Adding certificates for PAN-OS Integrated User-ID Agent WinRM over HTTPS connection may cause Terminal Server Agent connections to fail.

17028
Created On 01/05/23 16:16 PM - Last Modified 08/21/25 07:22 AM


Symptom


  • Adding the necessary certificates for the PAN-OS Integrated User-ID agent WinRM over HTTPS transport protocol causes Terminal Server agent connections to fail.
  • This occurs when the Terminal Server agents are using certificates not signed by a Certificate Authority (CA) included in the certificate profile.
  • This leads to the loss of new user-to-IP mappings and affects user traffic.
  • User-ID logs on the firewall display the following errors.
10:55:45.339 -0700 Error:  pan_ssl_conn_open(pan_ssl_utils.c:843): Error: Failed to Connect to 10.x.x.x(source: 10.y.y.y), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
  • The first IP address (in the example above 10.x.x.x) is the Terminal Server agent’s IP address. The second IP address (in the example above 10.y.y.y) is the firewall’s IP address.


Environment


  • Palo Alto Firewalls or Panorama
  • PAN-OS 10.0.x and above
  • PAN-OS Integrated User-ID Agent
  • Terminal Server Agent


Cause


  • Starting from PAN-OS 10.0, customers have the ability to add certificates for secure communication between firewalls and agents.
  • However, the certificate profile on the firewall is shared between the User-ID agent and Terminal Server agent.
  • So, when you add certificates for the PAN-OS Integrated User-ID Agent WinRM over HTTPS connection, the certificate profile also applies to the connection with the Terminal Server Agent.
  • The connection to the Terminal Server agent will fail if the certificate cannot be verified.

[Figure: User-ID Connection Security]

[Figure: Certificate Profile]



Resolution


  1. As explained above, this is expected behavior because the User-ID agent and the Terminal Server agent share a certificate profile.
  2. To prevent this, have the Terminal Server agent certificate signed by the same root CA certificate specified in the certificate profile on the firewall.
  3. See step 4 (optional) in the documentation: Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping
  4. Alternatively, switch the User-ID agent to use WinRM over HTTP. This method does not use a certificate and therefore does not require a certificate profile.
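The cause above can be reproduced offline with openssl, as an added example that is not part of the article: a "profile CA" stands in for the root CA in the firewall's certificate profile, one constructed TS agent certificate is signed by it and a second is self-signed, and the same verification the firewall performs passes for the first and fails for the second. All names, files and the port in the comment are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article). Constructed CA and leaf certificates
# are generated in a temporary directory so the check runs offline.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# "Profile CA": stands in for the root CA referenced by the firewall's
# certificate profile (constructed, self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout profile-ca.key -out profile-ca.pem \
  -subj "/CN=Constructed Profile Root CA" >/dev/null 2>&1

# TS agent certificate signed by the profile CA (the working case).
openssl req -newkey rsa:2048 -nodes \
  -keyout ts-good.key -out ts-good.csr \
  -subj "/CN=ts-agent-signed-by-profile-ca" >/dev/null 2>&1
openssl x509 -req -in ts-good.csr -days 30 \
  -CA profile-ca.pem -CAkey profile-ca.key -CAcreateserial \
  -out ts-good.pem >/dev/null 2>&1

# TS agent certificate that is self-signed, i.e. not issued by any CA in
# the profile (the failing case from the article).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout ts-bad.key -out ts-bad.pem \
  -subj "/CN=ts-agent-self-signed" >/dev/null 2>&1

# chains_to_profile_ca CERT CAFILE
# Returns 0 when CERT verifies against the CA(s) in CAFILE, non-zero otherwise.
# This mirrors the check the firewall applies to the TS agent connection once
# a certificate profile is configured.
chains_to_profile_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# To check a live agent instead of a file, the same CA file can be handed to
# s_client; host and port are placeholders here:
#   openssl s_client -connect <ts-agent-ip>:<ts-agent-port> -CAfile profile-ca.pem
```

If `chains_to_profile_ca ts-bad.pem profile-ca.pem` fails for your agent's certificate, it is the situation described under Cause: re-issue the agent certificate from the profile's CA or switch the User-ID agent to WinRM over HTTP.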

