Agentless User-ID 'access denied' Error in Server Monitor


Issue

While using agentless User-ID setup, the status shows as Access denied under Server Monitoring:
(screenshot: accessdeny.png)

Cause

Check the useridd.log

  1. Run the following command:
    > less mp-log useridd.log
  2. Go to the end of the file by pressing Shift+G on the keyboard. If the following error appears in the logs, the problem is likely caused by a permissions issue:
    log query for snt016 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.
  3. Also, if the error "NT_STATUS_NET_WRITE_FAULT" appears in the log entries, this indicates that a special character is used in the password of the service account. This password needs to be reset.


Resolution

Refer to the following document for the correct setup of the Agentless User-ID: How to Configure Agentless User-ID


Check permission settings on Windows 2008/2012 server for WMI event log access by the agentless User-ID:

  • All device users are assigned to a group. This group should be created as a “Universal group”, so it can be used across multiple domains. The newly created group should be added to the built-in group, “Event Log Readers”, to allow reading of security logs of the Active Directory Domain Controller or Microsoft Exchange Server. It should also be added to the “Distributed COM Users” user group to allow remote login via DCOM.
  • If the user group should be allowed to access the security logs of all domain servers, a corresponding permission can be set via Microsoft Active Directory Group Policy Objects.
    (screenshot: user membership.png)

WMI Permissions

  • For Windows 2008/2012 server, the permission system to access servers and local resources remotely has been dramatically changed from prior versions. These changes require certain permissions of the WMI APIs in order for User-ID to access security event logs remotely.
  • On the specific Windows Servers that need to be monitored, open the WMI management console (“wmimgmt.msc”). Select the local WMI Controls properties, and edit the “Security” settings. Navigate to the “CIMV2” section and click “Security”. Add the user group created for the firewall users to the list of authorized users and groups, and enable the “Enable Account”, “Remote Enable” and "Read Security" permissions.
    (screenshot: CIMV2.png)

GPO Settings

  • Alternatively, in order to allow the newly created user group to access ALL security logs across all domain servers, set the corresponding Group Policy Object instead of individually adding the group to the local groups. This is required, since this permission is a local permission on the servers of the domain.
  • Refer to the following document for the setup of GPO: Using Active Directory GPO to Install the Global Protect Client.
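As an added check (not code from this article or from Palo Alto Networks), the PowerShell below, run from an elevated prompt on a monitored server, reads the root\cimv2 namespace DACL and the two local groups named above and reports whether the User-ID group holds the Enable Account, Remote Enable and Read Security rights and the required local group memberships. The group name is a placeholder; the access-mask bit values are the ones behind the checkboxes in wmimgmt.msc.

```powershell
# Added example, not from the article: verify the rights the article asks for.
# Run in an elevated PowerShell on the server being monitored.
$GroupName = 'EXAMPLE\UserID-Readers'   # placeholder: group holding the User-ID service account

# WMI namespace access-mask bits behind the checkboxes in wmimgmt.msc
$WBEM_ENABLE        = 0x00001   # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x00020   # "Remote Enable"
$READ_CONTROL       = 0x20000   # "Read Security"

# Read the DACL of root\cimv2 via the namespace's __SystemSecurity class
$sec = Get-WmiObject -Namespace 'root\cimv2' -Class '__SystemSecurity' -List
$sd  = $sec.GetSecurityDescriptor().Descriptor

# Collect the access mask from every "allow" ACE (AceType 0) for this trustee
$granted = 0
foreach ($ace in $sd.DACL) {
    $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
    if ($ace.AceType -eq 0 -and $trustee -eq $GroupName) {
        $granted = $granted -bor $ace.AccessMask
    }
}

$missing = @()
if (-not ($granted -band $WBEM_ENABLE))        { $missing += 'Enable Account' }
if (-not ($granted -band $WBEM_REMOTE_ACCESS)) { $missing += 'Remote Enable' }
if (-not ($granted -band $READ_CONTROL))       { $missing += 'Read Security' }
if ($missing.Count -eq 0) {
    "root\cimv2: $GroupName has Enable Account, Remote Enable and Read Security"
} else {
    "root\cimv2: $GroupName is MISSING: $($missing -join ', ')"
}

# Local group membership on this server. Membership in the domain groups of the
# same name does not grant these local rights on member servers such as Exchange.
$shortName = $GroupName.Split('\')[-1]
foreach ($lg in 'Event Log Readers', 'Distributed COM Users') {
    $members = ([ADSI]"WinNT://./$lg,group").Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $state = if ($members -contains $shortName) { 'present' } else { 'MISSING' }
    "Local group '$($lg)': $GroupName is $state"
}
```

Run it on each domain controller and each Exchange server you monitor, since the local group results differ per host.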


If the issue is still not resolved, take packet captures on the Domain Controller to determine the failed authentication and contact Palo Alto Networks support.


owner: pvemuri

Comments

I have used the Administrator of the DC, but the status also shows as Access denied under Server Monitoring, and I can see the error "failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object"

Any advice?

Can you make sure the administrator has the CIMV2 permissions on the AD?

If all the permissions listed above in the document are in place, please call in to support and we can take a look for you.

The administrator has the CIMV2 permissions on the AD. I use the xxx\administrator, and it is a member of the xxx\administrators; the xxx\administrators have all permissions.

I think the domain administrator has the full permissions and doesn't need to be added to other user groups such as “Distributed COM Users” or “Event Log Readers”.

And I can see the DC has some active connections which come from the Palo Alto if I use the below cmd on our DC server, but the connections' state was TIME_WAIT.

netstat -ano | find "135"

How do I call you in to support? Do you mean I need to open a case?

Hello

Yes please. You can call us at Support Contact: US: (866) 898-9087, Outside the US: +1-408-738-7799 and we will open a case for you to see what is going on.

Small note for integration with Microsoft Exchange 2010 CAS Servers. On each server the Palo Alto service account needs to be in the following groups: "Event Log Readers", "Distributed COM Users", and "Power Users" for querying to work cleanly.

The documentation for the built-in PAN-OS User-ID agent appears to be incomplete. Here is what I had to do in order to get it to work for our Exchange 2010 CAS servers:

  1. Grant the user-ID agent service account "Enable Account" and "Remote Access" permission to the CIMV2 WMI namespace on the Exchange CAS servers.
  2. Add the service account to the local "Event Log Readers" and "Distributed COM Users" groups on the Exchange CAS servers.

I did not have to add the service account to the domain "Server Operators" or "Domain Admins" groups or local "Power Users" or "Administrators" groups.

The second step appears to be the sticky part as the documentation just says to add the user to the built-in groups. Many probably (and I did) assume that means the groups that are built into the Active Directory domain. While membership in those Active Directory groups is in fact required in order to have the built-in User-ID agent successfully monitor Active Directory domain controllers, membership in those groups does not grant that same membership in the local group equivalents on other domain member servers, including Exchange servers.

So, if you want the built-in user-ID agent to monitor both domain controllers and Exchange CAS servers, it has to be a member of both the domain "Event Log Readers" and "Distributed COM Users" groups and the same local group equivalents on the Exchange CAS servers themselves.

I hope this helps others.

You can also set the CIMV2 security across multiple servers via a Powershell script here. https://live.paloaltonetworks.com/docs/DOC-4281

You are unable to set that by the GPO itself; if you wanted to do that you would need to use something like the article described here. https://live.paloaltonetworks.com/docs/DOC-1924

For Server 2012 R2 you need to set the right WMI permissions for agentless user-id monitoring to work.


Nowhere does it mention this is needed for Server 2012. :( This was not required on Server 2008.

Instructions (also found above in this article):

"Open the WMI management console (“wmimgmt.msc”). Select the local WMI Controls properties, and edit the “Security” settings. Navigate to the “CIMV2” section and click “Security”. Add the user group created for the firewall users to the list of authorized users and groups, and enable the “Enable Account” and “Remote Enable” permissions."


With the above instructions on windows 2012 server, mapping detection works fine for domain users but not for domain admins.

In order to get WMI for User-ID (integrated PAN-OS agent) working on a DC running W2012, we also had to enable "Remote Enable" besides "Enable Account" and "Read Security".

(screenshot: Capture.PNG)

Please add this to https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/create-a-dedicated-service-a...