https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572487#M115196 <P>Hi Tom,</P> <P>&nbsp;</P> <P>We started with installing 10.2, than moved to version 8 to check if the issue is because of version, than again went for version 11. Nothing resolved the problem..&nbsp;</P> Wed, 10 Jan 2024 05:42:50 GMT JamshedDayar 2024-01-10T05:42:50Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572035#M115130 <P>Hi all</P> <P>&nbsp;</P> <P>We have installed 10.2 version of UIA in new win 2019 server as our 2012 server would be shutdown soon. The problem is after configuring all the required permissions the agent status overall is connected, but on all our ADs listed in UIA, the status is stuck at connecting and after sometimes we get Access is Denied status as well. The service account used for new UIA is the same as old setup which is working fine on win 2012.&nbsp;</P> <P>&nbsp;</P> <P>There is a PA in between which has policy to allow such traffic. Surprisingly though the agent is fetching user info from the ADs but we are reluctant to integrate this new setup with PA due to the problem stated above.&nbsp;</P> <P>&nbsp;</P> <P>We have already tried all the KBs available for such logs/msg like patch upgrade or running it as admin etc etc</P> <P>&nbsp;</P> <P>Anyone can shed a light on how further we can tshoot this problem.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The specific error on the log file is</P> <P>&nbsp;</P> <P>Error 115 : Cannot open security log for XYZ. Access is denied.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JamshedDayar_1-1704692360221.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56300i81F928558164840F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JamshedDayar_1-1704692360221.png" alt="JamshedDayar_1-1704692360221.png" /></span></P> <P><LI-PRODUCT title="User-ID" id="User-ID"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 08 Jan 2024 05:42:13 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572035#M115130 JamshedDayar 2024-01-08T05:42:13Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572182#M115144 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/334632">@JamshedDayar</a>,</P> <P>I'd verify with whoever is running those servers that you don't have IP restrictions that weren't updated for the 2019 host on the DCs.&nbsp;</P> Mon, 08 Jan 2024 21:45:47 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572182#M115144 BPry 2024-01-08T21:45:47Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572255#M115154 <P>Hi Bpry,</P> <P>&nbsp;</P> <P>Incase of any restrictions, why UIA is still able to fetch all the updated information regarding user to ip mapping. This is the point that is confusing us. Anyway can you elaborate where I can ask the server team to check for these restrictions.</P> <P>&nbsp;</P> Tue, 09 Jan 2024 05:43:34 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572255#M115154 JamshedDayar 2024-01-09T05:43:34Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572348#M115170 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/334632">@JamshedDayar</a>&nbsp;wrote:<BR /> <P>Hi all</P> <P>&nbsp;</P> <P>We have installed 10.2 version of UIA in new win 2019 server as our 2012 server would be shutdown soon. The problem is after configuring all the required permissions the agent status overall is connected, but on all our ADs listed in UIA, the status is stuck at connecting and after sometimes we get Access is Denied status as well. The service account used for new UIA is the same as old setup which is working fine on win 2012.&nbsp;</P> <P>&nbsp;</P> <P>There is a PA in between which has policy to allow such traffic. Surprisingly though the agent is fetching user info from the ADs but we are reluctant to integrate this new setup with PA due to the problem stated above.&nbsp;</P> <P>&nbsp;</P> <P>We have already tried all the KBs available for such logs/msg like patch upgrade or running it as admin etc etc</P> <P>&nbsp;</P> <P>Anyone can shed a light on how further we can tshoot this problem.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The specific error on the log file is</P> <P>&nbsp;</P> <P>Error 115 : Cannot open security log for XYZ. Access is denied.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JamshedDayar_1-1704692360221.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56300i81F928558164840F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JamshedDayar_1-1704692360221.png" alt="JamshedDayar_1-1704692360221.png" /></span></P> <P><A class="lia-product-mention" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/User-ID/pd-p/User-ID" data-product="30-1" target="_blank">User-ID</A>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>Your comments are a little confusing.&nbsp; You have UIA installed on 2012 member servers previously.&nbsp; You have a new 2019 member server that has UIA installed on it.</P> <P>&nbsp;</P> <P>It's the UIA on the 2019 member server that has lets say 10 domain controllers it's monitoring.&nbsp; Of those 10 ALL of them sometimes say connected and other times ALL of them say access denied?&nbsp; Or is there a subset of the 10 that will say access denied?<BR /><BR />I would agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; -- this is usually because of the service account that's running the UIA doesn't have the needed permissions to read the AD event logs on the DC, or maybe the service account isn't running the UIA software like it needs to be.</P> <P>&nbsp;</P> <P>I would follow the UIA deployment process step by step again.&nbsp; I bet you resolve your issue.</P> Tue, 09 Jan 2024 14:43:49 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572348#M115170 Brandon_Wertz 2024-01-09T14:43:49Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572367#M115173 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/334632">@JamshedDayar</a> ,</P> <P>&nbsp;</P> <P>I don't know of any Windows issues with the UIA on W2019.&nbsp; I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a> that a reinstall of the UIA is your best bet to fix it.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 09 Jan 2024 17:04:51 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572367#M115173 TomYoung 2024-01-09T17:04:51Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572486#M115195 <P>Hi Brandon,</P> <P>&nbsp;</P> <P>Let me clarify.</P> <P>&nbsp;</P> <P>Currently we have UIA version 8 on our 2012 server which is working fine since ages, status on that for all DCs is connected. no issues</P> <P>&nbsp;</P> <P>Now we are deploying a win 2019 server with newer version of UIA 10.2 but using the same service account thats being already used for 2012 deployment ( so permissions are not an issue imo as that one is working fine )</P> <P>&nbsp;</P> <P>Now on the 2019 server, the UIA agent is running and connected, but on 3 DCs ( screenshot attached in 1st post ) , the status is stuck at connecting and after sometime it is Connecting ( Access is denied ).&nbsp;</P> <P>&nbsp;</P> <P>We have followed the KB and all local permissions are also granted to service account on new server as well.&nbsp;</P> Wed, 10 Jan 2024 05:41:02 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572486#M115195 JamshedDayar 2024-01-10T05:41:02Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572487#M115196 <P>Hi Tom,</P> <P>&nbsp;</P> <P>We started with installing 10.2, than moved to version 8 to check if the issue is because of version, than again went for version 11. Nothing resolved the problem..&nbsp;</P> Wed, 10 Jan 2024 05:42:50 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572487#M115196 JamshedDayar 2024-01-10T05:42:50Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572557#M115208 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/334632">@JamshedDayar</a>&nbsp;wrote:<BR /> <P>Hi Brandon,</P> <P>&nbsp;</P> <P>Let me clarify.</P> <P>&nbsp;</P> <P>Currently we have UIA version 8 on our 2012 server which is working fine since ages, status on that for all DCs is connected. no issues</P> <P>&nbsp;</P> <P>Now we are deploying a win 2019 server with newer version of UIA 10.2 but using the same service account thats being already used for 2012 deployment ( so permissions are not an issue imo as that one is working fine )</P> <P>&nbsp;</P> <P>Now on the 2019 server, the UIA agent is running and connected, but on 3 DCs ( screenshot attached in 1st post ) , the status is stuck at connecting and after sometime it is Connecting ( Access is denied ).&nbsp;</P> <P>&nbsp;</P> <P>We have followed the KB and all local permissions are also granted to service account on new server as well.&nbsp;</P> <HR /></BLOCKQUOTE> <P>Hrmm...If you're saying you've followed all the steps and the service account is running the software, it's possible there could be some weird issue going on, but that likely will need a support case to truly discover.</P> <P>&nbsp;</P> <P>That said my enviornment is a mix of 3200s, 3400s, and 5250s running 10.1.X and 10.2.X PAN-OS.&nbsp; I've got 4 UIAs targeting 100+ DCs and 1 credential agent.&nbsp; We're running UIA software version 10.1.0-21 and we don't have any issues monitoring 2019 DCs.&nbsp; Maybe try downgrading the UIAs to 10.1?</P> <P>&nbsp;</P> <H2 class="bookdetail-page-title">Where Can I Install the User-ID Agent?</H2> <P><A href="https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/where-can-i-install-the-user-id-agent#id8f750af3-799f-4546-8b9e-a44a23b5b5c0" target="_blank">https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/where-can-i-install-the-user-id-agent#id8f750af3-799f-4546-8b9e-a44a23b5b5c0</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2 class="bookdetail-page-title">Which Servers Can the User-ID Agent Monitor?</H2> <P><A href="https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-agent-monitor#id48730da4-e269-4a3b-aeae-ea577c5c04ea" target="_blank">https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-agent-monitor#id48730da4-e269-4a3b-aeae-ea577c5c04ea</A>&nbsp;</P> Wed, 10 Jan 2024 14:00:34 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-all-dcs-in-connecting-access-is-denied-status/m-p/572557#M115208 Brandon_Wertz 2024-01-10T14:00:34Z