About BrandonStiefel1

BrandonStiefel1 · ‎04-26-2021

After posting this I did try the WBEMTEST and get an error that "The Remote procedure call failed and did not execute." So I'm thinking the issue is something to do with WMI not correctly running on the domain controller. Our Domain Controller is Server Core, so I can't directly modify the WMI permissions. If I use a server with a GUI and connect to the WMI properties, I only get the "root" and not the full structure where you can set the root/cimv2 settings. I did however find a powershell script that works to set those permissions, but from my test it looks like something still isn't set correctly. I've restarted the WMI services on the Domain Controller, but no luck with it fixing the issue. I do get a successful login event on the domain controller for the service account I'm using.

BrandonStiefel1 · ‎04-26-2021

EDIT: I have resolved my issue... adding this in case someone runs into the same issue I did. Basically, I'm an idiot lol. Issue was because my AD servers are in a security zone and I needed to add a security policy that allowed the management IP address of the Palo into the AD Zone. Once that was added, I get a connected status in Server Monitoring and User ID mapping is now working. I am completely at a loss on how to make agentless User-ID work from my PA 850, running 9.1.8. I have followed ALL of the instructions, including that verifying the service account is in the Distributed COM Users, Event Log Readers, and Server Operators groups. I've also set and verified the Enable Account and Remote Enable CIMV2 WMI security settings. I've verified that the username/password is good on the service account and the account is not locked. EDIT: I've also verified that the Windows Firewall on the DC's are not blocking WMI, and that the WMI service is running. I get the following errors, showing it's not connected to my domain controller: show user server-monitor statistics Directory Servers: Name TYPE Host Vsys Status ----------------------------------------------------------------------------- [AD Server FQDN] AD [AD Server FQDN] vsys1 Not connected [AD Server 2 FQDN] AD [AD Server 2 FQDN] vsys1 Not connected From the log: 2021-04-26 10:56:46.639 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server NTSTATUS: NT code 0xc002001b - NT code 0xc002001b 2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b 2021-04-26 10:56:48.661 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b 2021-04-26 10:56:48.664 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1590): log query for server failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b 2021-04-26 10:56:48.664 -0500 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1275): WMIC message from server: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b Am I missing anything? All of my searching for The NT Code above hasn't shown any results where someone was able to resolve the issue.

Member Since	‎05-12-2020 10:04 AM
Date Last Visited	‎03-15-2023 10:23 AM
Posts	2
Total Likes Received	1

Online Status	Offline
Date Last Visited	‎03-15-2023 10:23 AM

About BrandonStiefel1

Re: Agentless User-ID Not Connected

Agentless User-ID Not Connected (RESOLVED)

Agentless User-ID Not Connected (RESOLVED)

Re: Agentless User-ID Not Connected

Agentless User-ID Not Connected (RESOLVED)