SaaS |
| DCI |
When viewing browsing activity from Reporting > History, do many users appear as Anonymous, or show an incorrect username? If so, please go through these steps and verify your settings.
Open a command prompt on the user machine that is showing as Anonymous (type cmd in the taskbar search field and press Enter).
Type ipconfig/all into the command prompt and press Enter.
In the results, look for DNS Servers. The first entry is the primary DNS server and the second is the secondary DNS server.
To ensure your DNS requests are being explicitly sent to DNS Proxy, both of these IPs must be your DNS Proxy IPs - not forwarders.
Every Domain Controller that users log in against must have WADA installed. Open the services list and ensure the WebTitan Active Directory Agent service is present and running on each DC.
When running multiple DNS Proxies, every WADA config file must be configured to point to each of the DNS Proxies. Follow these steps on each Domain Controller:
- Press Windows Key + R to open the Run window.
- Enter %programdata% and click OK to open the ProgramData folder.
- Open the WebTitan AD Agent folder.
- Open wada.ini and ensure each DNS Proxy is listed as shown in the example below.
Example: http://IP-address:port
See examples below with the correct port 7777.
WADA sends data for logged in users to DNS Proxy over port 7777, so this port must be allowed out from the Domain Controller (DC) IP to the DNS Proxy IP.
Follow these steps from each DC:
- Press Windows Key + R to open the Run window.
- Enter %programdata% and click OK to open the ProgramData folder.
- Open the WebTitan AD Agent folder.
- Open wadaerror.log.
- Search the log for the following error in todays date: [ERR] Failed sending to client.
If this error is present it indicates that DNS Proxy cannot be reached on the correct port, meaning it is likely closed.
Windows Management Instrumentation (WMI) is used to identify which users are logged into which machines. It is essential that WMI queries get the correct responses when run from the DCs.
Open a command line and run the following command, but replace "1.2.3.4" with the IP of a user machine that is showing as Anonymous:
wmic /NODE:1.2.3.4 COMPUTERSYSTEM GET USERNAME
You must get a reply showing the logged in username like the example here, which shows WMI can identify the user:
wmic /NODE:10.1.0.210 COMPUTERSYSTEM GET USERNAME
UserName
TESTDOMAIN\joe
A response like the example below indicates that WMI cannot communicate:
wmic /NODE:10.1.0.210 COMPUTERSYSTEM GET USERNAME
Note – 10.1.0.210
Error:
Description = The RPC server is unavailable
If this is the case, all items listed below will need to be allowed on your Windows firewall. This can be pushed out via GPO.
Windows Management Instrumentation (Async-In)
Windows Management Instrumentation (DCOM-In)
Windows Management Instrumentation (WMI-In)
Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
Remote Administration (NP-In)
Remote Administration (RPC)
Remote Administration (RPC-EPMAP)
Network Discovery (LLMNR-UDP-In)
Network Discovery (NB-Datagram-In)
Network Discovery (NB-Name-In)
Network Discovery (Pub-WSD-In)
Network Discovery (SSDP-In)
Network Discovery (UPnP-In)
Network Discovery (WSD Events-In)
Network Discovery (WSD EventsSecure-In)
Network Discovery (WSD-In)
Are the servers terminal servers or are they configured as terminal servers under Configuration > Network > Terminal Servers.
Any IP added here will be considered a terminal server and will show as anonymous. Terminal Server IPs that are not listed here will likely misidentify users. Both of the above are due to the fact that WADA cannot identify these users and they must be excluded from identification.
Log in to your DNS Proxy IP. Go to Troubleshooting > Wada/Aada
Search the IP field for the machine that is reporting anonymous. Is their a user listed there? Please submit a support ticket with that information.