04-26-2021 09:14 AM - edited 04-28-2021 10:01 AM
I am completely at a loss on how to make agentless User-ID work from my PA 850, running 9.1.8.
I have followed ALL of the instructions, including verifying that the service account is in the Distributed COM Users, Event Log Readers, and Server Operators groups. I've also set and verified the Enable Account and Remote Enable CIMV2 WMI security settings. I've verified that the username/password is good on the service account and the account is not locked. EDIT: I've also verified that the Windows Firewall on the DCs is not blocking WMI, and that the WMI service is running.
I get the following errors, showing it's not connected to my domain controller:
show user server-monitor statistics
Directory Servers:
Name TYPE Host Vsys Status
-----------------------------------------------------------------------------
[AD Server FQDN] AD [AD Server FQDN] vsys1 Not connected
[AD Server 2 FQDN] AD [AD Server 2 FQDN] vsys1 Not connected
From the log:
2021-04-26 10:56:46.639 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.664 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.664 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
Am I missing anything? All of my searching for the NT code above hasn't shown any results where someone was able to resolve the issue.
04-26-2021 11:29 AM
Have you run something like WBEMTEST on a Windows system to mirror how you have the PA configured to verify 100% that it's not an issue with the service permissions? That would be the first place I would look, because usually this is caused by a permissions issue.
Next, run a packet capture on the DC and see if you are seeing the WMI traffic from the firewall. That's step two, as you could just as easily be running into a communication issue.
04-26-2021 01:33 PM
After posting this I did try the WBEMTEST and got an error that "The Remote procedure call failed and did not execute." So I'm thinking the issue is something to do with WMI not correctly running on the domain controller.
Our Domain Controller is Server Core, so I can't directly modify the WMI permissions. If I use a server with a GUI and connect to the WMI properties, I only get the "root" and not the full structure where you can set the root/cimv2 settings. I did however find a PowerShell script that works to set those permissions, but from my test it looks like something still isn't set correctly. I've restarted the WMI services on the Domain Controller, but no luck with it fixing the issue.
I do get a successful login event on the domain controller for the service account I'm using.
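An added example, not part of the thread: a small decoder for the NTSTATUS value in the User-ID log lines quoted in the first post, splitting it into severity, facility and code and grouping the log errors by reporting function. The name table is a short excerpt from the Windows `ntstatus.h` header; `0xC002001B` is `RPC_NT_CALL_FAILED_DNE`, whose message text is the same "remote procedure call failed and did not execute" wording that WBEMTEST returned. The function names `decode_ntstatus` and `summarize` are made up for this example.

```python
import re
from collections import Counter

# Two lines copied from the log in the first post, used as offline sample input.
SAMPLE_LOG = """\
2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
"""

# NTSTATUS layout: bits 31-30 severity, bit 29 customer flag,
# bits 27-16 facility, bits 15-0 code.
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}
FACILITY = {0x0: "none (generic)", 0x2: "FACILITY_RPC_RUNTIME", 0x3: "FACILITY_RPC_STUBS"}
# Excerpt of ntstatus.h, limited to a few RPC runtime values.
KNOWN = {
    0xC0020017: "RPC_NT_SERVER_UNAVAILABLE",
    0xC002001A: "RPC_NT_CALL_FAILED",
    0xC002001B: "RPC_NT_CALL_FAILED_DNE",
}

LINE_RE = re.compile(
    r"Error: (?P<func>\w+)\([^)]*\):.*?NT code (?P<code>0x[0-9a-fA-F]{8})"
)

def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into its documented bit fields."""
    facility = (value >> 16) & 0xFFF
    return {
        "severity": SEVERITY[(value >> 30) & 0x3],
        "customer": bool((value >> 29) & 0x1),
        "facility": FACILITY.get(facility, hex(facility)),
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "not in this excerpt"),
    }

def summarize(log_text):
    """Count (function, NTSTATUS) pairs in User-ID log text and decode each."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m.group("func"), int(m.group("code"), 16))] += 1
    return [
        {"function": f, "status": hex(s), "count": n, **decode_ntstatus(s)}
        for (f, s), n in sorted(counts.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A facility of `FACILITY_RPC_RUNTIME` places the failure in the RPC layer underneath WMI, which is consistent with the successful logon event for the service account noted in the post above.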
04-27-2021 05:54 AM
If you make the service account a full domain admin, does that change the behavior? If no, it's not a permission issue and there's something up with the WMI implementation on your server.
04-28-2021 12:12 PM
Please be sure to mark this as resolved so others know, maybe even going so far as putting the "solution" in a post and marking that post as an "Accepted solution" so this is "Marked as resolved".
Thanks!