WMI access denied in System Logs but Device > User Identification shows connected on all DC's

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

WMI access denied in System Logs but Device > User Identification shows connected on all DC's

L3 Networker

Hello,

 

I've seen on my Palo Alto 3220 system logs dashboard applet a ton of Access Denied messages regarding our domain controllers.  However if I go over to Device > User Identification, all 4 of our DC's there are listed as connected in green.  All 4 are Microsoft Active Directory, WinRM-HTTP.  If they are green and connected there, why am I seeing errors in the system logs?

 

01/26 14:29:58 Server monitor dcname(vsys1) is connected

01/26 14:29:58 Server monitor dcname(vsys1): connection failed, HTTP code 500, s:Receiverw:InternalErrorThe WS-Management service cannot process the request. The WMI service returned an 'access denied' error. 200The WS-Management service cannot process the request. The WMI service returned an 'access denied' error. H

3 REPLIES 3

L3 Networker

show user ip-user-mapping all showed valid user to IP mappings.

show user server-monitor statistics showed 4 DC's in the connected state, but if you kept running that command over and over you'd see a random DC go to not connected, then access denied, then connected again.  The windows program WBEMTEST with the same service account credentials we use against the DC's launched with no issue.

 

We changed them from WinRM-HTTP to WMI and committed, and no issues since.

 

There's no problem with it on WMI, that's ok to have it set to that method if it works right?

Maybe check the article below and also you may double check the DC config itself as only WBEMTEST may not be enough, also check for network flapping or bottleneck issues or firewall CPU/Memory issues as the integrated WMI agent is causing cpu/memory issues to the firewall. Also the trust between the 4 DC could be in some cases not configured correctly.

 

Agentless User-ID 'access denied' Error in Server Monitor - Knowledge Base - Palo Alto Networks

 

 

Also check for known issues for your firewall version or addresses issues for the versions after your version. Example:

 

Known Issues (paloaltonetworks.com)

 

PAN-OS 9.1 Addressed Issues (paloaltonetworks.com)

L1 Bithead

>> mp useridd.log 2022-07-22 05:53:28.324 +0400 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for server1.local failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

>>mp useridd.log 2022-07-22 05:53:28 2022-07-22 05:53:28.324 +0400 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server server1.local: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied


We checked this issue further and found the reason as a recent patch release from Microsoft KB5004442 which impacts the WMI transport service used from the FW side.
We checked the same with the Server Team and could correlate the patch installation and the mapping failure timestamps.
A detailed description of the issue along with the resolution is provided in the articles below: 
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA

  • 13826 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!