User ID agent not starting.


L1 Bithead

I am setting up a backup user-id agent 8.1.10-2 on a Windows 2016 Standard server.

I have given all the required access to the user-id agent admin account, but it's not working / refusing to start.

I am using the same credential on existing UID agent 7.0.8-13 running on Windows 2008 R2 and it runs fine.

 

I am attaching the error message shown when starting the UID service and the corresponding log generated in the UID logs.

Capture.JPG

UID Log


09/05/19 09:42:52:190[ Info 2357]: ------------Service is being started------------
09/05/19 09:42:52:190[ Info 2364]: Os version is 6.2.0.
09/05/19 09:42:52:190[Error 675]: Cannot open config reg log key with error 5(Access is denied.
)!
09/05/19 09:42:52:190[Error 2382]: Start error -1!!
09/05/19 09:42:52:190[Error 764]: Device listening thread stops timeout

Accepted Solutions

L0 Member

Please note that Palo Alto has a mistake in the latest versions of the documentation. 

 

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/map-ip-addresses-to-users/configu...

 

Step 1, Section 4, Bullet 1 - 

  • Run regedt32 and navigate to the Palo Alto Networks sub-tree in the following location: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks 
It should read
  • Run regedt32 and navigate to the Palo Alto Networks sub-tree in the following location: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks

This cost me about 4 hours this evening trying to figure out why I was getting the same "Cannot open config reg log key with error 5(Access is denied." error. Hopefully it saves someone else some time in the future. The other article referenced above does say it could be "EITHER" of these two locations. However, for me that was incorrect. I stopped looking when I found the first location, but both registry locations actually existed. The first one is related to Global Protect and appears to have no effect on the User ID Agent service. I am running it by only setting permissions on the second location I provided.

 
I will attempt to contact Palo Alto Networks to have them update the official documentation.

10 REPLIES

L0 Member

I have exactly the same issue on a Windows Server 2019 member server.  How was this issue resolved? @Nischal 

L0 Member

https://supportcases.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEuCAK

 

Please follow the instructions in the URL provided. It did resolve my issue. 

L6 Presenter

Hey, please check if user-id has administrator-level access on the server. I have faced the same issue, and it was resolved by giving the required access level to user-id on the server.

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Do you mind sharing the details of your case file here?

L0 Member

L0 Member

The resolution in my case was to provision local admin rights to the service account.  I hope this helps. 

L0 Member

Hello Guys,

Facing the same issue on my User-ID agent software. Unable to start the service. All the admin access is provided.

Any resolution?

L0 Member

This is the fix! Thank you Stephan!

  • Give the service account permissions to the User-ID Agent registry sub-tree:
  • Run regedt32 and navigate to the Palo Alto Networks sub-tree in the following location: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks.
  • Right-click the Palo Alto Networks node and select Permissions.
  • Assign the User-ID service account Full Control and then click OK to save the setting.

A thousand blessings upon you!
You rock
Thank ya
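
The regedt32 permission steps quoted in this thread, scripted in PowerShell as an added example (not from the thread or from Palo Alto Networks). It assumes an elevated 64-bit PowerShell session; the account name `EXAMPLE\svc-userid` and the `-Grant` switch are hypothetical.

```powershell
# Added example, not Palo Alto Networks code. Run from an elevated 64-bit PowerShell prompt.
# $Account is a placeholder: substitute your User-ID agent service account.
param(
    [string]$Account = 'EXAMPLE\svc-userid',   # hypothetical account name
    [switch]$Grant                             # without -Grant the script only reports
)

# Both locations mentioned in the thread; the accepted answer found only the second one mattered.
$keys = @(
    'HKLM:\SOFTWARE\Palo Alto Networks',
    'HKLM:\SOFTWARE\WOW6432Node\Palo Alto Networks'
)

$full = [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "MISSING  $key"
        continue
    }

    $acl = Get-Acl -LiteralPath $key
    # Allow entries that name the account directly (group membership is not resolved here).
    $hasFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full
    }
    Write-Output ("{0}  {1}" -f $(if ($hasFull) { 'OK     ' } else { 'NO ACE ' }), $key)

    if ($Grant -and -not $hasFull -and $key -like '*WOW6432Node*') {
        # Same effect as Permissions > Full Control in regedt32, applied to the key and its subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $key -AclObject $acl
        Write-Output "GRANTED  $key"
    }
}
```

Run it once without `-Grant` to see which key exists and which one lacks an entry for the service account before changing anything.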
