User-ID server monitor access denied

Created On 07/14/22 19:06 PM - Last Modified 03/16/23 19:36 PM


Symptom


  • An "access denied" error is observed in the system log (show log system) and the useridd log (less mp-log useridd.log).
  • Remote connectivity from a Windows client to the Active Directory (Domain Controller) server has been verified.
  • Take a packet capture on the firewall for the connection to the AD server.
In the flow graph, the AD server responds with access denied to the Distributed Computing Environment / Remote Procedure Call (DCE/RPC) request sent by the firewall.

[Screenshot: flow graph]

[Screenshot: DCE/RPC Request]

[Screenshot: DCE/RPC Response - Fault: nca_s_fault_access_denied]
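To confirm the same fault from exported capture bytes rather than by reading the flow graph, the following added example (not part of the original article and not Palo Alto Networks code) decodes connection-oriented DCE/RPC PDUs and reports those whose fault status is nca_s_fault_access_denied. The function names are illustrative and the sample PDUs are constructed.

```python
import struct

# Connection-oriented DCE/RPC PDU types (byte 2 of the common header).
PTYPE_NAMES = {0: "request", 2: "response", 3: "fault"}
# Fault status the article reports; other codes are shown as hex only.
FAULT_NAMES = {0x00000005: "nca_s_fault_access_denied"}

def parse_dcerpc_pdu(data: bytes) -> dict:
    """Decode the 16-byte common header and, for a fault PDU, its status."""
    if len(data) < 16:
        raise ValueError("shorter than the 16-byte DCE/RPC common header")
    vers, ptype = data[0], data[2]
    if vers != 5:
        raise ValueError(f"not a connection-oriented DCE/RPC PDU (rpc_vers={vers})")
    # High nibble of the first data-representation byte: 1 = little-endian.
    endian = "<" if data[4] >> 4 == 1 else ">"
    frag_len, _auth_len, call_id = struct.unpack_from(endian + "HHI", data, 8)
    if frag_len > len(data):
        raise ValueError("truncated PDU: frag_length exceeds captured bytes")
    pdu = {"type": PTYPE_NAMES.get(ptype, f"ptype_{ptype}"), "call_id": call_id}
    if ptype == 3:
        # Fault body: alloc_hint(4) p_cont_id(2) cancel_count(1) reserved(1) status(4)
        if frag_len < 28:
            raise ValueError("fault PDU too short to carry a status")
        (status,) = struct.unpack_from(endian + "I", data, 24)
        pdu["status"] = status
        pdu["status_name"] = FAULT_NAMES.get(status, f"0x{status:08x}")
    return pdu

def access_denied_calls(pdus):
    """Return the call_ids whose fault status is nca_s_fault_access_denied."""
    denied = []
    for raw in pdus:
        pdu = parse_dcerpc_pdu(raw)
        if pdu.get("status") == 0x00000005:
            denied.append(pdu["call_id"])
    return denied

# Constructed sample PDUs (not taken from the article's capture).
SAMPLE_REQUEST = bytes.fromhex("05000003" "10000000" "1800" "0000" "02000000"
                               "00000000" "0000" "0300")
SAMPLE_FAULT = bytes.fromhex("05000303" "10000000" "2000" "0000" "02000000"
                             "20000000" "0000" "00" "00" "05000000" "00000000")

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_FAULT):
        print(parse_dcerpc_pdu(raw))
```

The call_id ties each fault back to the request it answers, so a denied call can be matched to the request the firewall sent.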


Environment


  • Palo Alto Firewall
  • Supported PAN-OS.
  • WMI enabled on Integrated User-ID  
  • Microsoft Windows Server 
Note: WMI (Windows Management Instrumentation) is configured under GUI: Device > User Identification > User Mapping > Server Monitoring > Transport Protocol: 'WMI'


Cause


The AD server generates the fault nca_s_fault_access_denied message in response to the RPC request.

Resolution


On the AD server, check for the error message "Fault: nca_s_fault_access_denied" and follow the guidelines the AD server suggests to resolve it.
