User-ID for Exchange Permission Issue

L2 Linker

User-ID for Exchange Permission Issue

Hi All,

I'm running an agent-based User-ID setup against three AD DCs and two Exchange CAS servers.  Unfortunately, despite having the Event Log Reader permission, I cannot seem to get data from the Exchange servers.  I am successfully getting data from the DCs, but the Exchange servers always show either Connecting or Connecting (A required privilege is not held by the agent.).  Any ideas on whether or not Exchange requires additional permissions?

Thanks,

John

L2 Linker

Re: User-ID for Exchange Permission Issue

Any takers?

NGS
L3 Networker

Re: User-ID for Exchange Permission Issue

https://live.paloaltonetworks.com/message/15865#15865

Be aware that only OWA connections can be used; due to an Exchange limitation, there is no POP3 or IMAP user connection information.

L0 Member

Re: User-ID for Exchange Permission Issue

I am also having this issue.  I have a case open with support but there is no resolution yet.  I am using User-ID agent 5.0.5 and can connect to domain controllers just fine.  The Exchange server connections show "Connecting (A required privilege is not held by the agent.)"  I am attempting to connect to Exchange 2010.

Any thoughts?

L2 Linker

Re: User-ID for Exchange Permission Issue

Wish I had something to add.  That's the exact problem I'm having, though I'm using 5.0.4.  Please let me know what you find out!

L0 Member

Re: User-ID for Exchange Permission Issue

The closest thing I can find is this:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27949015.ht...

Scroll all the way to the bottom:

"Ending up not being able to use the event log viewers group and had to add the account to administrators group."

Perhaps Exchange 2010 doesn't use the "Event Log Readers" group...

L2 Linker

Re: User-ID for Exchange Permission Issue

Huh... my AD/Exchange guy swears up and down this shouldn't be required and that Event Log Readers should be fine...

L5 Sessionator

Re: User-ID for Exchange Permission Issue

Have you had a chance to look at this doc?

https://live.paloaltonetworks.com/docs/DOC-3664

L0 Member

Re: User-ID for Exchange Permission Issue

I agree.  PAN support wanted me to add the service-account to the local admin group on the Exchange servers.  I refused and asked him to provide me documentation that this is required.  Least privilege model... right?

L2 Linker

Re: User-ID for Exchange Permission Issue

I have.  The only difference between that doc and our deployment is Server Operators, which won't fly with our AD guys.  The Exchange monitoring, which is not outlined in that document at all, works fine without Server Operators.
