How does the Auth Connector build the IP-to-User map using Domain Controller Query (DCQ)?

Article ID: 225829

Products

Web Security Service - WSS

Issue/Introduction

The Auth Connector uses either Domain Controller Query (DCQ) or the AClogon script to provide default authentication for the IPsec access method.

This article explains how Domain Controller Query (DCQ) works and how the IP-to-User map is built using DCQ.

Resolution

Here is how the Auth Connector builds the IP-to-User map using Domain Controller Query (DCQ):

  • Windows workstations establish an SMB session with a DC when a domain user logs in.
  • The Auth Connector queries the DCs for active SMB sessions.
  • At 10-second intervals, the Auth Connector calls the Microsoft API NetSessionEnum() to obtain a list of sessions.
  • The Auth Connector then uses LookupAccountName() and LookupAccountSid() to identify the users and their IPs from each Domain Controller that it can successfully connect to.
  • For each active session, the client IP address and username are retrieved and stored in an IP-to-user lookup table.
  • The SMB sessions time out after 45 seconds.
  • The Auth Connector only captures logons, not logouts. When a new user session is found on an IP that already exists in the table, the old entry is removed.
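The table rules above, as an added example that is not Broadcom's code: a small Python model that replays constructed NetSessionEnum-style session records through an IP-to-user table with the same logon-only, replace-on-new-user semantics. The record fields, the 45-second age filter and the DC names are assumptions made for the simulation.

```python
# Added simulation (not Broadcom's code) of the DCQ IP-to-user map logic the
# article describes. Session records are constructed to mimic the level-10
# fields NetSessionEnum() returns; filter and merge rules are assumptions.
from dataclasses import dataclass

SESSION_TIMEOUT_S = 45  # SMB sessions on the DC time out after 45 s


@dataclass(frozen=True)
class Session:
    client_ip: str  # sesi10_cname: client that opened the session
    user: str       # sesi10_username, resolved via LookupAccountName/Sid
    age_s: int      # sesi10_time: seconds since the session was set up


def visible_sessions(sessions):
    """Sessions one NetSessionEnum() poll (every 10 s) would still return:
    those not yet past the 45-second SMB timeout (assumed model)."""
    return [s for s in sessions if s.age_s <= SESSION_TIMEOUT_S]


def merge_poll(ip_map, dc, sessions):
    """Merge one DC poll into the table. Only logons are captured, so an IP
    whose session vanished keeps its entry; a different user appearing on
    an IP already in the table replaces the old entry for that IP."""
    for s in visible_sessions(sessions):
        old = ip_map.get(s.client_ip)
        if old is not None and old["user"] != s.user:
            del ip_map[s.client_ip]  # old entry removed before the new one
        ip_map[s.client_ip] = {"user": s.user, "dc": dc}
    return ip_map


def build_map(polls):
    """Apply a sequence of (dc_name, sessions) polls and return the table."""
    ip_map = {}
    for dc, sessions in polls:
        merge_poll(ip_map, dc, sessions)
    return ip_map


# Constructed scenario: alice logs on at 10.0.0.5 (seen on DC1), her session
# ages past the timeout, then bob logs on from the same IP (seen on DC2).
SCENARIO = [
    ("DC1", [Session("10.0.0.5", "CORP\\alice", 3)]),
    ("DC1", [Session("10.0.0.5", "CORP\\alice", 60)]),  # past 45 s: dropped
    ("DC2", [Session("10.0.0.5", "CORP\\bob", 4),
             Session("10.0.0.9", "CORP\\carol", 8)]),
]
```

Because logoffs are never observed, an IP keeps the identity of its last seen logon until another user's logon appears on it, which is the attribution risk to keep in mind for shared or quickly re-assigned addresses.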