Palo Alto Networks Knowledgebase: Agentless User-ID 'access denied' Error in Server Monitor
Created On 09/25/18 20:39 PM - Last Updated 12/04/19 17:42 PM
When using the agentless User-ID setup, the status shows as "Access denied" under Server Monitoring.
Check the useridd.log
Run the following command: > less mp-log useridd.log
Go to the end of the file by pressing Shift+G on the keyboard. If the following error appears in the logs, the problem is likely caused by a permissions issue: log query for snt016 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.
Also, if the error "NT_STATUS_NET_WRITE_FAULT" appears in the log entries, this indicates that a special character is used in the password of the service account. This password needs to be reset.
Check permission settings on Windows 2008/2012 server for WMI event log access by the agentless User-ID:
All device users are assigned to a group. This group should be created as a “Universal group”, so it can be used across multiple domains. The newly created group should be added to the built-in group, “Event Log Readers”, to allow reading of security logs of the Active Directory Domain Controller or Microsoft Exchange Server. It should also be added to the “Distributed COM Users” user group to allow remote login via DCOM.
If the user group should be allowed to access the security logs of all domain servers, a corresponding permission can be set via Microsoft Active Directory Group Policy Objects.
For Windows 2008/2012 server, the permission system to access servers and local resources remotely has been dramatically changed from prior versions. These changes require certain permissions of the WMI APIs in order for User-ID to access security event logs remotely.
On the specific Windows Servers that need to be monitored, open the WMI management console (“wmimgmt.msc”). Select the local WMI Controls properties, and edit the “Security” settings. Navigate to the “CIMV2” section and click “Security”. Add the user group created for the firewall users to the list of authorized users and groups, and enable the “Enable Account”, “Remote Enable” and “Read Security” permissions.
Alternatively, in order to allow the newly created user group to access ALL security logs across all domain servers, set the corresponding Group Policy Object instead of individually adding the group to the local groups. This is required, since this permission is a local permission on the servers of the domain.
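As an added example that is not part of this KB article, the following PowerShell script audits, on a single Windows server, the local settings the steps above configure: membership of the firewall group in “Event Log Readers” and “Distributed COM Users”, and the “Enable Account”, “Remote Enable” and “Read Security” rights on the root\cimv2 namespace. The group name DOMAIN\UserID-Readers is a placeholder; the script does not evaluate rights pushed by Group Policy, only what is effective on the server it runs on.

```powershell
# Added audit script, not from the Palo Alto Networks KB article. Checks on ONE
# Windows server whether a service-account group has the settings the article
# describes. Run in an elevated PowerShell. The group name is a placeholder.
param(
    [string]$Group = 'DOMAIN\UserID-Readers'   # assumption: replace with your group
)

# Access-mask bits behind the three checkboxes edited via wmimgmt.msc (WMI constants)
$required = [ordered]@{
    'Enable Account' = 0x1       # WBEM_ENABLE
    'Remote Enable'  = 0x20      # WBEM_REMOTE_ACCESS
    'Read Security'  = 0x20000   # READ_CONTROL
}

function Format-Status([bool]$ok, [string]$text) {
    '[{0}] {1}' -f $(if ($ok) { 'OK     ' } else { 'MISSING' }), $text
}

# 1. Membership in the two built-in local groups. The ADSI WinNT provider is used
#    because it also works on Windows Server 2008/2012, unlike Get-LocalGroupMember.
foreach ($localGroup in 'Event Log Readers', 'Distributed COM Users') {
    $entry   = [ADSI]"WinNT://./$localGroup,group"
    $members = @($entry.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/Name; normalise it to DOMAIN\Name
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
    })
    Format-Status ($members -contains $Group) "$Group is a member of '$localGroup'"
}

# 2. Rights granted to the group on root\cimv2 (the "CIMV2" security dialog).
#    Only allow ACEs are summed; a deny ACE for the group would still block access.
$result = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__systemsecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed, return value $($result.ReturnValue)" }

$allowMask = 0
foreach ($ace in $result.Descriptor.DACL) {
    $trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
    if ($ace.AceType -eq 0 -and $trustee -eq $Group) {   # AceType 0 = ACCESS_ALLOWED
        $allowMask = $allowMask -bor $ace.AccessMask
    }
}
foreach ($name in $required.Keys) {
    Format-Status (($allowMask -band $required[$name]) -ne 0) "root\cimv2 grants '$name' to $Group"
}
```

A line marked MISSING points to the corresponding step above; rerun the script after the change, since the ACE must be present on the namespace itself or inherited from root.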