Windows Server 2003 with Agentless User ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows Server 2003 with Agentless User ID

L0 Member

Hi guys,

 

I am setting up agentless user-id with Windows Server 2003 Active Directory. My PAN-OS version is 8.1.16.

 

For the setup, i've followed the guide here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0

 

Currently i am being hit by this error message:

codemsittc_0-1610365644609.png

When I looked up for NT error code 0xc002001b, it shows that RPC had failed.

Requesting for any experts for help on this error.

 

Below are some configurations screenshots that i've done following the guide mentioned above.

1) Creation of service account on the AD with the correct members:

codemsittc_1-1610366073752.png

2) Because it is Windows Server 2003, and does not have "Event Log Readers" in the member group, the panagent service account was added to the group policy below:

codemsittc_3-1610366486241.png

 

3) Panagent permission:

codemsittc_2-1610366325671.png

 

4) Basic config on the palo alto for the agentless user id:

codemsittc_4-1610366632092.png

5) I've also permitted related firewall rules to allow the connection to pass successfully. I do not see any traffic being blocked for traffic between these two IPs. TCP 135, 4266, 389 were permitted.

codemsittc_5-1610366896026.png

6) Other configurations that i've done (forgotten to capture screenshots):

- Service route for User ID set to Eth 1/1 (where AD is located)

- Enable User ID identification for the Zone.

- Tried resetting passwords for the panagent and trying again but still not working.

 

With all these configurations, i am still unable to get the "Status" to show "Connected".

NOTE: I've tried WBEMTEST to test the WMI connection towards the Windows Server 2003 Active Directory (AD) server and it connects without any issue.

 

 

PS: apologies for the blur screenshots.

2 REPLIES 2

Cyber Elite
Cyber Elite

@codemsittc,

The WMIC error you are getting is almost always permissions related on the account being used to read the logs, but 2003 can also run into a memory allocation error that you'll want to watch for even when you get this working. You really shouldn't be setting this up on a machine that hasn't been supported for years.

There's a specific process you need to go through to give non-admin accounts in 2003 the ability to read event logs, I don't think it's as easy as simply plugging them into some GPO. If memory serves properly you actually need to go in and modify some registry settings and the like to get it to function properly. 

 

 

@BPry 

 

Thanks for the inputs.

Any idea what registry setting we are looking at? Or maybe where can i find these information? 

 

Totally agree with not setting it up with old and unsupported servers. However, auditors are tight on us, and justifications just got pushed down.

Would still need to get this set up done regardless.

  • 2606 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!