https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/158197#M51790 <P>Hello team,</P><P>&nbsp;</P><P>Customer has configured Credential Phishing with credential submission method as Use Domain Credential Filter and it does not work<BR />The user id agent is configured on the writeable domain controller<BR />But according to the below document to enable credential detection, must install the Windows-based User-ID agent on an RODC<BR /><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credential-detection-with-the-windows-based-user-id-agent#_20973" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credential-detection-with-the-windows-based-user-id-agent#_20973</A></P><P>Wanted to verify if RODC is mandatory to enable credential detection or will it work on writeable domain controller</P><P>The output of show user user-id-agent state SVR-DC2 is attached</P><P>&nbsp;</P><P>Kindly verify regarding the same&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="output.PNG" style="width: 796px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9404iCFE9D0BAFEB8866E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="output.PNG" alt="output.PNG" /></span></P><P>Regards</P><P>Banu Priya</P> Wed, 24 May 2017 22:47:31 GMT bgunasekar 2017-05-24T22:47:31Z https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/158197#M51790 <P>Hello team,</P><P>&nbsp;</P><P>Customer has configured Credential Phishing with credential submission method as Use Domain Credential Filter and it does not work<BR />The user id agent is configured on the writeable domain controller<BR />But according to the below document to enable credential detection, must install the Windows-based User-ID agent on an RODC<BR /><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credential-detection-with-the-windows-based-user-id-agent#_20973" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credential-detection-with-the-windows-based-user-id-agent#_20973</A></P><P>Wanted to verify if RODC is mandatory to enable credential detection or will it work on writeable domain controller</P><P>The output of show user user-id-agent state SVR-DC2 is attached</P><P>&nbsp;</P><P>Kindly verify regarding the same&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="output.PNG" style="width: 796px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9404iCFE9D0BAFEB8866E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="output.PNG" alt="output.PNG" /></span></P><P>Regards</P><P>Banu Priya</P> Wed, 24 May 2017 22:47:31 GMT https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/158197#M51790 bgunasekar 2017-05-24T22:47:31Z https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/158359#M51831 <P>When you asked the question, I was thinking the RODC was just a suggestion for security reasons, and the link you tagged actually states as such:</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credential-detection-with-the-windows-based-user-id-agent#_20973" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credential-detection-with-the-windows-based-user-id-agent#_20973</A></P><P>&nbsp;</P><P>"<SPAN>Installing the User-ID agent on an RODC can be useful for a few reasons: access to the domain controller directory is not required to enable credential detection and you can support credential detection for a limited or targeted set of users. Because the directory the RODC hosts is read-only, the directory contents remain secure on the domain controller."</SPAN></P> Thu, 25 May 2017 17:45:20 GMT https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/158359#M51831 Brandon_Wertz 2017-05-25T17:45:20Z https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/211264#M61647 <P>Did you get your issue resolved?</P> Sun, 22 Apr 2018 22:27:19 GMT https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/211264#M61647 staustin 2018-04-22T22:27:19Z https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/218304#M63115 <P>I'd like to know the same, for I'd like to implement but I don't want to set up an RODC for the sole purpose of supporting this.</P> Mon, 18 Jun 2018 22:36:11 GMT https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/218304#M63115 cenders 2018-06-18T22:36:11Z https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/305861#M79493 <P>Have you got answer for this ?</P><P>&nbsp;</P> Tue, 07 Jan 2020 13:05:54 GMT https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/305861#M79493 OmPrasad 2020-01-07T13:05:54Z https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/306877#M79704 <P>Unfortunately for this feature to work an RODC is required. Starting from windows server 2012 (or maybe even 2008) the password hashes are not readable from an AD joined server and not even on the domaincontroller itself - even obviously the password hashes are available there. The only way to read these hashes is on an RODC.</P><P>(I received this answer from PaloAlto Support)</P> Wed, 15 Jan 2020 20:45:36 GMT https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/306877#M79704 Remo 2020-01-15T20:45:36Z https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/306895#M79709 <P>Yes, I tested the same configuring RODC when it was not working on AD. It worked on RODC only.</P><P>&nbsp;</P> Thu, 16 Jan 2020 06:41:47 GMT https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/306895#M79709 OmPrasad 2020-01-16T06:41:47Z https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/332630#M84079 <P>this is exactly what we needed to know.</P> Tue, 09 Jun 2020 18:55:07 GMT https://live.paloaltonetworks.com/t5/general-topics/credential-phishing-with-credential-submission-method-as-use/m-p/332630#M84079 Sec101 2020-06-09T18:55:07Z