11-09-2011 10:49 AM
User-ID agent 3.1.0 ran quite happily on our Domain Controller under a regular domain user account (no group membership apart from the default Domain Users, and I guess "Ran as service" was granted automatically during the installation).
The new version of User-ID agent refuses to start the service under that account. No events are logged in Windows Event Log, and none in the UaDebug.txt file either.
Once I granted the service account full access to the "C:\Program Files (x86)\Palo Alto Networks\User-ID Agent" I could see the following errors in the UaDebug file:
11/08/11 23:31:07:575[ Info 1634]: ------------Service is being started------------
11/08/11 23:31:07:575[ Info 1641]: Os version is 6.0.2.
11/08/11 23:31:07:575[Error 510]: Cannot open config reg log key: 5!
11/08/11 23:31:07:575[Error 1659]: Start error -1!!
11/08/11 23:31:07:575[Error 361]: Device listening thread stops timeout!
11/08/11 23:31:07:575[ Info 253]: Log thread stops.
11/08/11 23:31:07:575[ Info 256]: pool(svc pool): thread 5200 exiting
11/08/11 23:31:07:575[ Info 256]: pool(svc pool): thread 3472 exiting
11/08/11 23:31:07:591[ Info 256]: pool(svc pool): thread 5848 exiting
11/08/11 23:31:07:591[ Info 256]: pool(svc pool): thread 5084 exiting
11/08/11 23:31:07:591[ Info 1505]: Service stopped.
11/08/11 23:33:04:279[ Info 1634]: ------------Service is being started------------
The service itself still refuses to start.
My temporary workaround was to add the service account to the Domain Administrators group, but I am not happy with that solution and would like to eventually move the account out of that group (apart from running WMI queries really I see no need for such a high permission level for a service account in this case).
Please advise what other permissions the service account must be granted in order to run successfully.
Cheers,
Arthur
11-09-2011 11:59 AM
Hi Arthur,
I resolved the service account issue (not starting) by adding it to the local administrator group where the UID agent resides.
11-09-2011 12:12 PM
In our case the agent is running on a Domain Controller, which does not have a Local Administrators group by design.
11-09-2011 05:45 PM
Will speak to Development regarding this issue. I will provide feedback upon receipt of their response.
11-16-2011 01:31 PM
I found the same to be true (needed to add to local administrators group). I am hoping to hear this can be relaxed (maybe just some directory permission changes?).
-David
12-07-2011 11:25 PM
I found that problem also in latest version of agent: UaInstall-4.1.1-7.msi
Thank you
12-19-2011 09:13 AM
You should be able to get around the issue by giving the agent account rights to the HKEY_LOCAL_MACHINE\Software\Palo Alto Networks subtree in the system's registry.
02-14-2012 04:41 AM
Had a similar issue and found that the regkey on a 64bit server gets put under HKLM\SOFTWARE\Wow6432Node\Palo Alto Networks
So, rather than making local Administrator, give the service account permissions on the regkey as instructed in the "4.1 User-ID Agent install guide".
Matt
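Added example (not from any poster or from the vendor): a PowerShell sketch of the registry-permission fix discussed in this thread, covering both key locations mentioned above. The trailing 5 in "Cannot open config reg log key: 5!" is consistent with Win32 error 5 (access denied). The account name is a placeholder and the FullControl right is an assumption; the thread does not state the exact rights, so follow the install guide where it differs.

```powershell
# Added example: grant a non-admin service account access to the User-ID agent
# registry subtree instead of placing it in an administrators group.
# Run from an elevated 64-bit PowerShell session on the agent host.
param(
    # Placeholder account name (assumption): replace with the real service account.
    [string]$Account = 'EXAMPLE\svc-useridagent',
    # Assumed right; the thread only says "rights" / "permissions".
    [System.Security.AccessControl.RegistryRights]$Rights = 'FullControl'
)

# Both locations named in the thread: native view and the 32-bit view on 64-bit Windows.
$candidates = @(
    'HKLM:\SOFTWARE\Palo Alto Networks',
    'HKLM:\SOFTWARE\Wow6432Node\Palo Alto Networks'
)

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "Not present, skipping: $path"
        continue
    }

    $acl  = Get-Acl -LiteralPath $path
    # Registry keys are containers, so ContainerInherit propagates the rule to subkeys.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl

    # Read the ACL back so the change is verified rather than assumed.
    Write-Host "Entries for $Account on ${path}:"
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
}
```

Once the service starts under the account with only this grant, the account can be taken back out of the Domain Administrators or local Administrators group.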