Agentless User-ID 'access denied' Error in Server Monitor

Issue

While using agentless User-ID setup, the status shows as Access denied under Server Monitoring:

Cause

Check the useridd.log

1. Run the following command:
   > less mp-log useridd.log
2. Go to the end of the file by pressing Shift+G on the keyboard. If the following error appears in the logs, the problem is likely caused by a permissions issue:
   log query for snt016 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.
3. Also, if the error "NT_STATUS_NET_WRITE_FAULT" appears in the log entries, this indicates a that special character is used in the password of the service account. This password needs to be reset.

Resolution

Refer to the following document for the correct setup of the Agentless User-ID: How to Configure Agentless User-ID

Check permission settings on Windows 2008/2012 server for WMI event log access by the agentless User-ID:

• All device users are assigned to a group. This group should be created as a “Universal group”, so it can be used across multiple domains. The newly created group should be added to the built-in group, “Event Log Readers”, to allow reading of security logs of the Active Directory Domain Controller or Microsoft Exchange Server. It should also be added to the “Distributed COM Users” user group to allow remote login via DCOM.
• If the the user group should be allowed to access the security logs of all domain servers, a corresponding permission can be set via Microsoft Active Directory Group Policy Objects.
  

WMI Permissions

• For Windows 2008/2012 server, the permission system to access servers and local resources remotely has been dramatically changed from prior versions. These changes require certain permissions of the WMI APIs in order for User-ID to access security event logs remotely.
• On the specific Windows Servers that need to monitored, open the WMI management console (“wmimgmt.msc”). Select the local WMI Controls properties, and edit the “Security” settings. Navigate to the “CIMV2” section and click “Security”. Add the user group created for the firewall users to the list of authorized users and groups, and enable the “Enable Account”, “Remote Enable” and "Read Security" permissions.
  

GPO Settings

• Alternatively, in order to allow the newly created user group to access ALL security logs across all domain servers, set the corresponding Group Policy Object instead of individually adding the group to the local groups. This is required, since this permission is a local permission on the servers of the domain.
• Refer to the following document for the setup of GPO: Using Active Directory GPO to Install the Global Protect Client.

If the issue is still not resolved, take packet captures on the Domain Controller to determine the failed authentication and contact Palo Alto Networks support.

owner: pvemuri