Autonomous Digital Experience Management (ADEM) agent isn't connecting with error "Error occurred getting subtenant-id"
Created On 08/02/24 03:57 AM - Last Modified 12/05/25 21:13 PM
Symptom
- Autonomous Digital Experience Management (ADEM) is configured correctly and enabled on the GlobalProtect side, but no experience data is available in Strata Cloud Manager.
- The agent log "palo_alto_networks_dem_update_service.log" shows the following errors:
    [date-time INFO] Start updating agent.
    [date-time WARN] No subtenant-id found...
    [date-time EROR] Error occurred getting subtenant-id. System.Security.Cryptography.CryptographicException: Cryptography_InvalidPadding at Internal.Cryptography.UniversalCryptoDecryptor.GetPaddingLength(ReadOnlySpan`1 )
    - - - -
    [date-time EROR] Error occurred getting subtenant-id.
- This issue is applicable only to Windows.
- The GlobalProtect log file bundle will not contain the palo_alto_networks_dem_agent.log and palo_alto_networks_dem_service.log files. (These missing log files indicate that DEM has not been able to start its services.)
Environment
- Prisma Access for Mobile users
- Autonomous Digital Experience Management (ADEM)
- Agent version 5.3 or below
- Windows only
Cause
- The ADEM agent starts an update process and needs to calculate the Prisma Access tenant ID to connect to the Prisma Access backend and download the configuration.
- As part of this process, the agent uses the WMIC Windows utility to fetch the device serial number.
- If WMIC is not enabled or allowed on the Windows system, or if the BIOS serial number is null (not set), the tenant ID calculation fails and the logs show the error provided above.
- This will cause the agent not to connect.
Resolution
- Allow WMIC to run to fix this issue. Work with your local IT team to do so.
- If there are concerns about allowing WMIC for all processes, allow it only for the DEMUpdateService.exe process.
- Prisma Access will release a new version of the ADEM agent which will use an alternate approach and remove the wmic dependency.
- Ensure that the serial number is set in the BIOS.
Additional Information
To confirm you are running into this issue, run the following command in Windows PowerShell (without admin privileges); it will fail.
wmic bios get serialnumber
Result when "wmic" is unavailable.
Result when the serial number has not been set in the BIOS but wmic is available.
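The manual check above can be scripted so that it separates the two causes and, optionally, looks for the error signatures in the update log. This is an added example, not Palo Alto Networks code; the function names and the -UpdateLog parameter are hypothetical, and the log file location must be supplied by the caller.

```powershell
# Added diagnostic example; not part of the ADEM agent or the original article.
param(
    # Optional path to palo_alto_networks_dem_update_service.log (supplied by the caller).
    [string]$UpdateLog
)

function Get-WmicSerialState {
    # Returns 'WmicUnavailable', 'SerialEmpty' or 'SerialPresent'.
    $wmic = Get-Command -Name 'wmic.exe' -CommandType Application -ErrorAction SilentlyContinue
    if (-not $wmic) { return 'WmicUnavailable' }
    try {
        $raw = & $wmic.Source bios get serialnumber 2>$null
    } catch {
        # The binary exists but could not be started (for example, blocked by policy).
        return 'WmicUnavailable'
    }
    if ($LASTEXITCODE -ne 0) { return 'WmicUnavailable' }
    # Output is a 'SerialNumber' header followed by the value; drop blanks and the header.
    $values = @($raw | ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -and $_ -ne 'SerialNumber' })
    if ($values.Count -eq 0) { return 'SerialEmpty' }
    return 'SerialPresent'
}

function Test-SubtenantError {
    param([string]$Path)
    # Signatures quoted in the Symptom section of this article.
    $patterns = 'Error occurred getting subtenant-id', 'Cryptography_InvalidPadding'
    return [bool](Select-String -Path $Path -Pattern $patterns -SimpleMatch -Quiet)
}

switch (Get-WmicSerialState) {
    'WmicUnavailable' { Write-Output 'wmic cannot be run in this session: matches the cause above.' }
    'SerialEmpty'     { Write-Output 'wmic runs but the BIOS serial number is empty: matches the cause above.' }
    'SerialPresent'   { Write-Output 'wmic returns a serial number in this session.' }
}
if ($UpdateLog -and (Test-Path -LiteralPath $UpdateLog)) {
    if (Test-SubtenantError -Path $UpdateLog) {
        Write-Output 'Update log contains the subtenant-id error.'
    } else {
        Write-Output 'Update log does not contain the subtenant-id error.'
    }
}
```

The script tests wmic as the logged-in user, so a restriction that applies only to DEMUpdateService.exe will not show up in its result.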