
Ironport getting machine name instead of AD user

Unanswered Question
Jun 21st, 2012

This week we started getting problems from users being rejected by the Ironport S650. This was after correcting a misconfiguration that had the final policy allowing access instead of a global BLOCK access. What we found was that users were sending the machine account instead of the user's AD account name. We did find some hits on allowing winupdate, etc. that the machine apparently attempts on bootup and did that. We are still seeing the problem. One user especially starts on wireless OK for <1 hr, no access for 18 min (timeout is 15 min), and the next request sends the machine name. User switches to a wired connection and sends AD user name. Then there is an 8-minute break and the user is sending the machine name again. This is happening for about 6 users out of 900. Is there any way to get the Ironport to ignore machine accounts (no $@AD allowed?)

We are on 7.1.3-014 on the Ironport, AD is 2008R2. Users are XP and Windows 7.

jenmorto Thu, 06/21/2012 - 09:42

If you are able/willing to move to 7.5, there's a new feature that allows you to define a timeout value for how long the WSA uses the machine credentials. After the timeout, it prompts users to enter their own credentials. This is a way to work around Windows' NCSI feature. You can read about this feature/enhancement in the 7.5 release notes here:


And that references where you can read about the feature in the 7.5 user guide. (The “Working with Windows 7 and Windows Vista” section in the “Authentication” chapter of the Cisco IronPort AsyncOS for Web User Guide.)


