Hi all. Running in a Windows domain with Server 2019 DCs. I set up the firewall to use the PAN-OS Integrated User-ID agent using Kerberos and WinRM-http using the TechDoc for guidance, and was also running into the "Access Denied" error (HTTP 500: s:Senderw:AccessDeniedAccess is denied. Access is denied.). After some troubleshooting on the server, I determined that the service account was authenticating successfully using Kerberos, but was failing when submitting the WQL query to pull the user/IP data.
An error was encountered while processing an operation.
Error Code: 5
Error String:<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="dc.mydomain.com"><f:Message>Access is denied. </f:Message></f:WSManFault>
In the end, I figured out that the service account needs to belong to the 'Remote Management Users' group in AD to allow WinRM connections from the firewall to query WMI. This is because the service account (as configured per the TechDoc) is not an administrator on the domain, and by default PowerShell Remoting requires admin privileges.
There could be negative security implications to granting the service account this level of access. I have not looked into this issue yet, but additional restrictions may be needed to ensure that this account can't be abused.
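The group fix and the follow-up concern described in the post above, as an added PowerShell example that is not part of the original post or the TechDoc. The account name `svc-userid`, the list of privileged groups, and the `Win32_OperatingSystem` test query are assumptions; it needs the ActiveDirectory module and rights to edit the group.

```powershell
# Added example (not from the original post). Run from an admin workstation with RSAT.
Import-Module ActiveDirectory

$Account = 'svc-userid'              # hypothetical service account name (assumption)
$Group   = 'Remote Management Users' # group named in the post
$DC      = 'dc.mydomain.com'         # DC name as it appears in the WSManFault

$user = Get-ADUser -Identity $Account -Server $DC

# 1. Add the account to the group only if it is not already a member
#    (directly or through a nested group).
$isMember = Get-ADGroupMember -Identity $Group -Server $DC -Recursive |
    Where-Object { $_.SID.Value -eq $user.SID.Value }
if ($isMember) {
    Write-Output "$Account is already in '$Group'"
} else {
    Add-ADGroupMember -Identity $Group -Members $user -Server $DC
    Write-Output "Added $Account to '$Group'"
}

# 2. Least-privilege audit: resolve every group the account is in, including
#    nested membership (LDAP_MATCHING_RULE_IN_CHAIN), and flag privileged ones.
#    The primary group (normally Domain Users) is not returned by this filter.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators' # assumed list
$filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$groups = Get-ADGroup -LDAPFilter $filter -Server $DC
$groups | Sort-Object Name | Select-Object Name, GroupScope | Format-Table -AutoSize

$hits = $groups | Where-Object { $privileged -contains $_.Name }
if ($hits) {
    Write-Warning "$Account is in privileged group(s): $($hits.Name -join ', ')"
} else {
    Write-Output "$Account holds no membership in the checked privileged groups"
}

# 3. Confirm the WinRM + WMI path with the account's own credentials.
#    The class queried is a sample, not the WQL the firewall sends.
$cred = Get-Credential -UserName $Account -Message 'Service account password'
$session = New-CimSession -ComputerName $DC -Credential $cred -Authentication Kerberos
try {
    Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem |
        Select-Object CSName, Caption
} finally {
    Remove-CimSession -CimSession $session
}
```

If step 3 still returns "Access is denied" after the group change, the remaining gap is in the WMI permissions the account holds rather than in WinRM access.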