Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to Install User-ID Agent and Prevent 'Start service failed ... - Knowledge Base - Palo Alto Networks

How to Install User-ID Agent and Prevent 'Start service failed with error 1069'

106719
Created On 09/25/18 17:19 PM - Last Modified 06/15/23 21:51 PM


Symptom


For the newer version of this article refer to the documentation

Resolution


This article outlines the steps required to install the UserID Agent and account permissions required for it to function properly. If not all access is granted, you may encounter the following error: "Start service failed with error 1069: The service did not start due to a logon failure."

 

In this article the example service account is 'kumar@panrootdc.local'.

 

Error.png

 

 

 

Step 1. Make sure the account  you are using in the User-id agent is part of 'Event log reader' and 'server operator.' In this example "kumar@panrootdc.local" should be part of "server operator", "event log reader"

# Please note that 'server operator' is required for Agent-less UserID. But it is optional for Windows based Used ID agent.

 

mstsc_2017-01-10_06-43-40.png

 

mstsc_2017-01-10_06-46-49.png

 

Step 2. Account should be to log on as a service. Open Administrative Tools, then open Local Security Policy.

 

Local Security Policy.png

 

Go to Local Policies > User Rights Assigment. Find Log on as a service. Double click and add the account to Local Security setting.

Please also make sure  Deny Log on as a service does not have ServiceAccount user listed as a member

User Right Assigment.png

 

Add User Right Assigment.png

 

 

Step 3: Open cmd in Administrator mode and perform a 'gpupdate'. Otherwise, it will take time for the changes to take effect.

 

gpupdate.png

 

Step 4. The account should have permission to the folder where the User ID agent is installed. To give permission, go to the folder where User-ID agent is installed and grant the required permission:

 

PA folder permission.png

PA permission.png

 

 

 

Step 5. The account should have permission to registry: Locate the Palo Alto Networks folder  in

 

Computer\HKEY_LOCAL_MACHINE\Software\Palo Alto Networks

 

OR

 

Computer\HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks

 

 

Regedit.pngRegPermission.png

 

Step 6. Give proper permission to the account for WMI CIMv2: In 'run' type 'wmimgmt.msc' and hit enter.

 

WMI.pngWMI permission.png

 



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEuCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language