<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Agentless User-ID Not Connected (RESOLVED) in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/403570#M91828</link>
    <description>&lt;P&gt;Please be sure to mark this as resolved so others know, maybe even going so far as putting the "solution" in a post and marking that post as an "Accepted solution" so this is "Marked as resolved".&lt;/P&gt;
&lt;P&gt;Thanks!&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 28 Apr 2021 19:12:16 GMT</pubDate>
    <dc:creator>jdelio</dc:creator>
    <dc:date>2021-04-28T19:12:16Z</dc:date>
    <item>
      <title>Agentless User-ID Not Connected (RESOLVED)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/401939#M91761</link>
      <description>&lt;DIV&gt;&lt;DIV&gt;EDIT: I have resolved my issue... adding this in case someone runs into the same issue I did. Basically, I'm an idiot lol. Issue was because my AD servers are in a security zone and I needed to add a security policy that allowed the management IP address of the Palo into the AD Zone. Once that was added, I get a connected status in Server Monitoring and User ID mapping is now working.&lt;/DIV&gt;&lt;/DIV&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am completely at a loss on how to make agentless User-ID work from my PA 850, running 9.1.8.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have followed ALL of the instructions, including verifying that the service account is in the Distributed COM Users, Event Log Readers, and Server Operators groups. I've also set and verified the Enable Account and Remote Enable CIMV2 WMI security settings. I've verified that the username/password is good on the service account and the account is not locked. EDIT: I've also verified that the Windows Firewall on the DCs is not blocking WMI, and that the WMI service is running.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I get the following errors, showing it's not connected to my domain controller:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;show user server-monitor statistics&lt;/P&gt;&lt;P&gt;Directory Servers:&lt;BR /&gt;Name TYPE Host Vsys Status&lt;BR /&gt;-----------------------------------------------------------------------------&lt;BR /&gt;[AD Server FQDN]&amp;nbsp; AD&amp;nbsp;[AD Server FQDN] vsys1 Not connected&lt;BR /&gt;[AD Server 2 FQDN] AD&amp;nbsp;[AD Server 2 FQDN] vsys1 Not connected&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From the log:&lt;/P&gt;&lt;P&gt;2021-04-26 10:56:46.639 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server NTSTATUS: NT code 0xc002001b - NT code 0xc002001b&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2021-04-26 10:56:48.661 -0500 Error: 
pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2021-04-26 10:56:48.664 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2021-04-26 10:56:48.664 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Am I missing anything? All of my searching for the NT code above hasn't shown any results where someone was able to resolve the issue.&lt;/P&gt;</description>
      <pubDate>Wed, 28 Apr 2021 17:01:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/401939#M91761</guid>
      <dc:creator>BrandonStiefel1</dc:creator>
      <dc:date>2021-04-28T17:01:51Z</dc:date>
    </item>
    <item>
      <title>Re: Agentless User-ID Not Connected</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/401990#M91765</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/141428"&gt;@BrandonStiefel1&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Have you run something like WBEMTEST on a Windows system to mirror how you have the PA configured to verify 100% that it's not an issue with the service permissions? That would be the first place I would look, because usually this is caused by a permissions issue.&lt;/P&gt;
&lt;P&gt;Next, run a packet capture on the DC and see if you are seeing the WMI traffic from the firewall. That's step two, as you could just as easily be running into a communication issue.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 26 Apr 2021 18:29:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/401990#M91765</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-04-26T18:29:38Z</dc:date>
    </item>
    <item>
      <title>Re: Agentless User-ID Not Connected</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/402021#M91770</link>
      <description>&lt;P&gt;After posting this I did try the WBEMTEST and get an error that "The Remote procedure call failed and did not execute." So I'm thinking the issue is something to do with WMI not correctly running on the domain controller.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Our Domain Controller is Server Core, so I can't directly modify the WMI permissions. If I use a server with a GUI and connect to the WMI properties, I only get the "root" and not the full structure where you can set the root/cimv2 settings. I did however find a PowerShell script that works to set those permissions, but from my test it looks like something still isn't set correctly. I've restarted the WMI services on the Domain Controller, but no luck with it fixing the issue.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I do get a successful login event on the domain controller for the service account I'm using.&lt;/P&gt;</description>
      <pubDate>Mon, 26 Apr 2021 20:33:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/402021#M91770</guid>
      <dc:creator>BrandonStiefel1</dc:creator>
      <dc:date>2021-04-26T20:33:17Z</dc:date>
    </item>
    <item>
      <title>Re: Agentless User-ID Not Connected</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/402181#M91784</link>
      <description>&lt;P&gt;If you make the service account a full domain admin, does that change the behavior? If no, it's not a permission issue and there's something up with the WMI implementation on your server.&lt;/P&gt;</description>
      <pubDate>Tue, 27 Apr 2021 12:54:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/402181#M91784</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2021-04-27T12:54:16Z</dc:date>
    </item>
    <item>
      <title>Re: Agentless User-ID Not Connected (RESOLVED)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/403570#M91828</link>
      <description>&lt;P&gt;Please be sure to mark this as resolved so others know, maybe even going so far as putting the "solution" in a post and marking that post as an "Accepted solution" so this is "Marked as resolved".&lt;/P&gt;
&lt;P&gt;Thanks!&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 28 Apr 2021 19:12:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/403570#M91828</guid>
      <dc:creator>jdelio</dc:creator>
      <dc:date>2021-04-28T19:12:16Z</dc:date>
    </item>
    <item>
      <title>Re: Agentless User-ID Not Connected (RESOLVED)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/455397#M101573</link>
      <description>&lt;P&gt;Where were you able to add the policy? I am having a similar issue with our backup PA. Our primary is synced successfully.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Dec 2021 19:54:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/agentless-user-id-not-connected-resolved/m-p/455397#M101573</guid>
      <dc:creator>pharney26</dc:creator>
      <dc:date>2021-12-24T19:54:30Z</dc:date>
    </item>
  </channel>
</rss>

