How To Verify WMI Remote Connectivity using WBEMTEST

Created On 04/30/19 03:20 AM - Last Modified 07/19/22 03:21 AM


Objective
  • Achieve a successful connection from Palo Alto Networks firewall to Active Directory server using an Agentless User-ID method.
  • Verify WMI remote connectivity from Windows client to Active Directory (Domain Controller) server.


Environment
  • Palo Alto Networks firewall configured with Agentless User-ID method to Microsoft Active Directory server
  • Server Monitoring shows access denied for one or more AD server(s)
  • The log in useridd.log (less mp-log useridd.log) displays an error message with an NT code:
Error: pan_user_id_win_sess_query(pan_user_id_win.c:1498): session query for dc03.panlab.test failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003

Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1040): WMIC message from server dc03.panlab.test: NTSTATUS: NT code 0x80041003 - NT code 0x80041003


Procedure
In this example, we are using the following parameters:
  • AD server: dc03.panlab.test
  • Service account username: svc_paloalto

To verify WMI remote connectivity to the AD server, one of the available tools is WBEMTEST, which is available on most Windows systems.

Run the following steps from any Windows machine (domain member). Do not run from the AD server itself.
  1. STEP 1: Go to Start and type wbemtest in the Search or Run box.
  2. STEP 2: A new window titled "Windows Management Instrumentation Tester" is launched. Notice that most of the buttons are disabled (greyed out).
  3. STEP 3: Click Connect.
     [Screenshot: WMI Test window]
  4. STEP 4: Specify Namespace: \\dc03.panlab.test\root\cimv2
  5. STEP 5: Provide the service account username svc_paloalto and its password.
  6. STEP 6: Click Connect.
     [Screenshot: Specify Namespace and Service Account]
  7. STEP 7: Observe whether any error message is displayed (write down the Error Number and Error Description and look them up in the article WMI Error Constants).
  8. STEP 8: On a successful connection, verify the Namespace and that all the buttons are enabled (not greyed out).
     [Screenshot: Successful WMI remote connection]

Notes on the result:
  • The most common error is 0x80041003.
  • This code indicates the service account does not have permission to connect WMI remotely.
  • Ensure the AD server is configured with proper WMI permissions for that service account (Enable Access, Remote Enable, and Read Security).
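
The same connection test can be scripted so it is repeatable across every monitored AD server. The following is an added example, not part of the original article or Palo Alto Networks tooling; it assumes Windows PowerShell 5.1 (for Get-WmiObject, which uses DCOM like WBEMTEST) run from a domain member. Only the 0x80041003 hint comes from this article; the other codes are standard Windows/WMI constants included for context.

```powershell
# Added example: scripted equivalent of the WBEMTEST connection test.
# Assumption: Windows PowerShell 5.1 on a domain member, not the AD server itself.
$Servers = @('dc03.panlab.test')   # AD servers listed under Server Monitoring
$Cred = Get-Credential -UserName 'svc_paloalto' -Message 'Service account password'

# Only 0x80041003 is taken from the article; the rest are standard constants.
$Hints = @{
    '0x80041003' = 'WBEM_E_ACCESS_DENIED: account lacks WMI permissions on the namespace'
    '0x80070005' = 'E_ACCESSDENIED: rejected before WMI (DCOM rights or bad credentials)'
    '0x800706BA' = 'RPC server unavailable: DNS, host down, or RPC ports filtered'
    '0x8004100E' = 'WBEM_E_INVALID_NAMESPACE: namespace path is wrong'
}

function Test-WmiRemote {
    param([string]$Server, [pscredential]$Credential)
    try {
        # Same namespace as STEP 4; any small class proves the connection works.
        $os = Get-WmiObject -ComputerName $Server -Namespace 'root\cimv2' `
                  -Class Win32_OperatingSystem -Credential $Credential -ErrorAction Stop
        [pscustomobject]@{ Server = $Server; Connected = $true; Code = $null; Detail = $os.Caption }
    }
    catch {
        $ex = $_.Exception
        # WMI-level failures carry a ManagementStatus value; others carry an HRESULT.
        $raw = if ($ex -is [System.Management.ManagementException]) { [int]$ex.ErrorCode }
               else { $ex.HResult }
        $code = '0x{0:X8}' -f $raw
        $detail = if ($Hints.ContainsKey($code)) { $Hints[$code] } else { $ex.Message }
        [pscustomobject]@{ Server = $Server; Connected = $false; Code = $code; Detail = $detail }
    }
}

$Servers | ForEach-Object { Test-WmiRemote -Server $_ -Credential $Cred } |
    Format-Table -AutoSize -Wrap
```

A row with Code 0x80041003 matches the NT code in useridd.log and points at the WMI permissions on the AD server rather than at the firewall.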


Additional Information
For additional information, please review the following resources:
Configure a Service Account for the PAN-OS Integrated User-ID Agent.
Agentless User-ID 'access denied' Error in Server Monitor
Agentless User-ID Error failed to parse security log buf

External links:
Introduction to WBEMTEST
WMI Error Constants

