https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/330430#M83760 <P>I have setup user-id mapping using the instruction here:</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html#idf8932678-911a-4153-ab89-94f19b988aef" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html#idf8932678-911a-4153-ab89-94f19b988aef</A></P><P>&nbsp;</P><P>I have 2 servers with the user-id agent and 2 servers with the terminal server agent all set up and working. If I go into monitoring, i can see logs populating just fine and if I go into the cli and run&nbsp;</P><P>show user ip-user-mapping all</P><P>All the users show up mapped correctly.</P><P>&nbsp;</P><P data-unlink="true">Initially, we were trying to do user mapping by implementing&nbsp;User Mapping Using the PAN-OS Integrated User-ID Agent. We didn't like this solution and backed it all out.&nbsp; In the 2 weeks since, the only thing we did was upgrade the Pan-Os to version 9.0.8 and now when we run a commit, we intermittently receive the following error:</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">user-id-service is enabled, but no user-id-agent is configured for&nbsp;ntlm-auth</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">I think this may be left over from when we were trying to implement the integrated user-id agent. I have searched for a similar error but can't find anything close.</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">In the firewall, in device&gt;user identification&gt; user-ID agents, in the properties of the server, do I need to check the "<SPAN>Use for NTLM Authentication" check box since we are still using NTLM authentication to clear the error?</SPAN></P><P data-unlink="true">&nbsp;</P> Thu, 28 May 2020 22:46:49 GMT RussMcIntire 2020-05-28T22:46:49Z https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/330430#M83760 <P>I have setup user-id mapping using the instruction here:</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html#idf8932678-911a-4153-ab89-94f19b988aef" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html#idf8932678-911a-4153-ab89-94f19b988aef</A></P><P>&nbsp;</P><P>I have 2 servers with the user-id agent and 2 servers with the terminal server agent all set up and working. If I go into monitoring, i can see logs populating just fine and if I go into the cli and run&nbsp;</P><P>show user ip-user-mapping all</P><P>All the users show up mapped correctly.</P><P>&nbsp;</P><P data-unlink="true">Initially, we were trying to do user mapping by implementing&nbsp;User Mapping Using the PAN-OS Integrated User-ID Agent. We didn't like this solution and backed it all out.&nbsp; In the 2 weeks since, the only thing we did was upgrade the Pan-Os to version 9.0.8 and now when we run a commit, we intermittently receive the following error:</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">user-id-service is enabled, but no user-id-agent is configured for&nbsp;ntlm-auth</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">I think this may be left over from when we were trying to implement the integrated user-id agent. I have searched for a similar error but can't find anything close.</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">In the firewall, in device&gt;user identification&gt; user-ID agents, in the properties of the server, do I need to check the "<SPAN>Use for NTLM Authentication" check box since we are still using NTLM authentication to clear the error?</SPAN></P><P data-unlink="true">&nbsp;</P> Thu, 28 May 2020 22:46:49 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/330430#M83760 RussMcIntire 2020-05-28T22:46:49Z https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/331811#M83965 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/135892">@RussMcIntire</a>the very short answer is: yes <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>at least one of your agents needs to be the NTLM relay</P><P>&nbsp;</P> Fri, 05 Jun 2020 07:33:06 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/331811#M83965 reaper 2020-06-05T07:33:06Z https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/331976#M83991 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;</P><P>&nbsp;</P><P>Thank you for the reply.&nbsp;I checked the "Use for NTLM Authentication" check box for both servers and the error cleared. I find it odd it did not show up until after the Pan-OS upgrade to 9.0.8 from 8.1.10. We ran this config for nearly 2 weeks with no issue before then. Thoughts?</P> Fri, 05 Jun 2020 19:45:50 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/331976#M83991 RussMcIntire 2020-06-05T19:45:50Z https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/331980#M83992 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/135892">@RussMcIntire</a>&nbsp; I can only venture a guess:</P><P>maybe the check didn't exist prior to 9.0 or didn't include the clientless configuration</P> Fri, 05 Jun 2020 20:14:17 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-error-after-commit/m-p/331980#M83992 reaper 2020-06-05T20:14:17Z