Hi, new to PA here. We just got the firewall and I'm trying to figure out what is the best way to set up User-ID mapping. I don't want to install any agents on the domain controllers and the goal is users can access Internet as long as they log into their computers with their Windows credentials, no other login required. From the User-ID screen, under server monitoring section, there are 3 options to connect to the servers: WMI, winrm-http, winrm-https. What is the best way of doing it? I tried with WMI and it seems to be able to map users but for winrm-http I keep getting access denied under status tab. Also how does kerberos and NTLM play in User-ID mapping? Do they work together with WMI/winrm-http or they are different approaches? Thanks.