User ID Agent all DCs in connecting (Access is denied) status after migrating from Win 2012 to Win 2019 Server

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User ID Agent all DCs in connecting (Access is denied) status after migrating from Win 2012 to Win 2019 Server

L1 Bithead

Hi all

 

We have installed 10.2 version of UIA in new win 2019 server as our 2012 server would be shutdown soon. The problem is after configuring all the required permissions the agent status overall is connected, but on all our ADs listed in UIA, the status is stuck at connecting and after sometimes we get Access is Denied status as well. The service account used for new UIA is the same as old setup which is working fine on win 2012. 

 

There is a PA in between which has policy to allow such traffic. Surprisingly though the agent is fetching user info from the ADs but we are reluctant to integrate this new setup with PA due to the problem stated above. 

 

We have already tried all the KBs available for such logs/msg like patch upgrade or running it as admin etc etc

 

Anyone can shed a light on how further we can tshoot this problem. 

 

 

The specific error on the log file is

 

Error 115 : Cannot open security log for XYZ. Access is denied.

 

JamshedDayar_1-1704692360221.png

User-ID 

 

 

7 REPLIES 7

Cyber Elite
Cyber Elite

@JamshedDayar,

I'd verify with whoever is running those servers that you don't have IP restrictions that weren't updated for the 2019 host on the DCs. 

Hi Bpry,

 

Incase of any restrictions, why UIA is still able to fetch all the updated information regarding user to ip mapping. This is the point that is confusing us. Anyway can you elaborate where I can ask the server team to check for these restrictions.

 

L6 Presenter

@JamshedDayar wrote:

Hi all

 

We have installed 10.2 version of UIA in new win 2019 server as our 2012 server would be shutdown soon. The problem is after configuring all the required permissions the agent status overall is connected, but on all our ADs listed in UIA, the status is stuck at connecting and after sometimes we get Access is Denied status as well. The service account used for new UIA is the same as old setup which is working fine on win 2012. 

 

There is a PA in between which has policy to allow such traffic. Surprisingly though the agent is fetching user info from the ADs but we are reluctant to integrate this new setup with PA due to the problem stated above. 

 

We have already tried all the KBs available for such logs/msg like patch upgrade or running it as admin etc etc

 

Anyone can shed a light on how further we can tshoot this problem. 

 

 

The specific error on the log file is

 

Error 115 : Cannot open security log for XYZ. Access is denied.

 

JamshedDayar_1-1704692360221.png

User-ID 

 

 


Your comments are a little confusing.  You have UIA installed on 2012 member servers previously.  You have a new 2019 member server that has UIA installed on it.

 

It's the UIA on the 2019 member server that has lets say 10 domain controllers it's monitoring.  Of those 10 ALL of them sometimes say connected and other times ALL of them say access denied?  Or is there a subset of the 10 that will say access denied?

I would agree with @BPry  -- this is usually because of the service account that's running the UIA doesn't have the needed permissions to read the AD event logs on the DC, or maybe the service account isn't running the UIA software like it needs to be.

 

I would follow the UIA deployment process step by step again.  I bet you resolve your issue.

Cyber Elite
Cyber Elite

Hi @JamshedDayar ,

 

I don't know of any Windows issues with the UIA on W2019.  I agree with @Brandon_Wertz that a reinstall of the UIA is your best bet to fix it.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Brandon,

 

Let me clarify.

 

Currently we have UIA version 8 on our 2012 server which is working fine since ages, status on that for all DCs is connected. no issues

 

Now we are deploying a win 2019 server with newer version of UIA 10.2 but using the same service account thats being already used for 2012 deployment ( so permissions are not an issue imo as that one is working fine )

 

Now on the 2019 server, the UIA agent is running and connected, but on 3 DCs ( screenshot attached in 1st post ) , the status is stuck at connecting and after sometime it is Connecting ( Access is denied ). 

 

We have followed the KB and all local permissions are also granted to service account on new server as well. 

Hi Tom,

 

We started with installing 10.2, than moved to version 8 to check if the issue is because of version, than again went for version 11. Nothing resolved the problem.. 


@JamshedDayar wrote:

Hi Brandon,

 

Let me clarify.

 

Currently we have UIA version 8 on our 2012 server which is working fine since ages, status on that for all DCs is connected. no issues

 

Now we are deploying a win 2019 server with newer version of UIA 10.2 but using the same service account thats being already used for 2012 deployment ( so permissions are not an issue imo as that one is working fine )

 

Now on the 2019 server, the UIA agent is running and connected, but on 3 DCs ( screenshot attached in 1st post ) , the status is stuck at connecting and after sometime it is Connecting ( Access is denied ). 

 

We have followed the KB and all local permissions are also granted to service account on new server as well. 


Hrmm...If you're saying you've followed all the steps and the service account is running the software, it's possible there could be some weird issue going on, but that likely will need a support case to truly discover.

 

That said my enviornment is a mix of 3200s, 3400s, and 5250s running 10.1.X and 10.2.X PAN-OS.  I've got 4 UIAs targeting 100+ DCs and 1 credential agent.  We're running UIA software version 10.1.0-21 and we don't have any issues monitoring 2019 DCs.  Maybe try downgrading the UIAs to 10.1?

 

Where Can I Install the User-ID Agent?

https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/where-can-i-install-the-user-id...

 

 

Which Servers Can the User-ID Agent Monitor?

https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-a... 

  • 2677 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!