Overview
Add AD Server and credentials
Multiple device IP Address
Troubleshooting AD Connectivity
FAQ
Sinefa Probes can be configured to retrieve username information directly from Active Directory Domain Controllers. This allows reports to be viewed with usernames rather than IP addresses even when users roam, or login from different devices and locations.
Configuring Sinefa Probes to connect to your AD Domain Controllers is easy.
- Navigate to Settings > Users > Active Directory
- Click Add to add a new AD server.
| Field | Definition |
| Server | Enter the hostname or IP address of your AD Domain Controller. |
| Domain | Enter in the domain prefix required to be able to log into your AD Domain Controller |
| Username | Enter the username of a user on the AD server with appropriate permissions (see below for more details). |
| Password | Enter the user's password. |
| Groups | Select this if you would like to obtain the AD Security and Distribution group data |
| Apply to Probe(s) | Configure the Probes which can connect to this AD server to lookup username information. Default is All Probes. |
You should add all AD servers in your network that are domain controllers (not member servers).
By default, the Administrator user can access username information without any special permissions. For security reasons, system administrators can create, read-only, non administrator accounts for this purpose. See the How to allow Sinefa Probes to connect to Active Directory Domain Controllers as a non Administrator user article for more information.
Multiple device IP Address
Sinefa identifies users by the IP Address that the users device uses to authenticate to the Active Directory server. So if User A authenticates to Active Directory using IP Address 1.1.1.1 then Sinefa will associate traffic from 1.1.1.1 to User A. However if User A has multiple IP addresses on that device, and sends or receives traffic from another IP Address (say 2.2.2.2) then traffic from 2.2.2.2 will not be associated with User A. e.g. If you have IPv6 running alongside IPv4 in your network then a user's device may use the IPv4 address to authenticate to Active Directory but use their IPv6 address to access Youtube application.
Troubleshooting Active Directory Connectivity
Under Settings > Users > Active Directory there is an option to be able to run diagnostics on your setup to see if it's obtaining any logon events from the Security Logs. To complete this, do the following:
- Next to the server you have setup, under the 'Diagnostics' column, select 'Run'
- A pop-up box will appear, select the probe you want to run this connection test against and select 'Run'
- A text file will download with the last 5 query outputs that were ran with their outputs, if successful you should see a list of IP addresses with their respective users and groups (only if Groups are set to On)
If the Diagnostics return with no user output, check the logon events within the Security Logs on that AD server as well as any error message outputs that have been retrieved from the Diagnostics.
Tip: Run the Diagnostics at least 5 minutes post the completion of the Active Directory Setup
Diagnostics Output Explained
| Output | Definition |
| No AD Server found. Check that the URL/ip address is correct. | The AD server that has been set up under Settings > Users > Active Directory is incorrect, double check the IP address entered and ensure this is the correct server with the Active Directory feature installed |
| Could not authenticate with AD Server. Check that the username and password are correct. | Check the credentials that are entered are correct and that the user listed has the correct permissions set as outlined in this document here. |
| No users found. Have any users logged in in the last 60 seconds? | Check that logon events are being captured in the security logs on that Active Directory server or if anyone has logged in within that time period allocated. Check whether the user configured on the probe has read-only access to the security logs as outlined in this document here. |
| No LDAPS Server found. Check that LDAPS is enabled on your AD Server. (Groups only) | Check whether LDAPS has been configured on your AD server to be able to obtain group information of the users within your AD environment |
| NTSTATUS: NT_STATUS_NO_MEMORY - Memory allocation error | An uncommon error, check the firewall and connectivity to ensure traffic is allowed inbound and outbound. |
FAQ's
| Question | Answer |
| Do I need to allow access to my Domain Controllers from the Internet? | No, the Sinefa Probes will connect to your Domain Controllers directly from within your network. Sinefa does not connect to them from the cloud. |
| Do I need to put my 'Administrator' password into the Sinefa AD Settings? | No, using the guide mentioned above, you can create a read-only, non-Administrator user for this purpose if you prefer not to use the Administrator account. |
| How does this work? | Sinefa Probes connect to your AD Domain Controllers using remote WMI and query the server for user login events. This information provides username to IP address mapping so we can associate traffic on the network with individual users. |
| I've noticed data use being captured by the AD user that we've created to collect this information, why is that? | If the probe is placed in a different location across the WAN to the Active Directory server, you will notice that the AD queries that the Sinefa probe sends and receives will be captured on the traffic monitoring. It's normally advised to try and set up the probe as close as possible/in the same location as the AD server without compromising the quality of the reporting that you would receive from the Sinefa Probe. |
| Will this put any extra load on my AD servers? | The queries we run are very small and efficient and require very few resources to run. There will be no noticeable impact even on servers managing large numbers of users. |
| How do I limit which Probes connect to my AD Servers? | Use the 'Apply to Probe(s)' parameter to limit which Probe can talk to which AD Server. |
Comments
0 comments
Article is closed for comments.