Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Dedicated Service Account required Active Directory Security Gr... - Knowledge Base - Palo Alto Networks

Dedicated Service Account required Active Directory Security Groups for WinRM Agentless User-ID

99402
Created On 05/26/21 23:30 PM - Last Modified 08/29/23 05:55 AM


Symptom


When configuring Agentless User-ID on PanOS using WinRM, if the service account is not part of the domain admins, the service account will fail as the access will be denied to the WinRM service due to permission issue. The following error will be seen on the firewall in the useridd.log: 

failed to connect to winrm server.
HTTP 500: s:Senderw:AccessDeniedAccess is denied. Access is Denied
Connection failed. response code = 500, error: (null)


Environment


  • Palo Alto Networks Firewall 
  • PanOS 9.0.x or above 
  • Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019


Resolution


If you don't want to or can't add the dedicated service account to the Windows Domain Admins or Administrators group, the service account will need to be added to the following security groups on Windows Domain controller for the service account to have access to WinRM and WMI: 

  • Distributed COM Users
  • Event Log Readers
  • Remote Management Users
  • Server Operators
  • WinRMRemoteWMIUsers__ group

Additionally, if you want to get WMI data via WinRM then the service account will need access to read the CIMV2 namespace on the domain controllers. For more information on CIMV2 namespace please have a look Configure a Service Account for the PAN-OS Integrated User-ID Agent

 

 

 

 



Additional Information


If you are running Windows Server 2016 or later, the following built-in local group might be missing "WinRMRemoteWMIUsers__ group". If the group is missing, please involve Microsoft Support on assistance to add the group.  

 



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VUICA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language