topic About UIA SSL connection in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/about-uia-ssl-connection/m-p/1247004#M6628 <P>Hello Team,</P> <P>&nbsp;</P> <P>I'm currently dealing with an issue where UIA is unable to validate certification.</P> <P>&nbsp;</P> <P>The certificate does not have a SAN setting.</P> <P>I plan to change the certificate to one that has both CN and SAN set, but have not been able to do so yet.</P> <P>&nbsp;</P> <P>The certificate validation has occurred since applying an OS patch, so I have asked the OS vendor to investigate.</P> <P>The OS vendor has stated that there is no Schannel SSP communication when the issue occurs.<BR />The OS vendor has asked me to confirm whether UIA uses Schannel SSP.</P> <P>&nbsp;</P> <P>Does anyone have information on whether UIA uses Schannel SSP for SSL/TLS communication?</P> <P>&nbsp;</P> <P>Regards,<BR />Yusuke Narita</P> Thu, 29 Jan 2026 09:57:18 GMT Y.Narita347153 2026-01-29T09:57:18Z About UIA SSL connection https://live.paloaltonetworks.com/t5/next-generation-firewall/about-uia-ssl-connection/m-p/1247004#M6628 <P>Hello Team,</P> <P>&nbsp;</P> <P>I'm currently dealing with an issue where UIA is unable to validate certification.</P> <P>&nbsp;</P> <P>The certificate does not have a SAN setting.</P> <P>I plan to change the certificate to one that has both CN and SAN set, but have not been able to do so yet.</P> <P>&nbsp;</P> <P>The certificate validation has occurred since applying an OS patch, so I have asked the OS vendor to investigate.</P> <P>The OS vendor has stated that there is no Schannel SSP communication when the issue occurs.<BR />The OS vendor has asked me to confirm whether UIA uses Schannel SSP.</P> <P>&nbsp;</P> <P>Does anyone have information on whether UIA uses Schannel SSP for SSL/TLS communication?</P> <P>&nbsp;</P> <P>Regards,<BR />Yusuke Narita</P> Thu, 29 Jan 2026 09:57:18 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/about-uia-ssl-connection/m-p/1247004#M6628 Y.Narita347153 2026-01-29T09:57:18Z Re: About UIA SSL connection https://live.paloaltonetworks.com/t5/next-generation-firewall/about-uia-ssl-connection/m-p/1249647#M6758 <P>The <STRONG>User-ID Agent (UIA)</STRONG> runs as a Windows service and relies on the <STRONG>Windows TLS/SSL stack</STRONG> for secure communication. Therefore, TLS operations performed by the agent use the native Windows cryptographic libraries, which include <STRONG>Schannel (Secure Channel SSP)</STRONG>.</P><P>In other words, SSL/TLS communication initiated by the User-ID Agent is handled through the Windows security infrastructure and therefore utilizes <STRONG>Schannel SSP</STRONG> for certificate validation and TLS negotiation.</P><P>Regarding the certificate validation issue, it is possible that the recent OS patch introduced stricter certificate validation requirements. Modern Windows updates often require the <STRONG>Subject Alternative Name (SAN)</STRONG> extension for proper certificate validation, and certificates that only contain the <STRONG>Common Name (CN)</STRONG> may fail validation in some cases.</P> Sun, 08 Mar 2026 08:43:34 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/about-uia-ssl-connection/m-p/1249647#M6758 abayoumi21 2026-03-08T08:43:34Z