https://live.paloaltonetworks.com/t5/next-generation-firewall/user-id-integration-with-ad-failing-access-denied-kerberos/m-p/1233753#M6079 <P data-start="293" data-end="301">Hi Team,</P> <P data-start="303" data-end="579">I'm working on integrating my <STRONG data-start="333" data-end="375">Active Directory (Windows Server 2016)</STRONG> with a <STRONG data-start="383" data-end="412">Palo Alto PA-450 firewall</STRONG> to enable <STRONG data-start="423" data-end="448">User-ID functionality</STRONG>. While setting up the server monitoring configuration, I'm running into issues when using both WMI and WinRM-based authentication.</P> <H3 data-start="581" data-end="602">Issue Details:</H3> <UL data-start="603" data-end="780"> <LI data-start="603" data-end="686"> <P data-start="605" data-end="686">When using <STRONG data-start="616" data-end="623">WMI</STRONG>: The firewall shows <STRONG data-start="644" data-end="661">Access Denied</STRONG> under Server Monitoring.</P> </LI> <LI data-start="687" data-end="780"> <P data-start="689" data-end="780">When using <STRONG data-start="700" data-end="723">WinRM with Kerberos Http</STRONG>: The firewall shows <STRONG data-start="744" data-end="779">Kerberos error</STRONG>.</P> </LI> </UL> <P data-start="782" data-end="839">In the AD event viewer, I’m seeing the following message:</P> <BLOCKQUOTE data-start="841" data-end="1129"> <P data-start="843" data-end="1129"><EM data-start="843" data-end="1105">The server-side authentication level policy does not allow the user <CODE data-start="912" data-end="924">&lt;username&gt;</CODE> from address <CODE data-start="938" data-end="953">&lt;firewall IP&gt;</CODE> to activate the DCOM server. Please raise the activation authentication level at least to <CODE data-start="1044" data-end="1077">RPC_C_AUTHN_LEVEL_PKT_INTEGRITY</CODE> in the client application.</EM><BR data-start="1105" data-end="1108" /><STRONG data-start="1110" data-end="1122">Event ID</STRONG>: 10036</P> </BLOCKQUOTE> <H3 data-start="1131" data-end="1165"><span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span> Troubleshooting Done So Far:</H3> <UL data-start="1166" data-end="1594"> <LI data-start="1166" data-end="1254"> <P data-start="1168" data-end="1254">Verified that the <STRONG data-start="1186" data-end="1205">AD user account</STRONG> has local admin rights on the domain controller.</P> </LI> <LI data-start="1255" data-end="1330"> <P data-start="1257" data-end="1330">Confirmed <STRONG data-start="1267" data-end="1276">WinRM</STRONG> is enabled and configured correctly on the AD server.</P> </LI> <LI data-start="1393" data-end="1461"> <P data-start="1395" data-end="1461">Ensured the correct encryption types (AES128, AES256) are enabled.</P> </LI> <LI data-start="1462" data-end="1538"> <P data-start="1464" data-end="1538">Verified the firewall can resolve the FQDN and ping the domain controller.</P> </LI> <LI data-start="1539" data-end="1594"> <P data-start="1541" data-end="1594">Checked time synchronization between firewall and AD.</P> </LI> </UL> <P>Also verified as mentioned in the below procedure<BR /><SPAN data-teams="true"><A id="menur2a5" class="fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://knowledgebase.paloaltonetworks.com/kcsarticledetail?id=ka10g000000clggca0" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0" target="_blank" rel="noreferrer noopener" aria-label="Link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0</A><BR /><A id="menur2a7" class="fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://knowledgebase.paloaltonetworks.com/kcsarticledetail?id=ka10g000000clk0cac" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC" target="_blank" rel="noreferrer noopener" aria-label="Link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC</A></SPAN></P> <P data-start="1596" data-end="1683">Despite this, the firewall still fails to authenticate and collect user-to-IP mappings.</P> <HR data-start="1685" data-end="1688" /> <H3 data-start="1690" data-end="1712"><span class="lia-unicode-emoji" title=":question_mark:">❓</span>Request for Help:</H3> <P data-start="1713" data-end="1759">Can someone please help clarify the following:</P> <UL data-start="1760" data-end="2132"> <LI data-start="1760" data-end="1875"> <P data-start="1762" data-end="1875">What specific <STRONG data-start="1776" data-end="1812">DCOM or WinRM permission changes</STRONG> are needed on the domain controller to allow this integration?</P> </LI> <LI data-start="1876" data-end="2006"> <P data-start="1878" data-end="2006">How to ensure <CODE data-start="1892" data-end="1925">RPC_C_AUTHN_LEVEL_PKT_INTEGRITY</CODE> is accepted by the AD server for connections coming from the Palo Alto firewall?</P> </LI> <LI data-start="2007" data-end="2132"> <P data-start="2009" data-end="2132">Any <STRONG data-start="2013" data-end="2029">Group Policy</STRONG> or <STRONG data-start="2033" data-end="2053">registry changes</STRONG> required on the domain controller to allow Kerberos to work with the firewall?</P> </LI> </UL> <P data-start="2134" data-end="2187">Any insight or guidance would be greatly appreciated!