Configured server monitoring using WinRM over HTTP with Kerberos shows not connected

Created On 10/05/22 08:39 AM - Last Modified 01/07/25 05:12 AM


Symptom


  • Configuring WinRM over HTTP with Kerberos shows not connected.
  • System logs state "connection failed, Kerberos error".
  • Port 5985 is open on the firewall.
  • Ping to the Kerberos server is successful.
  • Under Device > User identification > Palo Alto Networks User-ID Agent Setup > Server Monitor Account, an IP address is configured in the "Domain's DNS Name" field (next to the Server Monitor Account Username).
  • Output of show system logs:
high     userid         connect 0  Server monitor MHG1DC01V(vsys1): connection failed, Kerberos error
high     userid         connect 0  Server monitor MHG2DC01V(vsys1): connection failed, Kerberos error
high     userid         connect 0  Server monitor MHG1DC01V(vsys1): connection failed, Kerberos error
high     userid         connect 0  Server monitor MHG2DC01V(vsys1): connection failed, Kerberos error
  • userid.log shows:
+1000 Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:2063): failed to get krb5 tgt ticket with error -1765328316.
+1000 Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:2068): krb5: accout=svcMHG2FW01Vuid, domain=TEST.PALOALTONETWORKS.COM.AU,principal=svcMHG2FW01Vuid@TEST.PALOALTONETWORKS.COM.AU,cached file=/opt/pancfg/.userid/krb5_cache_1_MHG1DC01V_1662698913.
+1000 Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:2094): krb5 error -1765328316: Realm not local to KDC.
+1000 Warning: pan_user_id_krb5_set(pan_user_id_win.c:2182): failed to acquire krb5 tgt ticket on vsys 1 for server MHG1DC01V.
+1000 Error: pan_user_id_winrm_query(pan_user_id_win.c:2725): failed to prepare winrm connection in vsys 1, server=MHG1DC01V.
+1000 connecting to ldap://[10.31.200.50]:389 ...
+1000 Error: pan_ldap_bind_simple(pan_ldap.c:396): ldap_sasl_bind result return(49) : Invalid credentials
+1000 Error: pan_ldap_ctrl_connect(pan_ldap_ctrl.c:1086): pan_ldap_bind() failed



Environment


  • PAN-OS
  • USER-ID
  • Monitoring using WinRM over HTTP


Cause


  • An IP address, rather than the domain's DNS name, is entered in the "Domain's DNS Name" field under Device > User identification > Palo Alto Networks User-ID Agent Setup > Server Monitor Account, so the Kerberos TGT request fails with "Realm not local to KDC" and the WinRM connection is never prepared.


Resolution


  1. Enter the DNS name of the monitored server in the "Domain's DNS Name" field instead of its IP address.
  2. If access to the monitored servers is configured to use Kerberos for server authentication, enter the Kerberos realm domain in that field.

On a Windows server, the FQDN of the Kerberos server can be found under Server Manager > Tools > DNS Manager > <name-of-server> > Forward Lookup Zones > <domain-name>.
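As an added triage helper (not part of this article or of PAN-OS), the Python below decodes the krb5 error number from userid.log lines like the ones quoted above and checks a "Domain's DNS Name" value for the IP-instead-of-FQDN mistake. The error table is a partial list of MIT krb5 error numbers, and the sample log lines are constructed from those quoted in the Symptom section.

```python
import ipaddress
import re

# Partial table of MIT krb5 error numbers (code -> symbolic name, message).
# -1765328316 is the value seen in the article's userid.log.
KRB5_ERRORS = {
    -1765328316: ("KRB5KDC_ERR_WRONG_REALM", "Realm not local to KDC"),
    -1765328360: ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    -1765328378: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
}

TGT_ERR = re.compile(r"failed to get krb5 tgt ticket with error (-?\d+)")
# The firewall log spells the key "accout" (sic); match it as written.
CONTEXT = re.compile(r"krb5: accout=([^,]+), domain=([^,]+),principal=([^,]+),")

# Constructed sample, copied from the log lines quoted in this article.
SAMPLE_LOG = [
    "+1000 Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:2063): "
    "failed to get krb5 tgt ticket with error -1765328316.",
    "+1000 Error: pan_user_id_krb5_init_ticket(pan_user_id_win.c:2068): krb5: "
    "accout=svcMHG2FW01Vuid, domain=TEST.PALOALTONETWORKS.COM.AU,"
    "principal=svcMHG2FW01Vuid@TEST.PALOALTONETWORKS.COM.AU,cached file=/opt/x",
]


def check_domain_dns_name(value):
    """Findings for the 'Domain's DNS Name' field; an IP there is the cause this article fixes."""
    findings = []
    try:
        ipaddress.ip_address(value)
        findings.append("field holds an IP address; enter the DNS name (FQDN) instead")
        return findings
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    if "." not in value:
        findings.append("value is not fully qualified; use the domain's DNS name")
    return findings


def triage_userid_log(lines):
    """Decode the krb5 error number and the account/realm context from userid.log lines."""
    result = {"code": None, "name": None, "meaning": None}
    for line in lines:
        m = TGT_ERR.search(line)
        if m:
            code = int(m.group(1))
            name, meaning = KRB5_ERRORS.get(code, ("UNKNOWN", "code not in local table"))
            result.update(code=code, name=name, meaning=meaning)
        m = CONTEXT.search(line)
        if m:
            result.update(account=m.group(1), domain=m.group(2), principal=m.group(3))
    return result
```

Run `triage_userid_log(SAMPLE_LOG)` to see the decoded error; a `KRB5KDC_ERR_WRONG_REALM` result together with a non-empty `check_domain_dns_name(...)` finding points at the misconfiguration described in the Cause section.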
