04-18-2019 02:58 AM
Hello,
Microsoft AD under Server Monitoring is showing as 'not connected.'
We would like to use the PAN-OS Integrated User-ID Agent
Output from debug commands show UserID Debug Log is enabled but nothing is logging.
Anyone encountered similar issue?
05-15-2019 04:29 PM
Yes...PA TAC assisted us in resolving the issue. Below is the case notes.
> less mp-log useridd.log
Looking at User-ID logs, there were repeated logs:
2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_log_query(pan_user_id_win.c:1364): log query for sydcwdc01.mainstreambpo.local failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1055): WMIC message from server sydcwdc01.mainstreambpo.local: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
WMI error code 0x80041003 indicates the account does not have permission.
https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/wmi-error-constants
Please check that the service account (mainstreambpo\palocw) is member of Event Log Readers and Distributed COM Users
Some useful commands related to User-ID:
- Restart User-ID service: debug software restart process user-id
- View server monitor statistics: show user server-monitor statistics
Other than the group membership of service account, kindly also check the WMI permission in every DC server being used under Server Monitoring. This WMI permission is local configuration (not replicated).
Agentless User-ID 'Access Denied' Error In Server Monitor
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC
We checked that we have given all the correct permissions on the WMI side for all our DCs.
We asked for a trace to run to figure out what exactly its failing on when it accesses the AD side of things.
PA TAC provided us the following.
Provided that the WMI permissions are set, can you test to do WMI remote connection using wbemtest?
1. In any windows client (domain member), run wbemtest
2. Default namespace is 'root\cimv2', please change to '\\<dcservername>\root\cimv2'
3. Provide username and password (firewall service account), then click Connect
4. Observe if there is error message when wbemtest is trying to connect to DC server
Link: https://blogs.technet.microsoft.com/configmgrdogs/2014/08/20/test-your-collection-wql-queries-using-...
This fixed the issue!
04-18-2019 04:38 AM
did you follow this guide?:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0
04-18-2019 04:42 AM
05-15-2019 09:29 AM
Hello,
Did you find the solution for this issue?
05-15-2019 04:29 PM
Yes...PA TAC assisted us in resolving the issue. Below is the case notes.
> less mp-log useridd.log
Looking at User-ID logs, there were repeated logs:
2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_log_query(pan_user_id_win.c:1364): log query for sydcwdc01.mainstreambpo.local failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1055): WMIC message from server sydcwdc01.mainstreambpo.local: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
WMI error code 0x80041003 indicates the account does not have permission.
https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/wmi-error-constants
Please check that the service account (mainstreambpo\palocw) is member of Event Log Readers and Distributed COM Users
Some useful commands related to User-ID:
- Restart User-ID service: debug software restart process user-id
- View server monitor statistics: show user server-monitor statistics
Other than the group membership of service account, kindly also check the WMI permission in every DC server being used under Server Monitoring. This WMI permission is local configuration (not replicated).
Agentless User-ID 'Access Denied' Error In Server Monitor
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC
We checked that we have given all the correct permissions on the WMI side for all our DCs.
We asked for a trace to run to figure out what exactly its failing on when it accesses the AD side of things.
PA TAC provided us the following.
Provided that the WMI permissions are set, can you test to do WMI remote connection using wbemtest?
1. In any windows client (domain member), run wbemtest
2. Default namespace is 'root\cimv2', please change to '\\<dcservername>\root\cimv2'
3. Provide username and password (firewall service account), then click Connect
4. Observe if there is error message when wbemtest is trying to connect to DC server
Link: https://blogs.technet.microsoft.com/configmgrdogs/2014/08/20/test-your-collection-wql-queries-using-...
This fixed the issue!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
