Running reports on users across different Windows domains

book

Article ID: 166875

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

With IWA authentication enabled on the proxy, it's possible to have users authenticating to multiple Windows domains.

By default, in Reporter you only see the usernames, with no way to differentiate between the different domains.
This also potentially results in data for two different users being combined into a single report.

For example, if you have the following domain name and user name combinations, the data for "user1" will appear combined:

DOMAIN1\user1

DOMAIN2\user1

 

 

Resolution

PLEASE NOTE: 

  • This modification will cause any LDAP-enabled report filters and roles to cease functioning.
  • LDAP filters rely on a simple username being present in the access logs, rather than the full username including the domain name.

In order to see the usernames in "Domain\user" format in Reporter, the access log format on the ProxySG needs to be modified to use the "cs-user" instead of "cs-username" field.

Create a new access log format using "cs-user"

  1. Log into the ProxySG management console by going to https://<proxy-IP>:8082.
  2. Go to Configuration tab and navigate to Access Logging > Formats.
  3. Choose the "bcreportermain_v1" format and select Edit / View.
  4. Copy the entire ELFF string into the clipboard and select Cancel.
  5. To create a new access log format, select New.  Clear the existing ELFF string and paste in the copied string.
  6. Find the cs-username field and change it to: cs-user.
  7. Choose a new name for the new access log.

Next, the access log that is being sent to Reporter needs to be configured to use the new format that you just created:

  1. Navigate to Access Logging > Logs and select the General Settings tab.
  2. From the Log drop-down list, choose the access log that's being uploaded to Reporter.
  3. Choose the new format from the Log format drop-down list, and click Apply to save the changes. Accept the warning that appears.

After these changes are complete, Reporter will begin to receive the logs with the new format, and user names appear with the "Domain\username" format in Reporter.

This change enables you to use the "User" report filter to separate different domains and also identical usernames under different domains.

NOTE:  The username change will not retroactively apply to any data that's already in Reporter. For clarity, you may want to clear out your current database to avoid having a mixture of username formats in it.

See 000010417 for more information on rebuilding the database without losing any custom reports.