Portal authentication logging
search cancel

Portal authentication logging

book

Article ID: 261721

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

The Release Notes for Information Centric Analytics (ICA) 6.6 lists Enhanced Logging under the What's New in Symantec ICA Version 6.6, with the following description:

Enhanced authentication and account modification logging has been added to the ActivityLog table as well as added history tables to the PortalUser and PortalRoles areas.

Does ICA now log portal authentication attempts and logoff events?

Environment

Release : 6.x

Resolution

Because ICA runs as a web application on top of Microsoft Internet Information Services (IIS), it relies on IIS to process user authentication attempts by way of Integrated Windows Authentication. Successful and unsuccessful authentication attempts are logged in the IIS logs and include both account names and client IP addresses; however, it's not possible to "logoff" of IIS, so there are no logoff events to log.

When a user attempts to access the ICA portal, IIS first validates the user's Windows credentials and, if they're valid, they're then passed on to ICA. At that point, ICA checks the account against the list of portal users and privileges and grants the user access to those elements for which they have sufficient privileges (either explicitly granted to the portal user or inherited via portal group or portal role membership). Beginning with ICA version 6.6, logging for this has been added to the ActivityLog table in the RiskFabric database, as shown in this example:

SELECT TOP 5 * FROM RiskFabric.dbo.ActivityLog WHERE [Type] LIKE '%LOGIN' ORDER BY 1 DESC;

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=nw16nYA0HeWP3P3eU204Kg==

Additional Information

The following basic query will return a list of all users who have logged-in to the ICA portal within the past 24 hours:

SELECT  DISTINCT pu.Username
FROM    RiskFabric.dbo.ActivityLog AS al WITH (NOLOCK)
JOIN    RiskFabric.dbo.PortalUsers AS pu
ON      al.PortalUserID = pu.PortalUserId
WHERE   al.[Type] = 'SUCCESSFUL LOGIN'
AND     al.DateStamp > GETDATE()-1
;

This query will list the dates and times at which users have logged-in over the past n days (modify the integer passed to the GETDATE() function to adjust the number of days; the following query is passing '-7' on line 7):

SELECT   pu.Username,
         al.DateStamp
FROM     RiskFabric.dbo.ActivityLog AS al WITH (NOLOCK)
JOIN     RiskFabric.dbo.PortalUsers AS pu
ON       al.PortalUserID = pu.PortalUserId
WHERE    al.[Type] = 'SUCCESSFUL LOGIN'
AND      al.DateStamp > GETDATE()-7
ORDER BY al.DateStamp DESC
;
Powered by Wolken Software