Agentless user id issue


L4 Transporter

I am facing a User-ID issue: it shows connected, but sometimes it shows not connected. When I check the User-ID log I find this error. Please suggest.

 

Error: pan_user_id_win_log_query(pan_user_id_win.c:1364): log query for <Server-IP > failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b

2020-09-03 13:09:08.934 +0400 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1055): WMIC message from server <Server-IP > : NTSTATUS: NT code 0xc002001b - NT code 0xc002001b

 

5 REPLIES

L1 Bithead

Do you want to set up a team viewer session? I can take a look if you'd like.

Cyber Elite

@Joshan_Lakhani,

This is a permission error on the service account. Double check that you've granted the service account used in the WMI configuration the proper permissions on the account.

@BPry 

 

I have checked the WMI permissions on the service account and all the permissions are given on the service account.

 

28 17:42:54.567 +0400 Error:  pan_user_id_win_wmic_log_query(pan_user_id_win.c:1588): log query for <Server Name> failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2020-09-28 17:42:54.567 +0400 Error:  pan_user_id_win_get_error_status(pan_user_id_win.c:1273): WMIC message from server <Server Name>: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
---
2020-09-28 17:38:19.933 +0400 Warning:  pan_user_id_win_log_parse(pan_user_id_win.c:1458): failed to convert time str 20200928133[wmi/wmic.c:216:main()] ERROR: Retrieve result data.
2020-09-28 17:41:05.187 +0400 Warning:  pan_user_id_win_log_parse(pan_user_id_win.c:1458): failed to convert time str 2020[wmi/wmic.c:216:main()] ERROR: Retrieve result data.
---

Regards,

Joshan Lakhani
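
An added example, not part of any post in this thread and not Palo Alto Networks code: a small Python triage script for User-ID log lines in the format quoted above. It tallies NTSTATUS failures per monitored server so intermittent "not connected" states can be tied to specific servers. The server names and sample lines are constructed; lines with a truncated or missing timestamp are still parsed.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in this thread. The server names
# dc01.example / dc02.example are placeholders, not values from the thread.
SAMPLE = """\
2020-09-28 17:42:54.567 +0400 Error:  pan_user_id_win_wmic_log_query(pan_user_id_win.c:1588): log query for dc01.example failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2020-09-28 17:42:54.567 +0400 Error:  pan_user_id_win_get_error_status(pan_user_id_win.c:1273): WMIC message from server dc01.example: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
28 17:45:10.101 +0400 Error:  pan_user_id_win_wmic_log_query(pan_user_id_win.c:1588): log query for dc02.example failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2020-09-28 17:41:05.187 +0400 Warning:  pan_user_id_win_log_parse(pan_user_id_win.c:1458): failed to convert time str 2020[wmi/wmic.c:216:main()] ERROR: Retrieve result data.
"""

# Line header: optional (possibly truncated) timestamp and UTC offset, then
# level, reporting function, source file and line, and the message text.
LINE = re.compile(
    r"^(?:(?P<ts>(?:[\d-]+ )?\d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[+-]\d{4}) )?"
    r"(?P<level>\w+):\s+(?P<func>\w+)\((?P<src>[\w./]+:\d+)\): (?P<msg>.*)$")
# Failure messages naming a monitored server and an NTSTATUS code.
FAIL = re.compile(
    r"(?:log query for|WMIC message from server) (?P<server>.+?)\s*(?:failed)?: "
    r"NTSTATUS: NT code (?P<code>0x[0-9a-fA-F]{8})")

def triage(text):
    """Return (failures, other); failures maps (server, code) to a summary."""
    failures = defaultdict(lambda: {"count": 0, "first": None, "last": None, "funcs": set()})
    other = []
    for raw in text.splitlines():
        head = LINE.match(raw)
        if not head:
            if raw.strip() not in ("", "---"):  # skip blanks and separators
                other.append(raw)
            continue
        hit = FAIL.search(head["msg"])
        if not hit:
            other.append(raw)  # e.g. time-conversion warnings with wmic output mixed in
            continue
        entry = failures[(hit["server"], hit["code"].lower())]
        entry["count"] += 1
        entry["first"] = entry["first"] or head["ts"]  # first seen, in file order
        entry["last"] = head["ts"]
        entry["funcs"].add(head["func"])
    return dict(failures), other

if __name__ == "__main__":
    failures, other = triage(SAMPLE)
    for (server, code), e in sorted(failures.items()):
        print(f"{server} {code} x{e['count']} {e['first']} .. {e['last']} {sorted(e['funcs'])}")
    print(f"{len(other)} line(s) without a server/NTSTATUS pair")
```
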

L0 Member

I am having exactly the same issue. I even tested the account permission via wbemtest and it is OK, yet both the Windows User-ID Agent and Integrated User-ID Agent are not able to connect with any of the Active Directory servers except 1. The communication is also 'allowed' via the firewall. Not sure how to troubleshoot this issue.

L0 Member

 

Here are some of the reference links that helped me resolve my issue. It was basically a two-fold solution: (a) proper rights assignment on the AD and (b) the right patches on the AD as well as on the User-ID Agent server.

 

INSTALLING MICROSOFT'S JUNE 8TH 2021 NTLM ELEVATION OF PRIVILEGE VULNERABILITY PATCHES MAY BREAK THE USER-ID AGENT'S CONNECTION TO DOMAIN CONTROLLER(S):
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Vcg

 

Enable Remote WMI Access for a Domain User Account:
https://martellotech.com/blog/enable-remote-wmi-access-for-a-domain-user-account/

 

Server Monitoring Not Connected:
https://live.paloaltonetworks.com/t5/general-topics/server-monitoring-not-connected/td-p/257956

This link helps in WMI testing.

 

AGENTLESS USER-ID 'ACCESS DENIED' ERROR IN SERVER MONITOR:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC

This link has the resolution of the Access Denied error.
