https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530957#M109518 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a><BR /><BR />After I went through the log, the error log number generated by the customer PA is 1288,1603 and the error log number written in the URL is 1587,1272.<BR /><BR /></P> <UL style="font-weight: 400;"> <LI><SPAN>2023-02-08 06:54:00.114 +0900 Error:&nbsp; pan_user_id_win_get_error_status(pan_user_id_win.c:<STRONG>1288</STRONG>) : WMIC message from server AD_3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN><SPAN>2023-02-08 06:54:01.111 +0900 Error:&nbsp; pan_user_id_win_wmic_log_query(pan_user_id_win.c:<STRONG>1603</STRONG><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> log query for AD_2 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-14 at 9.23.00 AM.png" style="width: 846px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47888i00D720B71DDE0CAA/image-dimensions/846x55/is-moderation-mode/true?v=v2" width="846" height="55" role="button" title="Screenshot 2023-02-14 at 9.23.00 AM.png" alt="Screenshot 2023-02-14 at 9.23.00 AM.png" /></span><BR />Can the same issue occur in this case?<BR /><BR />Additionally, the customer is using the <STRONG>KB5015808</STRONG>.</SPAN></SPAN></LI> </UL> Tue, 14 Feb 2023 04:39:41 GMT JoHyeonJae 2023-02-14T04:39:41Z https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530232#M109422 <P>Hello all,&nbsp;<BR /><BR /><SPAN>You are using Microsoft Active Directory, but you receive the following error log:</SPAN></P> <P>&nbsp;</P> <P><SPAN>Useridd.log&nbsp;<BR />&gt;</SPAN></P> <UL style="font-weight: 400;"> <LI><SPAN>Error:&nbsp; pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:00.114 +0900 Error:&nbsp; pan_user_id_win_get_error_status(pan_user_id_win.c:1288) : WMIC message from server AD_3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:01.111 +0900 Error:&nbsp; pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_2 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:01.111 +0900 Error:&nbsp; pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_2: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:02.114 +0900 2023-02-08 06:54:02.114 +0900 Error:&nbsp; pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:02.114 +0900 Error:&nbsp; pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>Error:&nbsp; pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_1 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:02.114 +0900 Error:&nbsp; pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_1: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:03.114 +0900 Error:&nbsp; pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_2 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:03.114 +0900 Error:&nbsp; pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_2: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:04.115 +0900 Error:&nbsp; pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_1 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN>2023-02-08 06:54:04.115 +0900 Error:&nbsp; pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_1: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied<BR /></SPAN></LI> </UL> <P>These issues occur even if AD settings are checked and changed based on the link below.<BR />&gt;<A title="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0" contenteditable="false" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0</A><BR /><BR />Has anyone experienced and solved these issues?</P> Wed, 08 Feb 2023 02:23:34 GMT https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530232#M109422 JoHyeonJae 2023-02-08T02:23:34Z https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530233#M109423 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208779">@JoHyeonJae</a> ,</P> <P>&nbsp;</P> <P>You need to look at the security event viewer on your AD server to see the specific reason the access is denied.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 08 Feb 2023 02:37:16 GMT https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530233#M109423 TomYoung 2023-02-08T02:37:16Z https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530398#M109453 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>&nbsp;<BR /><BR />I have looked through the security event viewer on the Server side.&nbsp;<BR /><BR />But, t<SPAN>here was no evidence to cause it. Is there anything else I can check?<BR /><BR />And I found the following article while tracking the error log that occurred. Is it not related to the issue that occurred?<BR /><BR /><A href="https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c" target="_blank">https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c</A><BR /></SPAN></P> Thu, 09 Feb 2023 00:56:49 GMT https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530398#M109453 JoHyeonJae 2023-02-09T00:56:49Z https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530420#M109456 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208779">@JoHyeonJae</a> ,</P> <P>&nbsp;</P> <P><FONT color="#FF0000">So you see the DCOM error on the server?&nbsp; It will be in the system event viewer.&nbsp;</FONT> Thank you for that URL.&nbsp; It has been updated since I last looked.&nbsp; It looks like this issue -&gt; <A href="https://live.paloaltonetworks.com/t5/general-topics/user-identification-and-winrm-on-http/m-p/481674" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/user-identification-and-winrm-on-http/m-p/481674</A>.&nbsp; It sounds like if you apply the patch you will be good, but it may be disabled next month.&nbsp; I think PANW will need to provide a fix by then.&nbsp; Please let me know what you find.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 14 Feb 2023 00:30:16 GMT https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530420#M109456 TomYoung 2023-02-14T00:30:16Z https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530957#M109518 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a><BR /><BR />After I went through the log, the error log number generated by the customer PA is 1288,1603 and the error log number written in the URL is 1587,1272.<BR /><BR /></P> <UL style="font-weight: 400;"> <LI><SPAN>2023-02-08 06:54:00.114 +0900 Error:&nbsp; pan_user_id_win_get_error_status(pan_user_id_win.c:<STRONG>1288</STRONG>) : WMIC message from server AD_3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied</SPAN></LI> <LI><SPAN><SPAN>2023-02-08 06:54:01.111 +0900 Error:&nbsp; pan_user_id_win_wmic_log_query(pan_user_id_win.c:<STRONG>1603</STRONG><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> log query for AD_2 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-14 at 9.23.00 AM.png" style="width: 846px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47888i00D720B71DDE0CAA/image-dimensions/846x55/is-moderation-mode/true?v=v2" width="846" height="55" role="button" title="Screenshot 2023-02-14 at 9.23.00 AM.png" alt="Screenshot 2023-02-14 at 9.23.00 AM.png" /></span><BR />Can the same issue occur in this case?<BR /><BR />Additionally, the customer is using the <STRONG>KB5015808</STRONG>.</SPAN></SPAN></LI> </UL> Tue, 14 Feb 2023 04:39:41 GMT https://live.paloaltonetworks.com/t5/general-topics/user-mapping-ad-access-denied/m-p/530957#M109518 JoHyeonJae 2023-02-14T04:39:41Z