Useridd logs display "UIA Credentail error: credential enabled but no digest"

Created On 03/12/23 21:51 PM - Last Modified 10/21/24 19:24 PM


Symptom


  • After enabling the domain credential filter using the User-ID Credential Agent on the firewall, you may notice a constant error in useridd.log (less mp-log useridd.log): "Credentail error: credential enabled but no digest"
    >tail follow yes mp-log useridd.log
    0500 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10881): UIA Credentail error: credential enabled but no digest.
    0500 Warning:  pan_user_group_handle_cred_stats(pan_user_group.c:10881): UIA Credentail error: credential enabled but no digest.
  • User-ID Agent state on the firewall shows "Credential Enforcement Status : Enabled and Pending"
    >show user user-id-agent state Credentail
    Agent: Credentail(vsys: vsys1) Host: 172.16.3.253(172.16.3.253):5007
            Status                                            : conn:idle
            Version                                           : 0x5
            SSL config                                        : Default certificates
            num of connection tried                           : 4
            num of connection succeeded                       : 4
            num of connection failed                          : 0
            num of status msgs rcvd                           : 216
            num of request of status msgs sent                : 216
          .....(Output Omitted).....
              Failed to send messages                         : 0
              Failed to enqueue messages                      : 0
              Queued sending msgs with priority 0             : 0
              Queued sending msgs with priority 1             : 0
              Queued rcvring msgs with priority 0             : 0
              Queued rcvring msgs with priority 1             : 0
             Credential Enforcement Status : Enabled and Pending        
              Last BF digest received(seconds ago)            : 929
              Last BF request sent(seconds ago)               : 1124
              Last BF updated(seconds ago)                    : 1124
              Current BF digest : 211700230e5bce5a1aac4bed92c254c6
  • The UaCredDebug logs (C:\Program Files\Palo Alto Networks\User-Id Credential Agent) constantly show "Failed to bind to LDAP server" and "No DN specified. Not refreshing"
    [Error  542]: ldap_connect(_uidsvc@domain.com) return(49) : ÐàÝ
    [Error 1073]: pan_ldap_bind()  failed
    [Debug 1096]: Disconnect ldap from '127.0.0.1'
    [Error 1880]: ldap connect failed: HàÝ
    [Error 1689]: Failed to bind to LDAP server
    [ Warn  613]: No DN specified. Not refreshing.
    [Error  696]: Failed to update user list
    [Debug  798]: Parsing message...
    [Debug  873]: Received request for BF.
    [ Info  667]: Sent BF to UaService. 0829f71740aab1ab98b33eae21dee122
    [ Warn  613]: No DN specified. Not refreshing.
    [Error  696]: Failed to update user list
    [ Warn  613]: No DN specified. Not refreshing.
    [Error  696]: Failed to update user list
    [ Warn  613]: No DN specified. Not refreshing.
    [Error  696]: Failed to update user list
  • While stopping the User-ID Credential Agent service on the RODC, you get "Error 1067: The process terminated unexpectedly"

           (Screenshot: Error1067Credentials.png)
Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • User-ID Agent 
  • User-ID Credentials Agent
  • Microsoft RODC


Cause


  • Based on the above logs, the issue was caused by the service account being disabled or locked out
  • The "ldap_connect(_uidsvc@domain.com) return(49)" error indicates that the Distinguished Name (DN) or the password is invalid


Resolution


  1. Verify whether the service account is disabled or locked out. In the User-ID service account shown below, the account was locked out
  2. Unlock the service account if it is locked
  3. Enable the account if it is disabled
           (Screenshot: 2023-03-12 17_01_17-SERVER2019-nbastola-RODC.png)
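The three resolution steps above can be carried out and then verified from a PowerShell prompt on a domain-joined host. The script below is an added example written for this article; it is not from Palo Alto Networks or the Credential Agent. It assumes the service account is the "_uidsvc" account seen in the UaCredDebug log, that the RSAT ActiveDirectory module is installed, and that a writable domain controller is reachable under the placeholder name "dc01.domain.com" (an RODC cannot process the unlock or enable write itself, so the commands are pointed at a writable DC). The final section performs an LDAP bind with the service account's credentials, which is the same operation that was failing in the log, so a successful bind confirms the fix before the agent service is restarted.

```powershell
# Added example (not from the Palo Alto KB article): inspect, unlock and enable the
# User-ID Credential Agent service account, then confirm it can bind to LDAP.
Import-Module ActiveDirectory

$SvcAccount = '_uidsvc'          # account name taken from "ldap_connect(_uidsvc@domain.com)" in the log
$Domain     = 'domain.com'       # placeholder domain from the same log line
$WritableDC = 'dc01.domain.com'  # placeholder: writes must go to a writable DC, not the RODC

# Step 1: read the fields that explain a lockout or a disabled account
$acct = Get-ADUser -Identity $SvcAccount -Server $WritableDC `
    -Properties Enabled, LockedOut, BadLogonCount, LastBadPasswordAttempt, PasswordExpired, PasswordLastSet
$acct | Select-Object SamAccountName, Enabled, LockedOut, BadLogonCount,
    LastBadPasswordAttempt, PasswordExpired, PasswordLastSet | Format-List

# Step 2: unlock the account if it is locked out
if ($acct.LockedOut) {
    Unlock-ADAccount -Identity $SvcAccount -Server $WritableDC
    Write-Host "Unlocked $SvcAccount on $WritableDC"
}

# Step 3: enable the account if it is disabled
if (-not $acct.Enabled) {
    Enable-ADAccount -Identity $SvcAccount -Server $WritableDC
    Write-Host "Enabled $SvcAccount on $WritableDC"
}

# Verification: bind to LDAP as the service account, which is what the agent does.
# A wrong password, an expired password or a still-locked account throws LdapException;
# a clean bind means the "Failed to bind to LDAP server" errors should stop once the
# User-ID Credential Agent service is restarted.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName "$SvcAccount@$Domain" -Message 'Password of the Credential Agent service account'
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($WritableDC)
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $ldap.Bind($cred.GetNetworkCredential())
    Write-Host "LDAP bind as $SvcAccount@$Domain succeeded"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning ("LDAP bind failed: code {0} ({1})" -f $_.Exception.ErrorCode, $_.Exception.Message)
} finally {
    $ldap.Dispose()
}
```

Run it with an account that has rights to unlock and enable users in the domain. If the bind still fails after the unlock, the password stored in the Credential Agent configuration no longer matches the account and must be updated there as well.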


Additional Information




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHJ8CAM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail