04-10-2017 01:19 AM
Hello,
We have configured Captive Portals with LDAP on a Windows Server and it works perfectly fine, but now we have planned to add another, different domain in the LDAP & User-ID configuration, and we have some problems which indicate access denied.
After running the command less mp-log useridd.log, it shows the following response at the end of the lines. Please share if anyone has faced the same. Can we configure the User ID Agent on 2 different domains?
Example of different domains (Domain A: Google.com /// Domain B: Amazon.com), where Domain B is the child domain of Domain A and all of the users from Domain B are shown as Domain A.
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_sess_query(pan_user_id_win.c:1463): session query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_ssl_conn_open(pan_ssl_utils.c:615): pan_tcp_sock_open() failed; errno=115
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
04-10-2017 08:23 AM
Wanted to post that I moved this discussion from the "Feedback Forum" to the "General Discussion" area, as the Feedback Forum should only be used for Feedback that you have for the Live Community, not any technical questions.
Thanks!
04-10-2017 09:02 AM - edited 04-10-2017 09:06 AM
I have a single UserID Agent running under Windows server accessing several domains.
But unfortunately, when it comes to using UserID in policy, because it accesses AD via LDAP, we had to create a separate account in each domain.
I could not find a way around it.
if that answers your question
04-10-2017 10:40 AM - edited 04-10-2017 10:42 AM
My company has done the same as @bradk14. I've got UIA using a service account in the "main" AD domain. There is a trust between another forest. So a single instance of UIA with a service account in my main domain can pull logs from multiple domains / forests.
For actual security group enumeration I've got unique LDAP profiles for each domain with service accounts in their respective domains. This allows enumeration of the required security groups and association of those groups in a security rule.
04-10-2017 04:40 PM
Hi ghafar,
Are you running Agentless or Agent-based user-id setup?
If agentless, check useridd.log. If agent-based, check the logs on the agent itself.
From the logs you attached, it seems you have a server configured in Server Monitoring which is showing 'Access Denied'. Is that correct?
Regards,
Anurag
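A way to triage the useridd.log output discussed above, as an added example that is not part of the original thread or any Palo Alto tooling: it groups failed queries by monitored server, query type and NTSTATUS, and keeps socket errors separate. The sample lines are constructed in the format quoted in the first post; the function names `summarize` and `denied_servers` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, in the line format quoted in the first post of this thread.
SAMPLE = """\
pan_user_id_win_log_query(pan_user_id_win.c:1314): log query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_get_error_status(pan_user_id_win.c:1031): WMIC message from server DC3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_user_id_win_sess_query(pan_user_id_win.c:1463): session query for DC3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
pan_ssl_conn_open(pan_ssl_utils.c:615): pan_tcp_sock_open() failed; errno=115
"""

# "<func>(<file>:<line>): <message>"; any prefix before <func> is tolerated (assumption).
LINE_RE = re.compile(r"(?P<func>\w+)\((?P<src>[\w.]+):(?P<line>\d+)\):\s*(?P<msg>.*)$")
# "log query for DC3 failed: NTSTATUS: NT_STATUS_X - text"
QUERY_RE = re.compile(
    r"^(?P<kind>\w+) query for (?P<server>\S+) failed: NTSTATUS: (?P<status>NT_STATUS_\w+)")
ERRNO_RE = re.compile(r"errno=(?P<errno>\d+)")

def summarize(text):
    """Count failed queries per (server, kind, NTSTATUS) and socket errors per (func, errno)."""
    queries, sockets, unparsed = Counter(), Counter(), 0
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            unparsed += bool(raw.strip())  # count non-empty lines we could not parse
            continue
        q = QUERY_RE.match(m["msg"])
        if q:
            queries[(q["server"], q["kind"], q["status"])] += 1
        elif (e := ERRNO_RE.search(m["msg"])):
            sockets[(m["func"], int(e["errno"]))] += 1
        # "WMIC message from server" lines restate the preceding failure; not counted again.
    return queries, sockets, unparsed

def denied_servers(queries):
    """Servers whose failed queries were all access-denied: the server answered and refused."""
    by_server = {}
    for (server, _kind, status), _n in queries.items():
        by_server.setdefault(server, set()).add(status)
    return sorted(s for s, st in by_server.items() if st == {"NT_STATUS_ACCESS_DENIED"})

if __name__ == "__main__":
    q, s, u = summarize(SAMPLE)
    for key, n in sorted(q.items()):
        print(n, *key)
    print("socket errors:", dict(s), "unparsed:", u)
    print("access denied on:", denied_servers(q))
```

A server listed by `denied_servers` points at the monitoring account's rights on that domain controller, which is where the replies in this thread about per-domain service accounts and trusts apply.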
04-10-2017 09:11 PM
Thanks for the idea. The problem here is that the Systems Team is telling us the new domain is a child domain of the old domain, which has already been integrated with the PA FW.
Whenever we check logs for a specific domain, it is showing the new domain logs as well, but under the old domain which is integrated with the firewall. Support is telling us the user logs in to their own domain but the logs are under another domain...
Domains are different and servers are different. I have found links on the Palo Alto website, but they indicate the domains as
A1.abc.com
A2.abc.com
A3.com
but our scenario is like below with completely different DNSs.
abc1.com
xyz.com
04-11-2017 05:32 AM
@Ghafar wrote:
...
but our scenario is like below with completely different DNSs.
abc1.com
xyz.com
Sorry maybe I wasn't exactly clear. What you're describing here is exactly what I'm doing in my deployment. I'm not an MCSE by any stretch, but I'm using this terminology (hopefully correctly) because the distinction is important.
I have two unique "Forests" (abc.com / 123.com). Under each of these forests there are child domains. There is a domain trust established between these two "root" forest domains.
In my 'abc.com' "main" domain I have my UIA servers, which utilize a service account which exists ONLY in my abc.com domain. This service account is able to read DC logs across both forests and child domains.
I then have unique LDAP profiles created on the firewall for each of the unique domains. These LDAP profiles utilize service accounts which exist only in their respective domains. This piece allows the firewall to enumerate "walk" the domains and utilize the security groups / user IDs desired in the various security policy rules.
I hope that clarified a bit what I was trying to explain before.
09-27-2017 02:00 PM
Thanks Brandon,
I am also working on the solution which you have done before. Could you please give me some idea of how you have achieved this, so that I can try the same?
04-15-2018 11:46 PM
After my discussions with Palo Alto TAC, they have mentioned that we can configure User-ID on a single domain with other child domains only, so we cannot integrate 2 completely different domains...