topic Re: Crednetial Phishing Agent Permissions in General Topics

Crednetial Phishing Agent Permissions

apackard — Mon, 03 Sep 2018 17:15:07 GMT

Does anyone know if the credential phishing agent requires different\additional permissions to the base User agent?

I have installed with our 'standard' account and I get this in the logs:-

09/03/18 18:05:33:996 [ Info 2036]: ------------Service is being started------------
09/03/18 18:05:33:996 [ Info 2043]: Os version is 6.2.0.
09/03/18 18:05:33:996 [ Info 389]: Load debug log level Info.
09/03/18 18:05:33:996 [ Info 247]: Service version is 8.1.3.10.
09/03/18 18:05:33:996 [ Info 392]: Product version is 8.
09/03/18 18:05:33:996 [ Info 313]: Named pipe for UaService created.
09/03/18 18:05:34:028 [Error 716]: Unable to extract credentials.
09/03/18 18:05:39:028 [Error 716]: Unable to extract credentials.

It is also possible this is due to a security setting on the server itself I assume.

Thanks

Re: Crednetial Phishing Agent Permissions

SARowe_NZ — Mon, 25 Feb 2019 23:41:59 GMT

Hey did you get this fixed? I'm having the same issue.

Thanks!
Shannon

Re: Crednetial Phishing Agent Permissions

apackard — Tue, 26 Feb 2019 02:08:53 GMT

We did - I'm fairly sure we just had to run the Cred service as SYSTEM, not the Palo agent service account we assumed we needed to run both the PA agent and Cred agent with..

That said it is currently broken for us - I've not had time to check as we were only testing but I'm due to look this week as it turns out.

Re: Crednetial Phishing Agent Permissions

SARowe_NZ — Tue, 26 Feb 2019 03:13:17 GMT

Hi thanks for replying - I've made sure we're using the system account, not a service account.

I've logged it with TAC and will update here if I get a resolution.

Re: Crednetial Phishing Agent Permissions

Brandon_Wertz — Wed, 27 Feb 2019 13:47:43 GMT

I could have sworn early on the install instructions said you needed a domain admin or at least something along the way domain admin was required, but that doesn't appear to be the case now.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/threat-prevention/prevent-credential-phishing/configure-credential-detection-with-the-windows-based-user-id-agent.html#

For using "Domain Credential Filter" --

"Install the User-ID agent and the User Agent Credential service on an RODC using an account that has privileges to read Active Directory via LDAP (the User-ID agent also requires this privilege)."