05-15-2019 10:32 AM
If you think you will need Windows Server 2019 support for User-ID, ask your PA rep to vote for feature request ID# 11012!
We just upgraded all of our domain controllers organization-wide to Server 2019 only to find out that User-ID does not work with Server 2019 DCs. Now we must replace all of the DCs yet again with Server 2016 DCs in order to use User-ID since there is no expected fix date for this issue.
This request will apparently not make it onto the development roadmap until the issue receives the required number of votes. Server 2019 was released for general availability over 6 months ago and was in pre-release availability prior to that, so lack of support from Palo Alto is disappointing.
05-15-2019 12:08 PM
Hello,
Thanks for the heads up, why not just setup a few 2016 servers with the user-id agent on them or use the builtin PAN agentless approach?
Just hinking out loud so you done have to rebuild DC's.
Regards,
05-15-2019 01:09 PM - edited 05-15-2019 01:13 PM
Palo Alto agentless User-ID also doesn't work for me. Same error.
Having just a few 2016 DCs won't capture logon events for the 2019 DCs since the agent needs to watch the security log on each DC. By necessity the agent has to watch every DC to capture every logon event.
Official Palo Alto OS support page for User-ID is here: https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-a...
05-15-2019 01:19 PM
Since everyone in my company uses outlook, we are pointing at our exchange logs instead. Its a quicker failover it they switch lans' etc.
05-15-2019 01:25 PM
I'm glad that's working for you.
That also brings up the point that according to the documentation, Exchange 2019 also is not supported by User-ID. We are not using Exchange 2019 yet but that method for associating users is not workable for our environment regardless.
05-15-2019 02:50 PM
Hi @GabeC
Did you try the windows event log forwarding? I don't know if this is possible or supported from microsoft, but maybe you could forward the security logs from a win2019 dc to a win2016 server and read the logs from there.
Is your feature request maybe also about Terminal Server Agdnt support on windows 2019?
With every version unfortunately it is the same story. I was already waiting more than one year after the release of win2016 until it was supported by paloalto (ok there it was "only" missing support for secure boot and because of a not properly signed driver the agent was not able to run)
05-15-2019 02:59 PM - edited 05-15-2019 02:59 PM
Thanks for the input. Log forwarding is an interesting solution I hadn't considered, but I don't think we'll go that way. We've started rebuilding DCs at 2016 level which will hopefully solve the problem with the least amount of odd workarounds. We don't use Terminal Services but I'd suspect the same issue to apply there since the Event Log subsystem and Security events should be similar on TS 2019 servers.
The error I am seeing in User-ID logs is "The stub received bad data". No further exposition even at Verbose log level.
I'm sorry to hear that Palo Alto sometimes has issues providing solutions upwards of a year after a fully supported Microsoft OS comes out. This isn't an uncommon scenario.
05-15-2019 03:04 PM
I have added this FR ID to the consolidated list of feature requests here in the community: https://live.paloaltonetworks.com/t5/General-Topics/Feature-Request-List/m-p/209128/highlight/true#M...
05-15-2019 03:29 PM - edited 05-15-2019 03:29 PM
Good news-
First replacement 2016 server is up and User-ID has successfully polled the security log for associations.
05-17-2019 04:38 AM - edited 05-17-2019 04:39 AM
Does this only affect the user-id agent or does it also affect Agentless? I'll still e-mail our rep regardless since it seems like a feature that should surely be in by now!
EDIT - Just saw your earlier reply. This blows - our server team has already been planning on upgrading all DCs to 2019 this summer.
05-17-2019 09:10 AM
With agentless, the user interface claims to be "Connected" but I never get any errors in useridd.log on the firewall and it never populates information. Agentless worked first time on Server 2016.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
