User-ID for Exchange Permission Issue

L2 Linker

Re: User-ID for Exchange Permission Issue

Totally concur.  That's not a valid answer for me.

L0 Member

Re: User-ID for Exchange Permission Issue

Definitely followed the document.  My service-account is part of "event log readers" and "server operators." As said before, the User-ID agent works fine with domain controllers.  Something is odd with the connection to Exchange servers.

L0 Member

Re: User-ID for Exchange Permission Issue

John,

I sat down and worked with my Exchange admin.  He added my service account to the Exchange server's local "event log readers" group.  Bam, user-ID agent is now connected.  I haven't dug through the data yet but at least it resolves the error I was receiving.  Hope this helps.

Charlie

L2 Linker

Re: User-ID for Exchange Permission Issue

Thanks Charlie,

I'll talk to my AD/Exchange guy next week and see if that does the trick.

John

L3 Networker

Re: User-ID for Exchange Permission Issue

The documentation for the built-in PAN-OS user-ID agent appears to be incomplete.  Here is what I had to do in order to get it to work for our Exchange 2010 CAS servers:

  1. Grant the user-ID agent service account "Enable Account" and "Remote Access" permission to the CIMV2 WMI namespace on the Exchange CAS servers.
  2. Add the service account to the local "Event Log Readers" and "Distributed COM Users" groups on the Exchange CAS servers.

I did not have to add the service account to the domain "Server Operators" or "Domain Admins" groups or local "Power Users" or "Administrators" groups as I have seen suggested in some places.

The second step appears to be the sticky part as the documentation just says to add the user to the built-in groups.  Many probably (and I did) assume that means the groups that are built into the Active Directory domain.  While membership in those Active Directory groups is in fact required in order to have the built-in user-ID agent successfully monitor Active Directory domain controllers, membership in those groups does not grant that same membership in the local group equivalents on other domain member servers, including Exchange servers.

So, if you want the built-in user-ID agent to monitor both domain controllers and Exchange CAS servers, it has to be a member of both the domain "Event Log Readers" and "Distributed COM Users" groups and the same local group equivalents on the Exchange CAS servers themselves.

I hope this helps others.
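As an added example (not from this thread or from Palo Alto Networks), the following PowerShell audit checks the two steps listed in the post on one Exchange CAS server and flags the local admin groups the post says are not needed. The service account `CORP\svc-userid` and the server name `EXCH-CAS01` are placeholders; run it as an account that can read the server's local groups and the WMI namespace security.

```powershell
# Added example, not from the thread: audit the User-ID service account's rights on one
# Exchange CAS server. Account and host names below are placeholders (assumptions).
param(
    [string]$ComputerName  = 'EXCH-CAS01',   # assumption: CAS server to check
    [string]$AccountDomain = 'CORP',         # assumption: NetBIOS domain name
    [string]$AccountName   = 'svc-userid'    # assumption: service account sAMAccountName
)

function Test-LocalGroupMember {
    # Read the server's LOCAL group through the WinNT provider. Membership in the domain
    # group of the same name does not show up here, which is the point the post makes.
    param([string]$Computer, [string]$Group, [string]$Domain, [string]$User)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $paths = @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    return ($paths -contains "WinNT://$Domain/$User")
}

# Step 2 of the post: both local groups are required on the CAS server itself.
foreach ($g in 'Event Log Readers', 'Distributed COM Users') {
    $ok = Test-LocalGroupMember $ComputerName $g $AccountDomain $AccountName
    "{0,-12} local '{1}': {2}" -f $ComputerName, $g, $(if ($ok) { 'OK' } else { 'MISSING' })
}
# Local admin-level groups are not required; report them as excess privilege.
foreach ($g in 'Administrators', 'Power Users') {
    if (Test-LocalGroupMember $ComputerName $g $AccountDomain $AccountName) {
        "{0,-12} local '{1}': present but not needed, consider removing" -f $ComputerName, $g
    }
}

# Step 1 of the post: "Enable Account" (WBEM_ENABLE) and "Remote Enable" (WBEM_REMOTE_ACCESS,
# called "Remote Access" in the post) on root\cimv2. Only direct ACEs for the account are
# counted; rights inherited through a group are not resolved here.
$WBEM_ENABLE = 0x1; $WBEM_REMOTE_ACCESS = 0x20
$needed = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$sec  = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2' -Class __SystemSecurity
$dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
$granted = 0
foreach ($ace in $dacl) {
    # AceType 0 = ACCESS_ALLOWED_ACE_TYPE
    if ($ace.AceType -eq 0 -and $ace.Trustee.Domain -eq $AccountDomain -and
        $ace.Trustee.Name -eq $AccountName) {
        $granted = $granted -bor $ace.AccessMask
    }
}
$wmiOk = (($granted -band $needed) -eq $needed)
"{0,-12} root\cimv2 Enable Account + Remote Enable: {1}" -f $ComputerName, $(if ($wmiOk) { 'OK' } else { 'MISSING' })
```

The WinNT provider and `__SystemSecurity` work against Windows Server 2008 R2 era hosts, so the script does not depend on the newer `Get-LocalGroupMember` cmdlet.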
