If you think you will need Windows Server 2019 support for User-ID, ask your PA rep to vote for feature request ID# 11012!
We just upgraded all of our domain controllers organization-wide to Server 2019 only to find out that User-ID does not work with Server 2019 DCs. Now we must replace all of the DCs yet again with Server 2016 DCs in order to use User-ID since there is no expected fix date for this issue.
This request will apparently not make it onto the development roadmap until the issue receives the required number of votes. Server 2019 was released for general availability over 6 months ago and was in pre-release availability prior to that, so lack of support from Palo Alto is disappointing.
Thanks for the heads up, why not just setup a few 2016 servers with the user-id agent on them or use the builtin PAN agentless approach?
Just hinking out loud so you done have to rebuild DC's.
Palo Alto agentless User-ID also doesn't work for me. Same error.
Having just a few 2016 DCs won't capture logon events for the 2019 DCs since the agent needs to watch the security log on each DC. By necessity the agent has to watch every DC to capture every logon event.
Official Palo Alto OS support page for User-ID is here: https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-a...
Since everyone in my company uses outlook, we are pointing at our exchange logs instead. Its a quicker failover it they switch lans' etc.
I'm glad that's working for you.
That also brings up the point that according to the documentation, Exchange 2019 also is not supported by User-ID. We are not using Exchange 2019 yet but that method for associating users is not workable for our environment regardless.
Did you try the windows event log forwarding? I don't know if this is possible or supported from microsoft, but maybe you could forward the security logs from a win2019 dc to a win2016 server and read the logs from there.
Is your feature request maybe also about Terminal Server Agdnt support on windows 2019?
With every version unfortunately it is the same story. I was already waiting more than one year after the release of win2016 until it was supported by paloalto (ok there it was "only" missing support for secure boot and because of a not properly signed driver the agent was not able to run)
Thanks for the input. Log forwarding is an interesting solution I hadn't considered, but I don't think we'll go that way. We've started rebuilding DCs at 2016 level which will hopefully solve the problem with the least amount of odd workarounds. We don't use Terminal Services but I'd suspect the same issue to apply there since the Event Log subsystem and Security events should be similar on TS 2019 servers.
The error I am seeing in User-ID logs is "The stub received bad data". No further exposition even at Verbose log level.
I'm sorry to hear that Palo Alto sometimes has issues providing solutions upwards of a year after a fully supported Microsoft OS comes out. This isn't an uncommon scenario.
I have added this FR ID to the consolidated list of feature requests here in the community: https://live.paloaltonetworks.com/t5/General-Topics/Feature-Request-List/m-p/209128/highlight/true#M...
Does this only affect the user-id agent or does it also affect Agentless? I'll still e-mail our rep regardless since it seems like a feature that should surely be in by now!
EDIT - Just saw your earlier reply. This blows - our server team has already been planning on upgrading all DCs to 2019 this summer.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!