Dedicated Service Account required Active Directory Security Groups for WinRM Agentless User-ID

Dedicated Service Account required Active Directory Security Groups for WinRM Agentless User-ID

17383
Created On 05/26/21 23:30 PM - Last Modified 07/28/21 22:39 PM


Symptom

When configuring Agentless User-ID on PanOS using WinRM, if the service account is not part of the domain admins, the service account will fail as the access will be denied to the WinRM service due to permission issue. The following error will be seen on the firewall in the useridd.log: 

failed to connect to winrm server.
HTTP 500: s:Senderw:AccessDeniedAccess is denied. Access is Denied
Connection failed. response code = 500, error: (null)


Environment
  • Palo Alto Networks Firewall 
  • PanOS 9.0.x or above 
  • Windows Server 2012 R2 and Windows Server 2016 


Resolution

If you don't want to or can't add the dedicated service account to the Windows Domain Admins or Administrators group, the service account will need to be added to the following security groups on Windows Domain controller for the service account to have access to WinRM and WMI: 

  • Distributed COM Users
  • Event Log Readers
  • Remote Management Users
  • Server Operators
  • WinRMRemoteWMIUsers__ group

Additionally, if you want to get WMI data via WinRM then the service account will need access to read the CIMV2 namespace on the domain controllers. For more information on CIMV2 namespace please have a look Configure a Service Account for the PAN-OS Integrated User-ID Agent

 

 

 

 



Additional Information

If you are running Windows Server 2016, the following built-in local group might be missing "WinRMRemoteWMIUsers__ group". If the group is missing, please involve Microsoft Support on assistance to add the group.  

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VUICA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language