05-21-2013 01:44 PM
Hi All,
I'm running an agent-based User-ID setup against three AD DCs and two Exchange CAS servers. Unfortunately, despite having the Event Log Reader permission, I cannot seem to get data from the Exchange servers. I am successfully getting data from the DCs, but the Exchange servers always show either Connecting or Connecting (A required privilege is not held by the agent.). Any ideas on whether or not Exchange requires additional permissions?
Thanks,
John
05-26-2013 03:08 AM
https://live.paloaltonetworks.com/message/15865#15865
Be aware that only OWA connections can be used; due to an Exchange limitation there is no POP3 or IMAP user connection information.
06-26-2013 11:02 AM
I am also having this issue. I have a case open with support but there is no resolution yet. I am using User-ID agent 5.0.5 and can connect to domain controllers just fine. The Exchange server connections show "Connecting (A required privilege is not held by the agent.)". I am attempting to connect to Exchange 2010.
Any thoughts?
06-26-2013 11:08 AM
Wish I had something to add. That's the exact problem I'm having, though I'm using 5.0.4. Please let me know what you find out!
06-26-2013 11:14 AM
The closest thing I can find is this:
Scroll all the way to the bottom:
"Ending up not being able to use the event log viewers group and had to add the account to administrators group."
Perhaps Exchange 2010 doesn't use the "Event Log Readers" group...
06-26-2013 11:19 AM
Huh... my AD/Exchange guy swears up and down this shouldn't be required and that Event Log Readers should be fine...
06-26-2013 11:22 AM
Have you had a chance to look at this doc?
06-26-2013 11:22 AM
I agree. PAN support wanted me to add the service-account to the local admin group on the Exchange servers. I refused and asked him to provide me documentation that this is required. Least privilege model... right?
06-26-2013 11:25 AM
I have. The only difference between that doc and our deployment is Server Operators, which won't fly with our AD guys. The Exchange monitoring, which is not outlined in that document at all, works fine without Server Operators.
06-26-2013 11:26 AM
Totally concur. That's not a valid answer for me.
06-26-2013 11:28 AM
Definitely followed the document. My service-account is part of "event log readers" and "server operators." As said before, the User-ID agent works fine with domain controllers. Something is odd with the connection to Exchange servers.
07-10-2013 12:39 PM
John,
I sat down and worked with my Exchange admin. He added my service account to the Exchange server's local "event log readers" group. Bam, user-ID agent is now connected. I haven't dug through the data yet but at least it resolves the error I was receiving. Hope this helps.
Charlie
07-19-2013 02:49 PM
Thanks Charlie,
I'll talk to my AD/Exchange guy next week and see if that does the trick.
John
06-03-2015 08:06 AM
The documentation for the built-in PAN-OS user-ID agent appears to be incomplete. Here is what I had to do in order to get it to work for our Exchange 2010 CAS servers:
I did not have to add the service account to the domain "Server Operators" or "Domain Admins" groups or local "Power Users" or "Administrators" groups as I have seen suggested in some places.
The second step appears to be the sticky part as the documentation just says to add the user to the built-in groups. Many probably (and I did) assume that means the groups that are built into the Active Directory domain. While membership in those Active Directory groups is in fact required in order to have the built-in user-ID agent successfully monitor Active Directory domain controllers, membership in those groups does not grant that same membership in the local group equivalents on other domain member servers, including Exchange servers.
So, if you want the built-in user-ID agent to monitor both domain controllers and Exchange CAS servers, it has to be a member of both the domain "Event Log Readers" and "Distributed COM Users" groups and the same local group equivalents on the Exchange CAS servers themselves.
I hope this helps others.
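An added example, not code from the thread or from Palo Alto Networks, that checks the local group memberships the reply above describes on each Exchange CAS server and optionally adds the missing ones, so the account never needs local Administrators. The account name, domain prefix and server names are assumptions.

```powershell
# Added example: verify that the User-ID service account is a direct member of
# the local "Event Log Readers" and "Distributed COM Users" groups on each CAS
# server. Assumed names below; replace them with your own.
param(
    [string]$ServiceAccount = 'CORP\svc-userid',        # assumed account
    [string[]]$CasServers   = @('EXCAS01', 'EXCAS02'),  # assumed CAS hosts
    [switch]$Remediate                                  # add missing memberships
)

$RequiredGroups = @('Event Log Readers', 'Distributed COM Users')
$domain, $user  = $ServiceAccount -split '\\', 2

function Get-LocalGroupMemberPaths {
    param([string]$Server, [string]$Group)
    # The WinNT ADSI provider is available on the Windows Server 2008 R2 hosts
    # that Exchange 2010 runs on, which predate Get-LocalGroupMember.
    $grp = [ADSI]"WinNT://$Server/$Group,group"
    $grp.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$report = foreach ($server in $CasServers) {
    foreach ($group in $RequiredGroups) {
        # Only direct members are listed; membership in the domain group of the
        # same name does not appear here, which is the trap the reply describes.
        $members = Get-LocalGroupMemberPaths -Server $server -Group $group
        $present = $members -contains "WinNT://$domain/$user"
        if (-not $present -and $Remediate) {
            $grp = [ADSI]"WinNT://$server/$group,group"
            $grp.Add("WinNT://$domain/$user,user")
            $present = $true
        }
        [pscustomobject]@{ Server = $server; LocalGroup = $group; Member = $present }
    }
}

$report | Format-Table -AutoSize
```

A row with Member = False on a server that reports "A required privilege is not held by the agent" points at the missing local membership; rerunning with -Remediate adds it, which requires rights to manage local groups on that host.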