User Mapping - AD access denied

JoHyeonJae · ‎02-07-2023

Hello all,

You are using Microsoft Active Directory, but you receive the following error log:

Useridd.log
>

Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:00.114 +0900 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288) : WMIC message from server AD_3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:01.111 +0900 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_2 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:01.111 +0900 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_2: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:02.114 +0900 2023-02-08 06:54:02.114 +0900 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_3 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:02.114 +0900 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_1 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:02.114 +0900 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_1: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:03.114 +0900 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_2 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:03.114 +0900 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_2: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:04.115 +0900 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for AD_1 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:04.115 +0900 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server AD_1: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

These issues occur even if AD settings are checked and changed based on the link below.
>https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0

Has anyone experienced and solved these issues?

TomYoung · ‎02-07-2023

Hi @JoHyeonJae ,

You need to look at the security event viewer on your AD server to see the specific reason the access is denied.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

JoHyeonJae · ‎02-08-2023

@TomYoung

I have looked through the security event viewer on the Server side.

But, there was no evidence to cause it. Is there anything else I can check?

And I found the following article while tracking the error log that occurred. Is it not related to the issue that occurred?

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-...

TomYoung · ‎02-08-2023

Hi @JoHyeonJae ,

So you see the DCOM error on the server? It will be in the system event viewer. Thank you for that URL. It has been updated since I last looked. It looks like this issue -> https://live.paloaltonetworks.com/t5/general-topics/user-identification-and-winrm-on-http/m-p/481674. It sounds like if you apply the patch you will be good, but it may be disabled next month. I think PANW will need to provide a fix by then. Please let me know what you find.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

JoHyeonJae · ‎02-13-2023

@TomYoung

After I went through the log, the error log number generated by the customer PA is 1288,1603 and the error log number written in the URL is 1587,1272.

2023-02-08 06:54:00.114 +0900 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288) : WMIC message from server AD_3: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
2023-02-08 06:54:01.111 +0900 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603😞 log query for AD_2 failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

Can the same issue occur in this case?

Additionally, the customer is using the KB5015808.

Unlock your full community experience!

User Mapping - AD access denied

User Mapping - AD access denied

Show your appreciation!