Access Denied (Server Monitor)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Access Denied (Server Monitor)

L0 Member

I configured the Base name and bind name properly but we facing the following error in putty “pan_user_id_win_get_error_status(pan_user_id_win.c:1130): WMIC message from server AD-Monitor: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied” and  “pan_user_id_win_wmic_log_query(pan_user_id_win.c:1439): log query for AD-Monitor failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied”

 

 

5 REPLIES 5

Cyber Elite
Cyber Elite

@shafi.md,

Can you look at the server and verify the setting of 'Network security: LAN Manager authentication level' 

L4 Transporter

@shafi.md 

I presume that you use the build-in User-ID agent. This normally happens, when you have not added the AD account used by the firewall to account with rights to read the WMIC address space.

You need to repeat it on each monitored server:

 

  • Right-click the Windows icon ( png ), Search for wmimgmt.msc, and launch the WMI Management Console.
  • In the console tree, right-click WMI Control and select Properties.
  • Select Security, select RootCIMV2, and click Security.
  • Add the name of the service account you created, Check Names to verify your entry, and click OK.
  • You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
  • In the Permissions for <Username> section, Allow the Enable Account, and Remote Enable permissions.
  • Click OK twice.
  • Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account to the local Distributed Component Object Model (DCOM) Users and Remote Desktop Users groups on the system that will be probed.

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a...

 

Still Same issue (Access Denied)

 

Output

2019-05-01 08:59:20.280 +0530 Error: pan_user_id_win_wmic_sess_query(pan_user_id_win.c:1588): session query for 192.168.0.212 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

 

I have integrate one more firewall with server 2008, that is working fine,

 

The above error i am getting from firewall after running this command (less mp-log useridd.log), integration with server 2012 r2

L0 Member

I have two problems: 

2021-11-18 12:18:06.656 -0600 Error: pan_user_id_win_wmic_sess_query(pan_user_id_win.c:1748): session query for USER-ID failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003

2021-11-18 12:18:06.656 -0600 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server USER-ID: NTSTATUS: NT code 0x80041003 - NT code 0x80041003

 

 

any solution?

L1 Bithead

>> mp useridd.log 2022-07-22 05:53:28.324 +0400 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for server1.local failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

>>mp useridd.log 2022-07-22 05:53:28 2022-07-22 05:53:28.324 +0400 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server server1.local: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied


We checked this issue further and found the reason as a recent patch release from Microsoft KB5004442 which impacts the WMI transport service used from the FW side.
We checked the same with the Server Team and could correlate the patch installation and the mapping failure timestamps.
A detailed description of the issue along with the resolution is provided in the articles below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA&lang=en_US%E2%80%A...

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-...

  • 32088 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!