topic Re: User-ID Agent Errors on Domain Controllers in General Topics

User-ID Agent Errors on Domain Controllers

dannon — Wed, 03 Dec 2014 18:12:10 GMT

I'm getting the following error showing up in event viewer on our Windows domain controller. We have 4 DC total that have the the user-id agent installed.

As you can see, I am getting a lot of these error. The IP in question is one from our BYOD subnet, meaning it could be a end-user personal device. Most of the IPs in the error logs are from this subnet.

I am also seeing the following on the User-Agent logs:

I'm not sure if they are related or not. When I setup the agent, I left all settings at their defaults, except for adding our service account for start-up and adding the other DCs.

Re: User-ID Agent Errors on Domain Controllers

Mystique — Wed, 03 Dec 2014 18:19:30 GMT

Hello Dannon,

The DCOM errors are most probably due to WMI probing for IPs that are not responding. Can you please disable WMI probing under user-ID setup and test to see if the system error messages stopped ?

On PAN User-ID agent, go to setup --> click edit --> client probing --> uncheck WMI probing checkbox

Helpful doc:

User-ID Agent Generating DCOM and Kerberos System Errors

Re: User-ID Agent Errors on Domain Controllers

dannon — Thu, 19 Feb 2015 16:57:26 GMT

Yes, turning off WMI caused the errors to cease.

My problem now is that I want to have WMI enabled, but my server admin doesn't want all the logs flooded with these entries on the DCs.

What to do?

Re: User-ID Agent Errors on Domain Controllers

dannon — Wed, 11 Mar 2015 14:29:49 GMT

I've found that we have better results with user-id to ip mapping with having WMI probing enabled. I turned it on, and told our server admin to calm down. It's still messy looking and I would like to have Palo put this in a separate application log in event viewer. I've seen other filtering software do this.

Dannon