User-ID agent 4.1.0 service logon account permissions.


L1 Bithead

User-ID agent 3.1.0 ran quite happily on our Domain Controller under a regular domain user account (no group membership apart from the default Domain Users, and I guess "Ran as service" was granted automatically during the installation).

The new version of User-ID agent refuses to start the service under that account. No events are logged in Windows Event Log, and none in the UaDebug.txt file either.

Once I granted the service account full access to the "C:\Program Files (x86)\Palo Alto Networks\User-ID Agent" I could see the following errors in the UaDebug file:

11/08/11 23:31:07:575[ Info 1634]: ------------Service is being started------------
11/08/11 23:31:07:575[ Info 1641]: Os version is 6.0.2.
11/08/11 23:31:07:575[Error  510]: Cannot open config reg log key: 5!
11/08/11 23:31:07:575[Error 1659]: Start error -1!!
11/08/11 23:31:07:575[Error  361]: Device listening thread stops timeout!
11/08/11 23:31:07:575[ Info  253]: Log thread stops.
11/08/11 23:31:07:575[ Info  256]: pool(svc pool): thread 5200 exiting
11/08/11 23:31:07:575[ Info  256]: pool(svc pool): thread 3472 exiting
11/08/11 23:31:07:591[ Info  256]: pool(svc pool): thread 5848 exiting
11/08/11 23:31:07:591[ Info  256]: pool(svc pool): thread 5084 exiting
11/08/11 23:31:07:591[ Info 1505]: Service stopped.
11/08/11 23:33:04:279[ Info 1634]: ------------Service is being started------------

The service itself still refuses to start.

My temporary workaround was to add the service account to the Domain Administrators group, but I am not happy with that solution and would like to eventually move the account out of that group (apart from running WMI queries really I see no need for such a high permission level for a service account in this case).

Please advise what other permissions the service account must be granted in order to run successfully.

Cheers,

Arthur

Accepted Solutions

You should be able to get around the issue by giving the agent account rights to the HKEY_LOCAL_MACHINE\Software\Palo Alto Networks sub tree on the system's registry....


L6 Presenter

Hi Arthur,

I resolved the service account issue (not starting) by adding it to the local administrator group where the UID agent resides.

In our case the agent is running on a Domain Controller, which does not have a Local Administrators group by design.

Will speak to Development regarding this issue. I will provide feedback upon receipt of their response.

I found the same to be true (needed to add to local administrators group). I am hoping to hear this can be relaxed (maybe just some directory permission changes?).

-David

L4 Transporter

I found that problem also in latest version of agent: UaInstall-4.1.1-7.msi

Thank you

L0 Member

Had a similar issue and found that the regkey on a 64-bit server gets put under HKLM\SOFTWARE\Wow6432Node\Palo Alto Networks.

So, rather than making local Administrator, give the service account permissions on the regkey as instructed in the "4.1 User-ID Agent install guide".

Matt
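
The registry permission change suggested in the replies above, as an added PowerShell example that is not part of the original thread or of Palo Alto Networks' own documentation. It grants one service account access to the agent's key in both locations named in the thread, so the account does not need administrator group membership. The account name is a placeholder, and FullControl is an assumption because the thread only says "rights".

```powershell
# Added example (not from the thread): grant the User-ID Agent service account
# rights on the agent's registry subtree instead of administrator membership.
param(
    # Placeholder account name; replace with the real service account.
    [string]$Account = 'EXAMPLE\svc-useridagent',
    # Assumption: the thread only says "rights"; narrow this if less is enough.
    [System.Security.AccessControl.RegistryRights]$Rights = 'FullControl'
)

# Both locations mentioned in the thread: the native key and the
# 32-bit view that a 64-bit server uses for the agent.
$candidates = @(
    'HKLM:\SOFTWARE\Palo Alto Networks',
    'HKLM:\SOFTWARE\Wow6432Node\Palo Alto Networks'
)

foreach ($key in $candidates) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Host "Skipping (not present): $key"
        continue
    }

    # Add an Allow entry that subkeys inherit, leaving existing entries untouched.
    $acl  = Get-Acl -LiteralPath $key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $key -AclObject $acl

    # Print the resulting entries for the account so the change can be reviewed.
    # The stored name may be normalised (DOMAIN\user), so match on that form.
    (Get-Acl -LiteralPath $key).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
}
```

Run it from an elevated PowerShell session on the host where the agent is installed, then remove the account from the administrators group and restart the service to confirm it still starts.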
