctioning that he's experiencing is that the url-filtering doesn't let him into pages permitted for his user.

 

Now it seems like those credentials have been detected by the Identity awareness and, at some point, the highlighted alert popped up (Machine (machine name) at (IP address) has 1 users (or more) currently connected to it, and will be automatically ignored).

Now I've read something about that message, and it seems to me that the outcome of reaching that threshold should not be a ban.

 

Is there anything suspicious that could have caused the reported malfunctionig or is this actually ok?

 

Thanks

0 Kudos
Reply
2 Replies
Kaspars_Zibarts
Authority
Authority

@Royi_Priov why would IA expire all 7 sessions at once there? I thought it would simply disallow 8th user IP association on the same machine.

0 Kudos
Reply
Royi_Priov
Employee
Employee

Hi @Stefano_Cappell ,

From what I understand, all the users logged in to this machine are service accounts (besides the real user).

I do recommend filtering out service accounts as it will both save GW resources and not process them, and also avoid such scenarios.

Please read about service accounts under sk86441 ("Filter-out service accounts").

 

@Kaspars_Zibarts - once we understand that more than 7 users were logged into one machine, all these identities are revoked as we are tagging this machine as MUH machine. According to our decision, having too many users (and access roles, due to that) on one machine can cause permission escalated to some of the users, and we would like to avoid that). Thanks for tagging me btw 😎

Thanks,
Royi Priov
Group manager, Identity Awareness R&D