How to configure Windows User-ID Agent registry settings for legacy compatibility

Created On 11/06/25 19:30 PM - Last Modified 01/23/26 20:24 PM


Objective


  • By default, User-ID Agent version 11.1.1 uses the winevt API library to connect and read event logs from Domain Controllers.
  • This is a change from older versions which used legacy Windows Event Logging APIs.
  • This article describes the procedure for reverting to the legacy behavior.


Environment


  • Windows based User-ID Agent
  • Version 11.1.1 or newer.


Procedure


Two new registry keys were introduced in User-ID Agent 11.1.1: “LegacyEventLog” and “KerberosPreferred”.

 

LegacyEventLog

  • This registry key controls which Windows event log APIs the User-ID Agent uses to read Domain Controller security logs.
  • Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config

Values:

  • 0 (default): use the newer winevt API library
  • 1: revert to legacy API library

Steps to revert to legacy API library:

  1. Exit the User-ID Agent application.
  2. Open the Services application and stop the User-ID Agent service.
  3. Open Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config\
  4. Right-click “LegacyEventLog” and select “Modify…”.
  5. Set the value to 1.

KerberosPreferred

  • This registry key controls how the User-ID Agent connects to Domain Controllers.
  • Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config

Values:

  • 0 (default): use Kerberos with a fallback to NTLM authentication
  • 1: use Kerberos authentication

Note: If you enable the KerberosPreferred key, disable the LegacyEventLog key by setting it to 0.

 

Steps to enforce Kerberos authentication:

  1. Exit the User-ID Agent application.
  2. Open the Services application and stop the User-ID Agent service.
  3. Open Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config
  4. Right-click “KerberosPreferred” and select “Modify…”.
  5. Set the value to 1.
  6. Start the User-ID Agent.
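
Both procedures above can also be scripted and checked from PowerShell. The following is an added example, not Palo Alto Networks code: it applies either change, enforces the note that KerberosPreferred = 1 requires LegacyEventLog = 0, and reports the resulting state. Assumptions: the service display name pattern, the Mode parameter and the function names are hypothetical, and both registry values already exist (the script keeps their existing value type because the article does not state it).

```powershell
# Added example, not vendor code. Run elevated, after exiting the User-ID Agent application.
param(
    [ValidateSet('Audit', 'Legacy', 'KerberosOnly')]
    [string]$Mode = 'Audit',
    # Assumption: the service display name contains "User-ID Agent"; confirm in Services.
    [string]$ServiceDisplayName = '*User-ID Agent*'
)
$ErrorActionPreference = 'Stop'
$ConfigKey = 'HKLM:\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config'

function Get-AgentSetting([string]$Name) {
    # A missing value is reported as 0, the default given in the article.
    $key = Get-Item -Path $ConfigKey
    if ($key.GetValueNames() -notcontains $Name) { return 0 }
    return [int]$key.GetValue($Name)
}

function Set-AgentSetting([string]$Name, [int]$Value) {
    $key = Get-Item -Path $ConfigKey
    if ($key.GetValueNames() -notcontains $Name) {
        throw "$Name not found under $ConfigKey; is the agent 11.1.1 or newer?"
    }
    # The article does not state the value type, so keep the type that is already there.
    Set-ItemProperty -Path $ConfigKey -Name $Name -Value $Value -Type $key.GetValueKind($Name)
}

if ($Mode -ne 'Audit') {
    $service = Get-Service -DisplayName $ServiceDisplayName
    if (-not $service) { throw "No service matches '$ServiceDisplayName'." }
    $service | Stop-Service
    if ($Mode -eq 'Legacy') {
        Set-AgentSetting 'LegacyEventLog' 1
    } else {
        # Per the article's note: KerberosPreferred = 1 requires LegacyEventLog = 0.
        Set-AgentSetting 'LegacyEventLog' 0
        Set-AgentSetting 'KerberosPreferred' 1
    }
    $service | Start-Service
}

# Report the effective configuration; Conflict flags the combination the note rules out.
$legacy = Get-AgentSetting 'LegacyEventLog'
$kerberos = Get-AgentSetting 'KerberosPreferred'
[pscustomobject]@{
    LegacyEventLog    = $legacy
    KerberosPreferred = $kerberos
    EventLogApi       = if ($legacy -eq 1) { 'legacy' } else { 'winevt' }
    Authentication    = if ($kerberos -eq 1) { 'Kerberos' } else { 'Kerberos, NTLM fallback' }
    Conflict          = ($kerberos -eq 1 -and $legacy -eq 1)
}
```

Run with no arguments, the script only audits: a row with Authentication showing NTLM fallback or Conflict set to True identifies an agent host whose settings need review.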


