01-26-2022 11:30 AM
Hello,
I've seen on my Palo Alto 3220 system logs dashboard applet a ton of Access Denied messages regarding our domain controllers. However if I go over to Device > User Identification, all 4 of our DC's there are listed as connected in green. All 4 are Microsoft Active Directory, WinRM-HTTP. If they are green and connected there, why am I seeing errors in the system logs?
01/26 14:29:58 Server monitor dcname(vsys1) is connected
01/26 14:29:58 Server monitor dcname(vsys1): connection failed, HTTP code 500, s:Receiverw:InternalErrorThe WS-Management service cannot process the request. The WMI service returned an 'access denied' error. 200The WS-Management service cannot process the request. The WMI service returned an 'access denied' error. H
01-26-2022 01:01 PM - edited 01-26-2022 01:02 PM
show user ip-user-mapping all showed valid user to IP mappings.
show user server-monitor statistics showed 4 DC's in the connected state, but if you kept running that command over and over you'd see a random DC go to not connected, then access denied, then connected again. The windows program WBEMTEST with the same service account credentials we use against the DC's launched with no issue.
We changed them from WinRM-HTTP to WMI and committed, and no issues since.
There's no problem with it on WMI, that's ok to have it set to that method if it works right?
01-30-2022 12:46 AM - edited 01-30-2022 12:49 AM
Maybe check the article below and also you may double check the DC config itself as only WBEMTEST may not be enough, also check for network flapping or bottleneck issues or firewall CPU/Memory issues as the integrated WMI agent is causing cpu/memory issues to the firewall. Also the trust between the 4 DC could be in some cases not configured correctly.
Agentless User-ID 'access denied' Error in Server Monitor - Knowledge Base - Palo Alto Networks
Also check for known issues for your firewall version or addresses issues for the versions after your version. Example:
Known Issues (paloaltonetworks.com)
07-22-2022 01:49 AM
>> mp useridd.log 2022-07-22 05:53:28.324 +0400 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1603): log query for server1.local failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
>>mp useridd.log 2022-07-22 05:53:28 2022-07-22 05:53:28.324 +0400 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1288): WMIC message from server server1.local: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
We checked this issue further and found the reason as a recent patch release from Microsoft KB5004442 which impacts the WMI transport service used from the FW side.
We checked the same with the Server Team and could correlate the patch installation and the mapping failure timestamps.
A detailed description of the issue along with the resolution is provided in the articles below: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
