02-22-2022 03:18 AM
Hello, I'd like to request some advice on trying to shift away from WMI to WinRM-HTTP/S based User-ID.
I followed the set-up guide by Palo and User-ID server monitoring is able to connect to the domain controller over WinRM-HTTP, but only every hour. If I set session monitoring to something less than 3600 seconds, each attempt by the user-id service to get data from the DC is registered as the following error:
2022-02-21 23:51:04.488 -0500 Error: pan_user_id_winrm_query(pan_user_id_win.c:2736): failed to connect to winrm server http1 in vsys 1
2022-02-21 23:51:04.488 -0500 Error: pan_user_id_winrm_query(pan_user_id_win.c:2780): Connection failed. response code = 401, error: (null) in vsys 1, server=http1.
Then at the hour from the last successful connect it will connect again and get the data from the DC. So the system logs look like this with session monitor set to 20 minutes:
01:35 - Server monitor connected
01:50 - Server monitor connection failed, HTTP code 401, (null)
02:10 - Server monitor connection failed, HTTP code 401, (null)
02:30 - Server monitor connection failed, HTTP code 401, (null)
02:35 - Server monitor connected
Does anyone know if there are more settings that need to be set on the DC that are not in the documentation?
I did not see any logs of use on the DC side that would clarify the issue.