Error message "Unable to extract credentials" in Uacreddebug.log after upgrade to 11.0.0-102

Created On 09/13/23 16:08 PM - Last Modified 04/19/24 22:12 PM


Symptom


  • Error messages similar to the ones below are seen in UaCredDebug.log (C:\Program Files\Palo Alto Networks\User-Id Credential Agent):
03/27/23 11:17:56:229 [Error  427]: GetNCChanges: 0x00002105 (8453)
03/27/23 11:17:56:233 [Error  427]: GetNCChanges: 0x00002105 (8453)
03/27/23 11:17:56:237 [Error  427]: GetNCChanges: 0x00002105 (8453)
03/27/23 11:17:56:241 [Error  427]: GetNCChanges: 0x00002105 (8453)
03/27/23 11:17:56:245 [Error  427]: GetNCChanges: 0x00002105 (8453)
03/27/23 11:17:56:249 [Error  427]: GetNCChanges: 0x00002105 (8453)
03/27/23 11:17:56:253 [Error  427]: GetNCChanges: 0x00002105 (8453)
03/27/23 11:17:56:254 [Error  716]: Unable to extract credentials. 


Environment




Cause


  • Starting from Windows User-ID Credential Agent 11.0.0-102, the agent uses a new, more efficient method instead of the legacy method.
  • Due to this change, the Credential Agent now requires new permissions for both the user (service account) and the computer (RODC) so it can use the functions that sync/copy password hashes from the Domain Controllers.
  • This feature will also work if the service account has Domain Admin privileges.
  • If the new Credential Agent 11.0.0-102 is installed with only the old permission (the "local system administrator"), it will not work and the error message above is displayed in UaCredDebug.log.


Resolution


For Credential Agent 11.0, to add the new permissions for the user (service account) and the computer (RODC), follow the steps below:
  1. To add the permissions, open 'Active Directory Users and Computers' on any Domain Controller. Under 'View', select 'Advanced Features'.
[Screenshot: 'Advanced Features' option]
  2. Right-click the domain root (the domain FQDN, e.g. pantac-91-74) in the left pane and select Properties.
  3. Go to the 'Security' tab.
    • Make sure that the user and machine account that run the Credential Agent have the following permissions:
      • Replicating Directory Changes
      • Replicating Directory Changes All
      • Replicating Directory Changes in Filtered Set
    • Note: There is a built-in group called 'Enterprise Read-only Domain Controllers' which Microsoft recommends for DRS access-denied errors, but using it would grant these permissions to all RODCs. Access should be granted on the principle of least privilege, so instead click 'Add', change the object type to 'Computers' and select the specific RODC.
[Screenshot: adding the RODC computer object]
    • Then add the permissions for the computer object.
[Screenshot: adding the permissions]
  4. Repeat the same process for the Service Account used by the User-ID agent, but with the default object types (which include 'Users').
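To verify that only the intended accounts ended up with these rights after the steps above, the following PowerShell check lists every principal holding the three replication extended rights on the domain root. It is an added example, not part of the Palo Alto article; it assumes the ActiveDirectory RSAT module is available, and the account names in $Expected are placeholders.

```powershell
# Added example, not part of the Palo Alto article: list every principal that holds
# the three replication extended rights on the domain root, so the grants made in
# the steps above can be verified and unexpected holders reviewed.
# Assumes the ActiveDirectory RSAT module; account names below are placeholders.
Import-Module ActiveDirectory

# Well-known GUIDs of the extended rights the article asks you to grant.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes in Filtered Set'
}

function Get-ReplicationRightHolders {
    param(
        # Domain root DN (the object whose Properties the GUI steps edit).
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (-not $ace.ActiveDirectoryRights.HasFlag($extended)) { continue }
        # An ExtendedRight ACE with an empty ObjectType (e.g. part of GenericAll)
        # covers every extended right, including all three replication rights.
        if ($ace.ObjectType -eq [guid]::Empty) {
            $names = $ReplicationRights.Values
        } elseif ($ReplicationRights.ContainsKey($ace.ObjectType.ToString())) {
            $names = @($ReplicationRights[$ace.ObjectType.ToString()])
        } else { continue }
        foreach ($name in $names) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $name
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholders: the agent service account and the single RODC you granted.
$Expected = @('EXAMPLE\svc-credagent', 'EXAMPLE\RODC01$')

Get-ReplicationRightHolders | Sort-Object Identity, Right | ForEach-Object {
    $flag = if ($Expected -contains $_.Identity) { 'expected' } else { 'REVIEW' }
    '{0,-8} {1,-40} {2}' -f $flag, $_.Identity, $_.Right
}
```

Built-in holders such as Domain Controllers, Enterprise Domain Controllers and Administrators will typically show up as REVIEW as well; add them to $Expected once confirmed, so that any remaining REVIEW entry is a real over-grant to investigate.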


Additional Information


Microsoft document
