
[SRX] Several pending users seen in the authentication table for AD users


Article ID: KB33137 | Last Updated: 08 Nov 2018 | Version: 1.0
Summary:

At times, the authentication table for Active Directory (AD) users may show several users in pending state in an SRX4200 cluster that is running Junos OS 15.1X49-D80 or 15.1X49-D90.

This article explains why this happens and what should be done to clear the pending users in the authentication table.


Symptoms:

An SRX4200 cluster that is running Junos OS 15.1X49-D80 or 15.1X49-D90 reports the following issue:

The authentication table shows several users in the Pending state. The wmic daemon appears to be unable to retrieve a username for the corresponding client IP addresses.

admin@srx4200> show services user-identification authentication-table authentication-source active-directory
node0:
--------------------------------------------------------------------------

Domain: customer.com
Total entries: 2906
Source IP          Username         groups(Ref by policy)        state
192.168.4.143      user_sample1         group_sample1            Valid         
192.168.4.151                                                    Pending       
192.168.4.153      user_sample2        group_sample1             Valid         
192.168.4.175                                                    Pending       
192.168.4.179      user_sample3                                  Valid         
192.168.4.184      user_sample4         group_sample1            Valid         
192.168.4.195      user_sample5         group_sample1            Valid         
192.168.4.213      user_sample6         group_sample1            Valid         
192.168.4.216      user_sample7        group_sample1             Valid         
192.168.4.217                                                    Pending       
192.168.4.237      user_sample8        group_sample2             Valid         
192.168.4.238      user_sample9        group_sample1             Valid         
192.168.4.242      user_sample10       group_sample1             Valid         
192.168.5.2        user_sample11        group_sample1            Valid         
192.168.5.3        user_sample12       group_sample1             Valid         
192.168.5.10                                                     Pending        
192.168.5.12                                                     Pending       
...
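To quantify the condition shown above, the following Python parser (added here, not part of the KB article) reads the authentication-table output, counts Valid against Pending entries and groups the pending source IPs by /24 so that ranges of non-Windows hosts can be identified for the filter exclude list; the sample output is constructed in the same format as the CLI output above.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample in the format of
# "show services user-identification authentication-table authentication-source active-directory"
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------

Domain: customer.com
Total entries: 6
Source IP          Username         groups(Ref by policy)        state
192.168.4.143      user_sample1         group_sample1            Valid
192.168.4.151                                                    Pending
192.168.4.153      user_sample2        group_sample1             Valid
192.168.4.175                                                    Pending
192.168.4.179      user_sample3                                  Valid
192.168.5.10                                                     Pending
"""

# One table row: IP, optional username, optional group, then the state.
ENTRY_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(?:(\S+)\s+)?(?:(\S+)\s+)?(Valid|Pending)$"
)


def parse_auth_table(text):
    """Return (ip, username, groups, state) tuples; header and node lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            ip, user, groups, state = m.groups()
            entries.append((ip, user or "", groups or "", state))
    return entries


def pending_stats(entries):
    """Return (valid, pending, pending_share) so the backlog of unprobed hosts is visible."""
    counts = Counter(state for *_, state in entries)
    total = sum(counts.values())
    share = counts["Pending"] / total if total else 0.0
    return counts["Valid"], counts["Pending"], share


def pending_by_subnet(entries, prefixlen=24):
    """Group pending IPs by /prefixlen; a subnet full of pending hosts is a candidate for 'filter exclude'."""
    per_net = Counter()
    for ip, _, _, state in entries:
        if state == "Pending":
            per_net[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return dict(per_net)
```

Feed it the real output captured from the SRX (for example via NETCONF or a saved CLI session) to track whether the pending share drops after the timeout change.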

Configuration:
set services user-identification active-directory-access domain customer.com user adadmin
set services user-identification active-directory-access domain customer.com user password xxxxxxxxxx
set services user-identification active-directory-access domain customer.com domain-controller dc1 address 172.16.220.10
set services user-identification active-directory-access domain customer.com domain-controller dc2 address 172.16.80.5
set services user-identification active-directory-access domain customer.com domain-controller dc3 address 172.16.220.10
set services user-identification active-directory-access domain customer.com domain-controller dc4 address 172.16.64.4
set services user-identification active-directory-access domain customer.com domain-controller dc5 address 172.16.66.6
set services user-identification active-directory-access domain customer.com domain-controller dc6 address 172.16.64.4
set services user-identification active-directory-access domain customer.com domain-controller dc7 address 172.16.67.6
set services user-identification active-directory-access domain customer.com ip-user-mapping discovery-method wmi
set services user-identification active-directory-access domain customer.com user-group-mapping ldap base DC=customer,DC=com
set services user-identification active-directory-access authentication-entry-timeout 10
set services user-identification active-directory-access wmi-timeout 120
set services user-identification active-directory-access filter exclude 10.100.192.0/24   (the filter exclude entries below are used to exclude non-Windows clients from probing)
set services user-identification active-directory-access filter exclude 10.101.192.0/24
set services user-identification active-directory-access filter exclude 10.103.192.0/24
set services user-identification active-directory-access filter exclude 10.104.192.0/24
set services user-identification active-directory-access filter exclude 10.105.192.0/24
set services user-identification active-directory-access filter exclude 10.106.192.0/24
set services user-identification active-directory-access filter exclude 10.107.192.0/24
set services user-identification active-directory-access filter exclude 10.108.192.0/24
set services user-identification active-directory-access filter exclude 10.109.192.0/24
set services user-identification active-directory-access filter exclude 10.110.192.0/24
set services user-identification active-directory-access filter exclude 10.151.192.0/24
set services user-identification active-directory-access filter exclude 10.152.192.0/24


Cause:

For IP-to-user mappings that the Windows Management Instrumentation client (WMIC) cannot retrieve from the Active Directory (AD) domain controllers, the wmic daemon has to probe the Windows clients one by one. With many clients this takes a long time, and the affected entries remain in the Pending state in the authentication table until the probe completes or the entry times out.


Solution:

When thousands of users have to be probed, the SRX device needs a larger authentication-entry-timeout value, which can be set with the following command:

set services user-identification active-directory-access authentication-entry-timeout 120
