PANOS Integrated UserID with WINRM

nileshgurav · ‎03-24-2023

Hello,

I am trying to configure PANOS(10.1.8) Integrated UserID with Wndows AD 2016 (with Kerberos).

I am getting "Access Denied" status under User Mapping --Server Monitoring

I have validated that user is part of below security groups on AD

Distributed COM Users
Event Log Readers
Remote Management Users
Server Operators

I see below logs

Error: pan_user_id_winrm_query(pan_user_id_win.c:2751): failed to connect to winrm server XXXXXX in vsys 1
Error: pan_user_id_winrm_error(pan_user_id_win.c:2644): HTTP 500: s:Senderw:AccessDeniedAccess is denied. Access is denied.
Error: pan_user_id_winrm_query(pan_user_id_win.c:2795): Connection failed. response code = 500, error: (null) in vsys 1, server=XXXXXX

Reffered below KB Articles/ links but could not get through.

https://live.paloaltonetworks.com/t5/general-topics/best-way-of-doing-user-id-mapping-wmi-winrm-http...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VUICA2&lang=en_US%E2%80%A...

Any inputs will be appreciated.

BPry · ‎03-24-2023

@nileshgurav,

If the user account has been setup properly now you have to move on to looking at Windows Remote Management itself? Has it been setup on the host to actually run, does the firewall have permission to use it or is it restricted, is the listener actually setup properly?

nileshgurav · ‎05-23-2023

This was resolved by giving user account super admin privilage (domain admin ) on AD as last resort.Thank You.

Unlock your full community experience!

PANOS Integrated UserID with WINRM

PANOS Integrated UserID with WINRM

Show your appreciation!