topic Re: WMI access denied in System Logs but Device > User Identification shows connected on all DC's in General Topics

WMI access denied in System Logs but Device > User Identification shows connected on all DC's

ksauer507 — Wed, 26 Jan 2022 19:30:55 GMT

Hello,

I've seen on my Palo Alto 3220 system logs dashboard applet a ton of Access Denied messages regarding our domain controllers. However if I go over to Device > User Identification, all 4 of our DC's there are listed as connected in green. All 4 are Microsoft Active Directory, WinRM-HTTP. If they are green and connected there, why am I seeing errors in the system logs?

01/26 14:29:58 Server monitor dcname(vsys1) is connected

01/26 14:29:58 Server monitor dcname(vsys1): connection failed, HTTP code 500, s:Receiverw:InternalErrorThe WS-Management service cannot process the request. The WMI service returned an 'access denied' error. 200The WS-Management service cannot process the request. The WMI service returned an 'access denied' error. H

Re: WMI access denied in System Logs but Device > User Identification shows connected on all DC's

ksauer507 — Wed, 26 Jan 2022 21:02:45 GMT

show user ip-user-mapping all showed valid user to IP mappings.

show user server-monitor statistics showed 4 DC's in the connected state, but if you kept running that command over and over you'd see a random DC go to not connected, then access denied, then connected again. The windows program WBEMTEST with the same service account credentials we use against the DC's launched with no issue.

We changed them from WinRM-HTTP to WMI and committed, and no issues since.

There's no problem with it on WMI, that's ok to have it set to that method if it works right?

Re: WMI access denied in System Logs but Device > User Identification shows connected on all DC's

nikoolayy1 — Sun, 30 Jan 2022 08:49:21 GMT

Maybe check the article below and also you may double check the DC config itself as only WBEMTEST may not be enough, also check for network flapping or bottleneck issues or firewall CPU/Memory issues as the integrated WMI agent is causing cpu/memory issues to the firewall. Also the trust between the 4 DC could be in some cases not configured correctly.

Agentless User-ID 'access denied' Error in Server Monitor - Knowledge Base - Palo Alto Networks

Also check for known issues for your firewall version or addresses issues for the versions after your version. Example:

Known Issues (paloaltonetworks.com)

PAN-OS 9.1 Addressed Issues (paloaltonetworks.com)

Re: WMI access denied in System Logs but Device > User Identification shows connected on all DC's

nislam — Fri, 22 Jul 2022 08:49:28 GMT

>> mp useridd.log 2022-07-22 05:53:28.324 +0400 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for server1.local failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

>>mp useridd.log 2022-07-22 05:53:28 2022-07-22 05:53:28.324 +0400 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server server1.local: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

We checked this issue further and found the reason as a recent patch release from Microsoft KB5004442 which impacts the WMI transport service used from the FW side.
We checked the same with the Server Team and could correlate the patch installation and the mapping failure timestamps.
A detailed description of the issue along with the resolution is provided in the articles below: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA