topic Re: User-ID for Exchange Permission Issue in General Topics

User-ID for Exchange Permission Issue

SabreAce33 — Tue, 21 May 2013 20:44:08 GMT

Hi All,

I'm running an agent-based User-ID setup against three AD DCs and two Exchange CAS servers. Unfortunately, despite having the Event Log Reader permission, I cannot seem to get data from the Exchange servers. I am successfully getting data from the DCs, but the Exchange servers always show either Connecting or Connecting (A required privilege is not held by the agent.). Any ideas on whether or not Exchange requires additional permissions?

Thanks,

John

Re: User-ID for Exchange Permission Issue

SabreAce33 — Fri, 24 May 2013 16:43:26 GMT

Any takers?

Re: User-ID for Exchange Permission Issue

NGS_SOC — Sun, 26 May 2013 10:08:29 GMT

https://live.paloaltonetworks.com/message/15865#15865

Be aware that only owa connection can be used, due to Exchange limitation there is no POP3 or IMAP user connection information.

Re: User-ID for Exchange Permission Issue

melonheadr — Wed, 26 Jun 2013 18:02:37 GMT

I am also having this issue. I have a case open with support but there is no resolution yet. I am using User-ID agent 5.0.5 and can connect to domain controllers just fine. The Exchange server connections show "Connecting (A required privilege is not held by the agent.)" I am attempting to connect to Exchange 2010.]

Any thoughts?

Re: User-ID for Exchange Permission Issue

SabreAce33 — Wed, 26 Jun 2013 18:08:49 GMT

Wish I had something to add. That's the exact problem I'm having, though I'm using 5.0.4. Please let me know what you find out!

Re: User-ID for Exchange Permission Issue

melonheadr — Wed, 26 Jun 2013 18:14:07 GMT

The closest thing I can find is this:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27949015.html

Scroll all the way to the bottom:

"Ending up not being able to use the event log viewers group and had to add the accout to administrators group."

Perhaps Exchange 2010 doesn't use the "Event Log Readers" group...

Re: User-ID for Exchange Permission Issue

SabreAce33 — Wed, 26 Jun 2013 18:19:47 GMT

Huh..my AD/Exchange guy swears up and down this shouldn't be required and that Event Log Readers should be fine...

Re: User-ID for Exchange Permission Issue

sraghunandan — Wed, 26 Jun 2013 18:22:01 GMT

Have you had a chance to look at this doc

https://live.paloaltonetworks.com/docs/DOC-3664

Re: User-ID for Exchange Permission Issue

melonheadr — Wed, 26 Jun 2013 18:22:24 GMT

I agree. PAN support wanted me to add the service-account to the local admin group on the Exchange servers. I refused and asked him to provide me documentation that this is required. Least privilege model... right?

Re: User-ID for Exchange Permission Issue

SabreAce33 — Wed, 26 Jun 2013 18:25:53 GMT

I have. The only difference between that doc and our deployment is Server Operators, which won't fly with our AD guys. The Exchange monitoring, which is not outlined in that document at all, works fine without Server Operators.

Re: User-ID for Exchange Permission Issue

SabreAce33 — Wed, 26 Jun 2013 18:26:25 GMT

Totally concur. That's not a valid answer for me.

Re: User-ID for Exchange Permission Issue

melonheadr — Wed, 26 Jun 2013 18:28:34 GMT

Definitely followed the document. My service-account is part of "event log readers" and "server operators." As said before, the User-ID agent works fine with domain controllers. Something is odd with the connection to Exchange servers.

Re: User-ID for Exchange Permission Issue

melonheadr — Wed, 10 Jul 2013 19:39:24 GMT

John,

I sat down and worked with my Exchange admin. He added my service account to the Exchange server's local "event log readers" group. Bam, user-ID agent is now connected. I haven't dug through the data yet but at least it resolves the error I was receiving. Hope this helps.

Charlie

Re: User-ID for Exchange Permission Issue

SabreAce33 — Fri, 19 Jul 2013 21:49:35 GMT

Thanks Charlie,

I'll talk to my AD/Exchange guy next week and see if that does the trick.

John

Re: User-ID for Exchange Permission Issue

scottsander — Wed, 03 Jun 2015 15:06:52 GMT

The documentation for the built-in PAN-OS user-ID agent appears to be incomplete. Here is what I had to do in order to get it to work for our Exchange 2010 CAS servers:

Grant the user-ID agent service account "Enable Account" and "Remote Access" permission to the CIMV2 WMI namespace on the Exchange CAS servers.
Add the service account to the local "Event Log Readers" and "Distributed COM Users" groups on the Exchange CAS servers.

I did not have to add the service account to the domain "Server Operators" or "Domain Admins" groups or local "Power Users" or "Administrators" groups as I have seen suggested in some places.

The second step appears to be the sticky part as the documentation just says to add the user to the built-in groups. Many probably (and I did) assume that means the groups that are built into the Active Directory domain. While membership in those Active Directory groups is in fact required in order to have the built-in user-ID agent successfully monitor Active Directory domain controllers, membership in those groups does not grant that same membership in the local group equivalents on other domain member servers, including Exchange servers.

So, if you want the built-in user-ID agent to monitor both domain controllers and Exchange CAS servers, it has to be a member of both the domain "Event Log Readers" and "Distributed COM Users" groups and the same local group equivalents on the Exchange CAS servers themselves.

I hope this helps others.