This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

User ID Agent all DCs in connecting (Access is denied) status after migrating from Win 2012 to Win 2019 Server

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User ID Agent all DCs in connecting (Access is denied) status after migrating from Win 2012 to Win 2019 Server

JamshedDayar
L1 Bithead

‎01-07-2024 09:42 PM

Hi all

 

We have installed 10.2 version of UIA in new win 2019 server as our 2012 server would be shutdown soon. The problem is after configuring all the required permissions the agent status overall is connected, but on all our ADs listed in UIA, the status is stuck at connecting and after sometimes we get Access is Denied status as well. The service account used for new UIA is the same as old setup which is working fine on win 2012. 

 

There is a PA in between which has policy to allow such traffic. Surprisingly though the agent is fetching user info from the ADs but we are reluctant to integrate this new setup with PA due to the problem stated above. 

 

We have already tried all the KBs available for such logs/msg like patch upgrade or running it as admin etc etc

 

Anyone can shed a light on how further we can tshoot this problem. 

 

 

The specific error on the log file is

 

Error 115 : Cannot open security log for XYZ. Access is denied.

 

JamshedDayar_1-1704692360221.png

User-ID 

 

 

User-ID
Thumbnail of User-ID
Palo Alto Networks
User-ID
Network Security
View on Product Page
3 people had this problem.
0 Likes Likes
7 REPLIES 7

BPry
Cyber Elite
Cyber Elite

‎01-08-2024 01:45 PM

@JamshedDayar,

I'd verify with whoever is running those servers that you don't have IP restrictions that weren't updated for the 2019 host on the DCs. 

0 Likes Likes

JamshedDayar
L1 Bithead
In response to BPry

‎01-08-2024 09:43 PM

Hi Bpry,

 

Incase of any restrictions, why UIA is still able to fetch all the updated information regarding user to ip mapping. This is the point that is confusing us. Anyway can you elaborate where I can ask the server team to check for these restrictions.

 

0 Likes Likes

Brandon_Wertz
L6 Presenter

‎01-09-2024 06:43 AM

@JamshedDayar wrote:

Hi all

 

We have installed 10.2 version of UIA in new win 2019 server as our 2012 server would be shutdown soon. The problem is after configuring all the required permissions the agent status overall is connected, but on all our ADs listed in UIA, the status is stuck at connecting and after sometimes we get Access is Denied status as well. The service account used for new UIA is the same as old setup which is working fine on win 2012. 

 

There is a PA in between which has policy to allow such traffic. Surprisingly though the agent is fetching user info from the ADs but we are reluctant to integrate this new setup with PA due to the problem stated above. 

 

We have already tried all the KBs available for such logs/msg like patch upgrade or running it as admin etc etc

 

Anyone can shed a light on how further we can tshoot this problem. 

 

 

The specific error on the log file is

 

Error 115 : Cannot open security log for XYZ. Access is denied.

 

JamshedDayar_1-1704692360221.png

User-ID 

 

 

Your comments are a little confusing.  You have UIA installed on 2012 member servers previously.  You have a new 2019 member server that has UIA installed on it.

 

It's the UIA on the 2019 member server that has lets say 10 domain controllers it's monitoring.  Of those 10 ALL of them sometimes say connected and other times ALL of them say access denied?  Or is there a subset of the 10 that will say access denied?

I would agree with @BPry  -- this is usually because of the service account that's running the UIA doesn't have the needed permissions to read the AD event logs on the DC, or maybe the service account isn't running the UIA software like it needs to be.

 

I would follow the UIA deployment process step by step again.  I bet you resolve your issue.

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎01-09-2024 09:04 AM

Hi @JamshedDayar ,

 

I don't know of any Windows issues with the UIA on W2019.  I agree with @Brandon_Wertz that a reinstall of the UIA is your best bet to fix it.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

JamshedDayar
L1 Bithead
In response to Brandon_Wertz

‎01-09-2024 09:41 PM

Hi Brandon,

 

Let me clarify.

 

Currently we have UIA version 8 on our 2012 server which is working fine since ages, status on that for all DCs is connected. no issues

 

Now we are deploying a win 2019 server with newer version of UIA 10.2 but using the same service account thats being already used for 2012 deployment ( so permissions are not an issue imo as that one is working fine )

 

Now on the 2019 server, the UIA agent is running and connected, but on 3 DCs ( screenshot attached in 1st post ) , the status is stuck at connecting and after sometime it is Connecting ( Access is denied ). 

 

We have followed the KB and all local permissions are also granted to service account on new server as well. 

0 Likes Likes

JamshedDayar
L1 Bithead
In response to TomYoung

‎01-09-2024 09:42 PM

Hi Tom,

 

We started with installing 10.2, than moved to version 8 to check if the issue is because of version, than again went for version 11. Nothing resolved the problem.. 

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to JamshedDayar

‎01-10-2024 06:00 AM

@JamshedDayar wrote:

Hi Brandon,

 

Let me clarify.

 

Currently we have UIA version 8 on our 2012 server which is working fine since ages, status on that for all DCs is connected. no issues

 

Now we are deploying a win 2019 server with newer version of UIA 10.2 but using the same service account thats being already used for 2012 deployment ( so permissions are not an issue imo as that one is working fine )

 

Now on the 2019 server, the UIA agent is running and connected, but on 3 DCs ( screenshot attached in 1st post ) , the status is stuck at connecting and after sometime it is Connecting ( Access is denied ). 

 

We have followed the KB and all local permissions are also granted to service account on new server as well. 

Hrmm...If you're saying you've followed all the steps and the service account is running the software, it's possible there could be some weird issue going on, but that likely will need a support case to truly discover.

 

That said my enviornment is a mix of 3200s, 3400s, and 5250s running 10.1.X and 10.2.X PAN-OS.  I've got 4 UIAs targeting 100+ DCs and 1 credential agent.  We're running UIA software version 10.1.0-21 and we don't have any issues monitoring 2019 DCs.  Maybe try downgrading the UIAs to 10.1?

 

Where Can I Install the User-ID Agent?

https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/where-can-i-install-the-user-id...

 

 

Which Servers Can the User-ID Agent Monitor?

https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-a... 

  • 855 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks