User-ID Configuration multiple different domains

L1 Bithead

Hello,

We have configured Captive Portals with LDAP on a Windows Server and it works perfectly fine, but now we have planned to add another, different domain to the LDAP & User-ID configuration and we have some problems which indicate access denied.

After running the command less mp-log useridd.log it shows the following response at the end of the lines. Please share if anyone has faced the same, or can we configure the User-ID Agent on 2 different domains?

Example of different domains (Domain A: Google.com /// Domain B: Amazon.com) while Domain B is the child domain of Domain A, and all of the users from Domain B are shown as Domain A.

pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_sess_query(pan_user_id_win.c:1463): session query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_ssl_conn_open(pan_ssl_utils.c:615): pan_tcp_sock_open() failed; errno=115
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
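
The following triage script is an added example, not code from the original post or from Palo Alto Networks. It parses useridd.log lines of the shape shown above (function(source.c:line): message, which the regexes assume), groups failures per monitored server and NTSTATUS, and separates the socket error from the DC permission errors; the sample lines are constructed after the excerpt, with a DC1 line added so the grouping is visible.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the post's useridd.log excerpt (DC1 line added to show grouping).
SAMPLE_LOG = """\
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_sess_query(pan_user_id_win.c:1463): session query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_ssl_conn_open(pan_ssl_utils.c:615): pan_tcp_sock_open() failed; errno=115
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC1 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
"""

# Line shape assumed from the excerpt: function(source.c:line): message
LINE_RE = re.compile(r"^(?P<func>\w+)\((?P<src>[\w.]+:\d+)\): (?P<msg>.*)$")
QUERY_RE = re.compile(r"^(?P<kind>log|session) query for (?P<server>[^\s:]+) failed: NTSTATUS: (?P<status>\S+)")
WMIC_RE = re.compile(r"^WMIC message from server (?P<server>[^\s:]+): NTSTATUS: (?P<status>\S+)")

def parse_line(line):
    """One useridd.log line -> record dict, or None if it has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"func": m["func"], "src": m["src"], "kind": "other", "server": None, "status": None}
    q = QUERY_RE.match(m["msg"])
    w = WMIC_RE.match(m["msg"])
    if q:
        rec.update(kind=q["kind"], server=q["server"], status=q["status"])
    elif w:
        rec.update(kind="wmic", server=w["server"], status=w["status"])
    return rec

def summarize(text):
    """Count failures per monitored server and NTSTATUS. Lines without a
    server (here the TCP socket error) are returned separately so they are
    not mistaken for the DC permission problem."""
    by_server, other = defaultdict(Counter), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["server"]:
            by_server[rec["server"]][(rec["kind"], rec["status"])] += 1
        else:
            other.append(rec)
    return by_server, other

def servers_denied(by_server):
    """Servers where every query ended in NT_STATUS_ACCESS_DENIED: the
    monitoring account lacks rights on that DC, not a transient failure."""
    return sorted(s for s, c in by_server.items()
                  if all(st == "NT_STATUS_ACCESS_DENIED" for _, st in c))
```

A server that appears in servers_denied() is the one whose monitoring account rights need checking; the socket error is listed separately by summarize().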

Community Team Member

Re: User-ID Configuration multiple different domains

Wanted to post that I moved this discussion from the "Feedback Forum" to the "General Discussion" area, as the Feedback Forum should only be used for Feedback that you have for the Live Community, not any technical questions.

Thanks! 

Stay Secure,
Joe
End of line
L4 Transporter

Re: User-ID Configuration multiple different domains

I have a single User-ID Agent running under Windows Server accessing several domains.

But unfortunately, when it comes to using User-ID in policy, because it does access AD via LDAP, we had to create a separate account in each domain.

I could not find a way around it.

If that answers your question.

--
CCNA Security, PCNSE7
L6 Presenter

Re: User-ID Configuration multiple different domains

My company has done the same as @bradk14. I've got UIA using a service account in the "main" AD domain. There is a trust with another forest. So a single instance of UIA with a service account in my main domain can pull logs from multiple domains / forests.

For actual security group enumeration I've got unique LDAP profiles for each domain, with service accounts in their respective domains. This allows enumeration of the required security groups and association of those groups in a security rule.

L4 Transporter

Re: User-ID Configuration multiple different domains

Hi ghafar,

Are you running an agentless or agent-based User-ID setup?

If agentless, check useridd.log. If agent-based, check the logs on the agent itself.

The logs you attached seem to show you have a server configured in Server Monitoring which is showing 'Access Denied'. Is that correct?

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
L1 Bithead

Re: User-ID Configuration multiple different domains

Thanks for the idea. The problem here is that the Systems Team is telling us the new domain is a child domain of the old domain, which has already been integrated with the PA FW.

Whenever we check logs for a specific domain it shows the new domain's logs as well, but under the old domain which is integrated with the firewall. Support is telling us the users log in to their own domain, but the logs are under another domain...

The domains are different and the servers are different. I have found links on the Palo Alto website, but they indicate the domains as

A1.abc.com
A2.abc.com
A3.com

but our scenario is like below, with completely different DNSs:

abc1.com
xyz.com


L6 Presenter

Re: User-ID Configuration multiple different domains

@Ghafar wrote:

...

but our scenario is like below with completely different DNSs.
abc1.com
xyz.com

Sorry, maybe I wasn't exactly clear. What you're describing here is exactly what I'm doing in my deployment. I'm not an MCSE by any stretch, but I'm using this terminology (hopefully correctly) because the distinction is important.

I have two unique "Forests" (abc.com / 123.com). Under each of these forests there are child domains. There is a domain trust established between these two "root" forest domains.

In my 'abc.com' "main" domain I have my UIA servers, which utilize a service account that exists ONLY in my abc.com domain. This service account is able to read DC logs across both forests and child domains.

I then have unique LDAP profiles created on the firewall for each of the unique domains. These LDAP profiles utilize service accounts which exist only in their respective domains. This piece allows the firewall to enumerate ("walk") the domains and utilize the security groups / user IDs desired in the various security policy rules.

I hope that clarified a bit what I was trying to explain before.

L0 Member

Re: User-ID Configuration multiple different domains

Thanks Brandon,

I am also working on the solution which you have done before. Could you please give me some idea how you have achieved this, so that I can try the same.

L1 Bithead

Re: User-ID Configuration multiple different domains

After my discussions with Palo Alto TAC, they have mentioned that we can configure User-ID on a single domain with its child domains only, so we cannot integrate 2 completely different domains...
