Server monitoring status flapping between "Access denied" and "Connected" when using WinRM protocol
3552
Created On 03/15/23 18:00 PM - Last Modified 07/27/23 20:25 PM
Symptom
- Connection status flaps between ''Access denied" and "Connected" intermittently under firewall WebUI: Device > User Identification > User Mapping > Server Monitoring.
- Similar messages are also seen in the useridd.log (less mp-log useridd.log).
> less mp-log useridd.log
-0700 Error: pan_user_id_winrm_query(pan_user_id_win.c:2795): Connection failed. response code = 500, error: (null) in vsys 1, server=SRV.lab.local.
-0700 Error: pan_user_id_winrm_query(pan_user_id_win.c:2751): failed to connect to winrm server SRV.lab.local in vsys 1
-0700 Error: pan_user_id_winrm_error(pan_user_id_win.c:2644): HTTP 500: s:Receiverw:InternalErrorThe WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
200 The WS-Management service cannot process the request. The WMI service returned an 'access denied' error. HRESULT 0x8033810400182150859012HRESULTThe WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
Environment
- Palo Alto Firewall
- PAN-OS Integrated User-ID Agent
- Server Monitor
Cause
Caused by the option Enable Session being checked under WebUI: Device > User Identification > User Mapping > Server Monitor
Resolution
- Disable Enable Session by unchecking the option on WebUI: Device > User Identification > User Mapping.
- If this option is enabled, the Dedicated Service account needs to be a member of Server Operator builtin group to read server sessions.