Agentless User-ID Not Connected (RESOLVED)


L0 Member
EDIT: I have resolved my issue... adding this in case someone runs into the same issue I did. Basically, I'm an idiot lol. Issue was because my AD servers are in a security zone and I needed to add a security policy that allowed the management IP address of the Palo into the AD Zone. Once that was added, I get a connected status in Server Monitoring and User ID mapping is now working.


I am completely at a loss on how to make agentless User-ID work from my PA-850, running PAN-OS 9.1.8.


I have followed ALL of the instructions, including verifying that the service account is in the Distributed COM Users, Event Log Readers, and Server Operators groups. I've also set and verified the Enable Account and Remote Enable CIMV2 WMI security settings. I've verified that the username/password is good on the service account and that the account is not locked. EDIT: I've also verified that the Windows Firewall on the DCs is not blocking WMI, and that the WMI service is running.


I get the following output, showing it's not connected to my domain controllers:

show user server-monitor statistics

Directory Servers:
Name                TYPE  Host                Vsys   Status
-----------------------------------------------------------------------------
[AD Server FQDN]    AD    [AD Server FQDN]    vsys1  Not connected
[AD Server 2 FQDN]  AD    [AD Server 2 FQDN]  vsys1  Not connected

From the log:

2021-04-26 10:56:46.639 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.664 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2021-04-26 10:56:48.664 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b

Am I missing anything? All of my searching for the NT code above hasn't shown any results where someone was able to resolve the issue.


Cyber Elite

@BrandonStiefel1,

Have you run something like WBEMTEST on a Windows system to mirror how you have the PA configured to verify 100% that it's not an issue with the service permissions? That would be the first place I would look, because usually this is caused by a permissions issue.

Next, run a packet capture on the DC and check whether you are seeing the WMI traffic from the firewall. That's step two, as you could just as easily be running into a communication issue.

After posting this I did try WBEMTEST and get the error "The remote procedure call failed and did not execute." So I'm thinking the issue is something to do with WMI not correctly running on the domain controller.

Our domain controller is Server Core, so I can't directly modify the WMI permissions. If I use a server with a GUI and connect to the WMI properties, I only get "root" and not the full structure where you can set the root/cimv2 settings. I did, however, find a PowerShell script that works to set those permissions, but from my test it looks like something still isn't set correctly. I've restarted the WMI services on the domain controller, but no luck with it fixing the issue.

I do get a successful login event on the domain controller for the service account I'm using.
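The checks discussed so far (group membership, Enable Account and Remote Enable on root\cimv2, the host firewall, a WBEMTEST-style remote query, and setting namespace permissions on a Server Core DC) can be run from one script on a domain-joined Windows admin host. The script below is an added example and is not from the original thread or from Palo Alto Networks; the domain controller name, the service account name and the ActiveDirectory module being available are assumptions, and the -Grant switch needs local administrator rights on the DC because it writes the WMI namespace DACL. The 0x1 and 0x20 access-mask bits are the documented WMI values for Enable Account and Remote Enable.

```powershell
# Added example: audit (and optionally fix) agentless User-ID WMI prerequisites.
# Assumptions: dc01.example.local and EXAMPLE\svc-userid are placeholders;
# the ActiveDirectory module is installed on the host running this.
param(
    [string]$DomainController = 'dc01.example.local',   # assumption
    [string]$ServiceAccount   = 'EXAMPLE\svc-userid',   # assumption
    [switch]$Grant                                      # add the missing ACE
)

# 1. Transport: DCOM/WMI starts on TCP 135 (RPC endpoint mapper) and then
#    moves to a dynamic high port. A missing inter-zone policy or a host
#    firewall rule fails here before any credential is ever checked.
$tnc = Test-NetConnection -ComputerName $DomainController -Port 135
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP 135 to $DomainController is blocked: check the security policy from the firewall's management IP into the DC's zone, and the DC's host firewall."
}

# 2. Group membership needed to read the Security log over WMI.
$sam = $ServiceAccount.Split('\')[-1]
foreach ($g in 'Distributed COM Users', 'Event Log Readers') {
    $members = Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $sam) { Write-Warning "$sam is not a member of '$g'" }
}

# 3. Namespace security on root\cimv2, read through __SystemSecurity exactly
#    as the WMI Control MMC does. This works against a Server Core DC too.
$WBEM_ENABLE        = 0x1    # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"
$needed = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$wmiArgs = @{ Namespace = 'root\cimv2'; Path = '__systemsecurity=@'; ComputerName = $DomainController }
$sd = (Invoke-WmiMethod @wmiArgs -Name GetSecurityDescriptor).Descriptor

$have = 0
foreach ($a in $sd.DACL) {
    if ($a.AceType -eq 0 -and $a.Trustee.SIDString -eq $sid) { $have = $have -bor $a.AccessMask }
}
if (($have -band $needed) -ne $needed) {
    Write-Warning ("{0} lacks Enable Account/Remote Enable on root\cimv2 (effective mask 0x{1:x})" -f $ServiceAccount, $have)
    if ($Grant) {
        # Build an allow ACE for the account and write the DACL back.
        $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
        $trustee.SIDString = $sid
        $ace = ([wmiclass]'Win32_Ace').CreateInstance()
        $ace.AccessMask = $needed
        $ace.AceFlags   = 0x2        # CONTAINER_INHERIT_ACE: apply to sub-namespaces
        $ace.AceType    = 0          # ACCESS_ALLOWED_ACE_TYPE
        $ace.Trustee    = $trustee
        $sd.DACL += $ace.PSObject.ImmediateBaseObject
        $rc = (Invoke-WmiMethod @wmiArgs -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject).ReturnValue
        if ($rc -ne 0) { Write-Warning "SetSecurityDescriptor returned $rc" } else { Write-Host "ACE added to root\cimv2 on $DomainController" }
    }
}

# 4. The same kind of query the firewall issues, using the service account's
#    own credentials (the scripted equivalent of connecting with WBEMTEST).
#    "The RPC server is unavailable" points at transport; "Access denied"
#    (0x80070005) points at DCOM or namespace permissions.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
try {
    $events = Get-WmiObject -ComputerName $DomainController -Credential $cred -Namespace 'root\cimv2' -ErrorAction Stop `
        -Query "SELECT TimeGenerated, EventCode FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4624" |
        Select-Object -First 5
    $events | Format-Table TimeGenerated, EventCode -AutoSize
} catch {
    Write-Warning "Remote WMI query as $ServiceAccount failed: $($_.Exception.Message)"
}
```

Run it first without -Grant to see which of the four checks fails; only step 1 failing while steps 2 and 3 pass matches the situation in this thread, where the account and namespace were correct and the firewall's management interface simply could not reach the DC's zone.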

If you make the service account a full domain admin, does that change the behavior? If not, it's not a permission issue and there's something up with the WMI implementation on your server.

Tom Piens
PANgurus

Community Team Member

Please be sure to mark this as resolved so others know, maybe even going so far as to put the "solution" in a post and marking that post as an "Accepted Solution" so this is "Marked as resolved".

Thanks! 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L0 Member

Where were you able to add the policy? I am having a similar issue with our backup PA. Our primary is synced successfully.
