How To Verify WMI Remote Connectivity using WBEMTEST
Created On 04/30/19 03:20 AM - Last Modified 07/19/22 03:21 AM
- Achieve a successful connection from Palo Alto Networks firewall to Active Directory server using an Agentless User-ID method.
- Verify WMI remote connectivity from Windows client to Active Directory (Domain Controller) server.
- Palo Alto Networks firewall configured with Agentless User-ID method to Microsoft Active Directory server
- Server Monitoring shows access denied for one or more AD server(s)
- The useridd.log file (less mp-log useridd.log) displays an error message with the NT code:
Error: pan_user_id_win_sess_query(pan_user_id_win.c:1498): session query for dc03.panlab.test failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1040): WMIC message from server dc03.panlab.test: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
- Configuration of Agentless User ID: Configure a Service Account for the PAN-OS Integrated User-ID Agent
- Group membership configured for a service account is replicated to all AD servers in the domain.
- WMI permissions must be configured on every AD server (this is a local setting and is NOT replicated to other AD servers).
- AD server: dc03.panlab.test
- Service account username: svc_paloalto
To verify WMI remote connectivity to the AD server, one of the available tools is WBEMTEST, which is available on most Windows systems.
Run the following steps from any Windows machine (domain member). Do not run from the AD server itself.
- STEP 1: Go to Start, type wbemtest in the Search or Run box
- STEP 2: A new window titled 'Windows Management Instrumentation Tester' will be launched. Notice that most of the buttons are disabled (greyed out)
- STEP 3: Click Connect
- STEP 4: Specify Namespace: \\dc03.panlab.test\root\cimv2
- STEP 5: Provide service account username svc_paloalto and its password
- STEP 6: Click on Connect
- STEP 7: Observe whether any Error message is displayed (write down the Error Number and Error Description and look them up in the article WMI Error Constants)
- STEP 8: On a successful connection, verify the Namespace and that all the buttons are enabled (not greyed out)
- The most common error is 0x80041003.
- This code indicates the service account does not have permission to connect to WMI remotely.
- Ensure the AD server is configured with proper WMI permissions for that service account (Enable Access, Remote Enable, and Read Security).
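Because WMI permissions are local to each AD server, it helps to list which servers the firewall is failing against before running WBEMTEST on each one. The following is an added example, not Palo Alto Networks code: it parses useridd.log text in the format shown above and names each NT code using a subset of Microsoft's WMI Error Constants. The dc04.panlab.test line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Subset of Microsoft's WMI Error Constants (WBEM_E_*).
WMI_ERRORS = {
    0x80041001: "WBEM_E_FAILED",
    0x80041002: "WBEM_E_NOT_FOUND",
    0x80041003: "WBEM_E_ACCESS_DENIED",
    0x8004100E: "WBEM_E_INVALID_NAMESPACE",
    0x80041010: "WBEM_E_INVALID_CLASS",
}

# Matches both message shapes from the article. finditer() is used instead of
# line splitting because exported logs may run several entries onto one line.
ENTRY = re.compile(
    r"(?:session query for|WMIC message from server)\s+(?P<server>[\w.-]+)"
    r"(?:\s+failed)?:\s+NTSTATUS:\s+NT code (?P<code>0x[0-9A-Fa-f]{8})"
)

# First line: the two entries from the article, joined as they often arrive.
# Second line: constructed sample for a second server.
SAMPLE = (
    "Error: pan_user_id_win_sess_query(pan_user_id_win.c:1498): session query for "
    "dc03.panlab.test failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003 "
    "Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1040): WMIC message "
    "from server dc03.panlab.test: NTSTATUS: NT code 0x80041003 - NT code 0x80041003\n"
    "Error: pan_user_id_win_sess_query(pan_user_id_win.c:1498): session query for "
    "DC04.panlab.test failed: NTSTATUS: NT code 0x8004100e - NT code 0x8004100e\n"
)

def failing_servers(log_text):
    """Return {server: {code, ...}} with hostnames lower-cased and de-duplicated."""
    found = defaultdict(set)
    for m in ENTRY.finditer(log_text):
        found[m.group("server").lower()].add(int(m.group("code"), 16))
    return dict(found)

def report(log_text):
    """Return sorted (server, hex code, constant name) rows for triage."""
    return [(server, f"0x{code:08X}", WMI_ERRORS.get(code, "UNKNOWN"))
            for server, codes in sorted(failing_servers(log_text).items())
            for code in sorted(codes)]

def needs_wmi_permission_fix(log_text):
    """Servers reporting 0x80041003, i.e. where the per-server WMI ACL must be checked."""
    return sorted(s for s, c in failing_servers(log_text).items() if 0x80041003 in c)

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row)
```

Run WBEMTEST against every server returned by `needs_wmi_permission_fix`, since a fix on one AD server does not carry over to the others.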
For additional information, please review the following resources:
Configure a Service Account for the PAN-OS Integrated User-ID Agent.
Agentless User-ID 'access denied' Error in Server Monitor
Agentless User-ID Error failed to parse security log buf
Introduction to WBEMTEST
WMI Error Constants