hey community -
tearing my hair out here... I've set up an RODC in my environment and added a test group to the allowed password replication group. I've configured the User-ID and Credential agents on the RODC; they say connected to my firewall, and also successfully connect to the other DCs. I can see my user-to-IP mapping for my test account. On the firewall I've created a User-ID agent that shows connected as well.
However, show user credential-filter statistics shows zero entries, and I'm also seeing this in the User-ID logs:
UIA CredentialChecking error: credential enabled but no digest.
What am I missing here? thanks for any advice!!
I should have replied here when I solved this particular issue. For the benefit of others (I don't think this is documented anywhere yet), the version of Credential & User-id agents have to be equal or less than the PAN-OS on the firewalls doing the checking.
thanks for pinging here and reminding me! :)
Hi, found your post and wondered if you could point me in the right direction.
Trying to implement this as well in our environment.
I have built an RODC and installed both programs.
Running PAN-OS version 8.1.7
I am running into some problems though.
The User_ID agent runs as a service. At first via the Local System Account but if you configure it to run with a dedicated account it wants to run the service with this account
Although the account is configured to run as a service in the default domain policy, it throws an error when you start the service.
I have used the following instructions to set this up
Are there any additional instructions that I need to follow to implement this correctly on a RODC (Server 2012R2)?
Have you tried walking down your version at all? I'm not running 8.1 at the edge just yet, and I'm wondering if there are bugs in the 8.1 versions. I'm running 8.0.10 right now for both agents, but I'm interested to know if it's versioning since I'm headed to 8.1 on the border firewalls really soon.
Let me know what you think.
Hi Laura, thanks for your reply.
I have downgraded the client further to version 8.1.5-6.
It appears to be working correctly as long as it runs with the local system account.
In the log I see a whole bunch of entries appearing
When I edit the UserIdentification setup and save it, the service starts to run with the RODC_Service account.
This account has the correct privileges according to this article.
But the service fails to start when started with this new account:
06/04/19 11:19:03:448[Error 2382]: Start error -1!!
06/04/19 11:19:03:448[Error 764]: Device listening thread stops timeout!
06/04/19 11:19:45:694[ Info 2357]: ------------Service is being started------------
06/04/19 11:19:45:694[ Info 2364]: Os version is 6.2.0.
06/04/19 11:19:45:694[Error 675]: Cannot open config reg log key with error 5(Access is denied.
As said, as long as it runs with the system account there are green lights though in the Palo Alto User_ID Agent screen so I will try if I can get a block page when entering corporate credentials.
Still a bit confused how all this works but let's give it a try :-)
Can't seem to get this to work. Whatever I try, the Palo Alto does not detect any user credential submission. Tried various websites and categories to put the URL credential submission to block.
But unfortunately, no luck whatsoever.
I think I am going to put this aside for a while and try some other time.
This is causing too much frustration :-)
@Chacko42 : Thanks for your reply. How would you check this via the commandline? I did a quick Google Search but was not able to find this. Can you advise?
show user user-id-agent state <your RODC agent>
There you should see hits at
num of bloomfilter requests sent :
num of bloomfilter response received :
In the best case, the errors are low or non-existent.
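As an added example (not code from any poster in this thread and not Palo Alto's own tooling), a small Python triage script that splits run-together User-ID agent log output, like the block pasted above, into entries and tags the two error messages this thread explains. The cause mapping is assumed from the replies above, and the timestamped "no digest" line in the sample is constructed, since the original post shows that message without its prefix.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Entry shape as pasted in this thread: "06/04/19 11:19:03:448[Error 2382]: Start error -1!!"
TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}"
ENTRY_RE = re.compile("(" + TS + r")\[\s*(\w+)\s+(\d+)\]:\s*(.*)", re.S)
SPLIT_RE = re.compile("(?=" + TS + r"\[)")  # zero-width split before each timestamp

@dataclass
class AgentLogEntry:
    timestamp: str
    level: str   # Error / Info
    code: int    # numeric id inside the brackets
    message: str

# Messages seen in this thread and the cause each reply attributed to them
# (assumed mapping derived from the posts above, not an official list).
KNOWN_CAUSES: List[Tuple[str, str]] = [
    ("credential enabled but no digest",
     "agent version newer than the firewall's PAN-OS; match or downgrade the agent"),
    ("Cannot open config reg log key with error 5",
     "service account cannot read the agent's registry key; check its permissions"),
]

def parse_agent_log(text: str) -> List[AgentLogEntry]:
    """Split run-together agent log output into one entry per timestamp."""
    entries = []
    for chunk in SPLIT_RE.split(text):
        m = ENTRY_RE.match(chunk.strip())
        if m:
            ts, level, code, msg = m.groups()
            entries.append(AgentLogEntry(ts, level, int(code), msg.strip()))
    return entries

def triage(entries: List[AgentLogEntry]) -> List[Tuple[int, str]]:
    """Return (code, likely cause) for every Error entry; unknown messages are flagged."""
    findings = []
    for e in entries:
        if e.level.lower() != "error":
            continue
        cause = next((c for needle, c in KNOWN_CAUSES if needle in e.message),
                     "not covered in this thread; check agent version and service account first")
        findings.append((e.code, cause))
    return findings

# Constructed sample: the log pasted above plus a timestamped copy of the
# 'no digest' message (code 999 is a placeholder, not a real agent code).
SAMPLE_LOG = (
    "06/04/19 11:19:03:448[Error 2382]: Start error -1!! "
    "06/04/19 11:19:03:448[Error 764]: Device listening thread stops timeout! "
    "06/04/19 11:19:45:694[ Info 2357]: ------------Service is being started------------ "
    "06/04/19 11:19:45:694[ Info 2364]: Os version is 6.2.0. "
    "06/04/19 11:19:45:694[Error 675]: Cannot open config reg log key with error 5(Access is denied. "
    "06/04/19 11:20:01:000[Error 999]: UIA CredentialChecking error: credential enabled but no digest."
)

if __name__ == "__main__":
    for code, cause in triage(parse_agent_log(SAMPLE_LOG)):
        print(f"[{code}] {cause}")
```

Run it against your own agent log text in place of SAMPLE_LOG; Info entries are parsed but only Error entries appear in the triage output.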