Active Directory Security Groups Required for a Dedicated Service Account with WinRM Agentless User-ID
Symptom
When configuring Agentless User-ID on PAN-OS using WinRM, a service account that is not a member of Domain Admins is denied access to the WinRM service on the domain controller because it lacks the required permissions. The following error is logged on the firewall in useridd.log (the SOAP fault element names s:Sender and w:AccessDenied from the WS-Management response have been run together with the fault text):
failed to connect to winrm server. HTTP 500: s:Senderw:AccessDeniedAccess is denied. Access is Denied Connection failed. response code = 500, error: (null)
Environment
- Palo Alto Networks Firewall
- PAN-OS 9.0.x or later
- Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Resolution
If you do not want to, or cannot, add the dedicated service account to the Domain Admins or Administrators group, add it instead to the following security groups on the domain controllers so that it can use WinRM and WMI:
- Distributed COM Users
- Event Log Readers
- Remote Management Users
- Server Operators
- WinRMRemoteWMIUsers__
Note that Server Operators is itself a privileged built-in group on domain controllers, so this configuration reduces but does not eliminate the account's privileges; protect the account's credentials accordingly.
Additionally, if WMI data is to be retrieved over WinRM, the service account also needs read access to the root\CIMV2 namespace on the domain controllers. For details on granting CIMV2 namespace permissions, see Configure a Service Account for the PAN-OS Integrated User-ID Agent.
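The following PowerShell script is an added example, not part of the original article or Palo Alto Networks' own tooling. It adds the service account to the groups listed above on a domain controller, reports (rather than creates) any group that does not exist, and then verifies WinRM and CIMV2 access using the service account's own credentials. The account name svc-userid, the domain CORP, and the domain controller dc01.corp.example are hypothetical placeholders; it assumes the ActiveDirectory RSAT module is installed and that it is run with Domain Admin rights.

```powershell
# Added example (not from the Palo Alto Networks KB article). Grants the dedicated
# User-ID service account the group memberships from the Resolution section and then
# verifies WinRM/WMI access from the account's point of view.
# Assumptions: ActiveDirectory RSAT module installed, run as Domain Admin, and the
# account/domain/DC names below are hypothetical placeholders.

#Requires -Modules ActiveDirectory
param(
    [string]$ServiceAccount   = 'svc-userid',          # hypothetical sAMAccountName
    [string]$DomainNetbios    = 'CORP',                # hypothetical NetBIOS domain name
    [string]$DomainController = 'dc01.corp.example'    # hypothetical DC FQDN
)

# Groups named in the Resolution section. Server Operators is itself privileged on
# domain controllers, so this is least privilege relative to Domain Admins, not zero privilege.
$requiredGroups = @(
    'Distributed COM Users',
    'Event Log Readers',
    'Remote Management Users',
    'Server Operators',
    'WinRMRemoteWMIUsers__'
)

$user = Get-ADUser -Identity $ServiceAccount -Server $DomainController

foreach ($groupName in $requiredGroups) {
    # -Filter returns $null instead of throwing when the group does not exist.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $DomainController
    if (-not $group) {
        # On Windows Server 2016+ WinRMRemoteWMIUsers__ may be absent; the article says to
        # involve Microsoft Support rather than hand-create it, so only report it here.
        Write-Warning "Group '$groupName' not found on $DomainController; not created."
        continue
    }
    Add-ADGroupMember -Identity $group -Members $user -Server $DomainController
    Write-Host "Added $ServiceAccount to '$groupName'"
}

# Confirm the effective memberships of the service account.
Get-ADPrincipalGroupMembership -Identity $user -Server $DomainController |
    Where-Object { $_.Name -in $requiredGroups } |
    Select-Object Name, GroupScope

# Verify as the service account: a successful Test-WSMan means the WinRM listener no
# longer answers HTTP 500 / AccessDenied for this account.
$cred = Get-Credential -UserName "$DomainNetbios\$ServiceAccount" -Message 'Service account password'
Test-WSMan -ComputerName $DomainController -Credential $cred -Authentication Kerberos

# Then confirm the root/cimv2 namespace is readable over the WSMan transport, which is
# the path the firewall uses when it fetches WMI data via WinRM.
$session = New-CimSession -ComputerName $DomainController -Credential $cred -Authentication Kerberos
Get-CimInstance -CimSession $session -Namespace 'root/cimv2' -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption
Remove-CimSession $session
```

Run it once per domain controller that the firewall will query. If Test-WSMan succeeds but Get-CimInstance is denied, the group memberships are correct and the remaining gap is the CIMV2 namespace permission described in the linked document.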
Additional Information
On Windows Server 2016 and later, the built-in local group WinRMRemoteWMIUsers__ may be missing. If the group is missing, involve Microsoft Support for assistance in adding it.