</P> Thu, 10 Jul 2025 18:37:27 GMT M.R107318 2025-07-10T18:37:27Z https://live.paloaltonetworks.com/t5/next-generation-firewall/user-id-integration-with-ad-failing-access-denied-kerberos/m-p/1233753#M6079 <P data-start="293" data-end="301">Hi Team,</P> <P data-start="303" data-end="579">I'm working on integrating my <STRONG data-start="333" data-end="375">Active Directory (Windows Server 2016)</STRONG> with a <STRONG data-start="383" data-end="412">Palo Alto PA-450 firewall</STRONG> to enable <STRONG data-start="423" data-end="448">User-ID functionality</STRONG>. While setting up the server monitoring configuration, I'm running into issues when using both WMI and WinRM-based authentication.</P> <H3 data-start="581" data-end="602">Issue Details:</H3> <UL data-start="603" data-end="780"> <LI data-start="603" data-end="686"> <P data-start="605" data-end="686">When using <STRONG data-start="616" data-end="623">WMI</STRONG>: The firewall shows <STRONG data-start="644" data-end="661">Access Denied</STRONG> under Server Monitoring.</P> </LI> <LI data-start="687" data-end="780"> <P data-start="689" data-end="780">When using <STRONG data-start="700" data-end="723">WinRM with Kerberos Http</STRONG>: The firewall shows <STRONG data-start="744" data-end="779">Kerberos error</STRONG>.</P> </LI> </UL> <P data-start="782" data-end="839">In the AD event viewer, I’m seeing the following message:</P> <BLOCKQUOTE data-start="841" data-end="1129"> <P data-start="843" data-end="1129"><EM data-start="843" data-end="1105">The server-side authentication level policy does not allow the user <CODE data-start="912" data-end="924">&lt;username&gt;</CODE> from address <CODE data-start="938" data-end="953">&lt;firewall IP&gt;</CODE> to activate the DCOM server. Please raise the activation authentication level at least to <CODE data-start="1044" data-end="1077">RPC_C_AUTHN_LEVEL_PKT_INTEGRITY</CODE> in the client application.</EM><BR data-start="1105" data-end="1108" /><STRONG data-start="1110" data-end="1122">Event ID</STRONG>: 10036</P> </BLOCKQUOTE> <H3 data-start="1131" data-end="1165"><span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span> Troubleshooting Done So Far:</H3> <UL data-start="1166" data-end="1594"> <LI data-start="1166" data-end="1254"> <P data-start="1168" data-end="1254">Verified that the <STRONG data-start="1186" data-end="1205">AD user account</STRONG> has local admin rights on the domain controller.</P> </LI> <LI data-start="1255" data-end="1330"> <P data-start="1257" data-end="1330">Confirmed <STRONG data-start="1267" data-end="1276">WinRM</STRONG> is enabled and configured correctly on the AD server.</P> </LI> <LI data-start="1393" data-end="1461"> <P data-start="1395" data-end="1461">Ensured the correct encryption types (AES128, AES256) are enabled.</P> </LI> <LI data-start="1462" data-end="1538"> <P data-start="1464" data-end="1538">Verified the firewall can resolve the FQDN and ping the domain controller.</P> </LI> <LI data-start="1539" data-end="1594"> <P data-start="1541" data-end="1594">Checked time synchronization between firewall and AD.</P> </LI> </UL> <P>Also verified as mentioned in the below procedure<BR /><SPAN data-teams="true"><A id="menur2a5" class="fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://knowledgebase.paloaltonetworks.com/kcsarticledetail?id=ka10g000000clggca0" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0" target="_blank" rel="noreferrer noopener" aria-label="Link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0</A><BR /><A id="menur2a7" class="fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://knowledgebase.paloaltonetworks.com/kcsarticledetail?id=ka10g000000clk0cac" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC" target="_blank" rel="noreferrer noopener" aria-label="Link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC</A></SPAN></P> <P data-start="1596" data-end="1683">Despite this, the firewall still fails to authenticate and collect user-to-IP mappings.</P> <HR data-start="1685" data-end="1688" /> <H3 data-start="1690" data-end="1712"><span class="lia-unicode-emoji" title=":question_mark:">❓</span>Request for Help:</H3> <P data-start="1713" data-end="1759">Can someone please help clarify the following:</P> <UL data-start="1760" data-end="2132"> <LI data-start="1760" data-end="1875"> <P data-start="1762" data-end="1875">What specific <STRONG data-start="1776" data-end="1812">DCOM or WinRM permission changes</STRONG> are needed on the domain controller to allow this integration?</P> </LI> <LI data-start="1876" data-end="2006"> <P data-start="1878" data-end="2006">How to ensure <CODE data-start="1892" data-end="1925">RPC_C_AUTHN_LEVEL_PKT_INTEGRITY</CODE> is accepted by the AD server for connections coming from the Palo Alto firewall?</P> </LI> <LI data-start="2007" data-end="2132"> <P data-start="2009" data-end="2132">Any <STRONG data-start="2013" data-end="2029">Group Policy</STRONG> or <STRONG data-start="2033" data-end="2053">registry changes</STRONG> required on the domain controller to allow Kerberos to work with the firewall?</P> </LI> </UL> <P data-start="2134" data-end="2187">Any insight or guidance would be greatly appreciated!</P> Thu, 10 Jul 2025 18:37:27 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/user-id-integration-with-ad-failing-access-denied-kerberos/m-p/1233753#M6079 M.R107318 2025-07-10T18:37:27Z