Customer has configured Credential Phishing with credential submission method as Use Domain Credential Filter and it does not work
The user id agent is configured on the writeable domain controller
But according to the below document to enable credential detection, must install the Windows-based User-ID agent on an RODC
Wanted to verify if RODC is mandatory to enable credential detection or will it work on writeable domain controller
The output of show user user-id-agent state SVR-DC2 is attached
Kindly verify regarding the same
When you asked the question, I was thinking the RODC was just a suggestion for security reasons, and the link you tagged actually states as such:
"Installing the User-ID agent on an RODC can be useful for a few reasons: access to the domain controller directory is not required to enable credential detection and you can support credential detection for a limited or targeted set of users. Because the directory the RODC hosts is read-only, the directory contents remain secure on the domain controller."
Unfortunately for this feature to work an RODC is required. Starting from windows server 2012 (or maybe even 2008) the password hashes are not readable from an AD joined server and not even on the domaincontroller itself - even obviously the password hashes are available there. The only way to read these hashes is on an RODC.
(I received this answer from PaloAlto Support)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!