05-24-2017 03:47 PM
Hello team,
Customer has configured Credential Phishing with the credential submission method set to Use Domain Credential Filter, and it does not work.
The User-ID agent is configured on the writeable domain controller.
But according to the document below, to enable credential detection you must install the Windows-based User-ID agent on an RODC:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/configure-credenti...
I wanted to verify whether an RODC is mandatory to enable credential detection, or whether it will work on a writeable domain controller.
The output of show user user-id-agent state SVR-DC2 is attached.
Kindly verify regarding the same.
Regards
Banu Priya
05-25-2017 10:45 AM
When you asked the question, I was thinking the RODC was just a suggestion for security reasons, and the link you tagged actually states as such:
"Installing the User-ID agent on an RODC can be useful for a few reasons: access to the domain controller directory is not required to enable credential detection and you can support credential detection for a limited or targeted set of users. Because the directory the RODC hosts is read-only, the directory contents remain secure on the domain controller."
06-18-2018 03:36 PM
I'd like to know the same, for I'd like to implement but I don't want to set up an RODC for the sole purpose of supporting this.
01-15-2020 12:45 PM
Unfortunately, for this feature to work an RODC is required. Starting from Windows Server 2012 (or maybe even 2008), the password hashes are not readable from an AD-joined server and not even on the domain controller itself, even though the password hashes are obviously available there. The only way to read these hashes is on an RODC.
(I received this answer from Palo Alto Support)
01-15-2020 10:41 PM
Yes, I tested the same configuring RODC when it was not working on AD. It worked on RODC only.
06-09-2020 11:55 AM
This is exactly what we needed to know.