IBM Support

Guardium OS User field is blank in reports for remote traffic only when using MSSQL

Troubleshooting


Problem

The OS User field is blank in reports for remote MSSQL connections, but contains data for local connections.

Cause

Local Database Connections

For local connections (i.e. connections made to the database from the server where the database is running and the S-TAP is installed), the OS User field can be populated with the OS User of the client process. This is because the S-TAP is installed on the server and can send this data to Guardium.
Expected OS User values:
Windows Authentication: OS User of Client session
SQL Server Authentication: OS User of Client session


Remote Database Connections
For remote connections (i.e. connections made to the database from an external client rather than from the server), the OS User is not sent by the Windows S-TAP. This is because the S-TAP is not installed on the remote client and the OS User is not part of the database traffic packets.
Depending on the type of authentication used, the sniffer copies the Database User into the OS User field. For certain types of authentication, the two fields are effectively the same.
Expected OS User values:
Windows NTLM Authentication: DB User of remote session
Windows Kerberos Authentication: Blank
SQL Server Authentication: Blank
To check the authentication scheme of the current MSSQL Server session, run:
1> select auth_scheme from sys.dm_exec_connections where session_id=@@spid;
2> go
auth_scheme
----------------------------------------
NTLM
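
The query above reports only the session that runs it. The following T-SQL is an added example, not part of the IBM technote or of Guardium: it lists every user session with its auth_scheme and the OS User value that the tables above say to expect in a report. The local/remote classification from net_transport and client_net_address is an assumption of this example and may not match how S-TAP sees the connection.

```sql
-- Added example (not IBM-supplied). Requires VIEW SERVER STATE permission.
WITH conn AS (
    SELECT c.session_id,
           c.auth_scheme,
           c.net_transport,
           c.client_net_address,
           s.login_name,
           s.host_name,
           s.program_name,
           -- Assumption: a connection is local when it uses shared memory,
           -- a loopback address, or the server's own listening address.
           -- Named-pipe connections cannot be classified by address.
           CASE
               WHEN c.net_transport = 'Shared memory'
                 OR c.client_net_address IN ('<local machine>', '127.0.0.1', '::1')
                 OR c.client_net_address = c.local_net_address THEN 'local'
               WHEN c.net_transport = 'Named pipe' THEN 'undetermined'
               ELSE 'remote'
           END AS locality
    FROM sys.dm_exec_connections AS c
    JOIN sys.dm_exec_sessions AS s
      ON s.session_id = c.session_id
    WHERE c.parent_connection_id IS NULL   -- skip MARS child connections
      AND s.is_user_process = 1            -- skip system sessions
)
SELECT session_id,
       login_name,
       host_name,
       program_name,
       net_transport,
       auth_scheme,
       locality,
       -- Expected values are taken from the tables in this technote.
       CASE
           WHEN locality = 'local'  THEN 'OS User of client session'
           WHEN locality = 'remote' AND auth_scheme = 'NTLM'
               THEN 'DB User of remote session (' + login_name + ')'
           WHEN locality = 'remote' AND auth_scheme IN ('KERBEROS', 'SQL')
               THEN 'Blank'
           ELSE 'Not covered by this technote'
       END AS expected_guardium_os_user
FROM conn
ORDER BY locality, auth_scheme, session_id;
```

Sessions that show 'Blank' here are the ones for which a blank OS User in a Guardium report is expected behaviour rather than a collection fault.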


Document Information

Modified date:
04 June 2020

UID

swg21986236