How to configure Windows User-ID Agent registry settings for legacy compatibility

Created On 11/06/25 19:30 PM - Last Modified 11/06/25 19:41 PM


Objective


By default, User-ID Agent version 11.1.1 uses the winevt API library to connect to Domain Controllers and read their event logs. This is a change from older versions, which used the legacy Windows Event Logging APIs.

This article describes the procedure for reverting to the legacy behavior.

 



Environment


Windows-based User-ID Agent version 11.1.1 or newer.



Procedure


Two new registry keys were introduced in User-ID Agent 11.1.1: “LegacyEventLog” and “KerberosPreferred”.

LegacyEventLog

This registry key controls which Windows event log APIs the User-ID Agent uses to read Domain Controller security logs.

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config

Values:

  • 0 (default): use the newer winevt API library

  • 1: revert to legacy API library

 

Steps to revert to legacy API library:

  1. Exit the User-ID Agent application
  2. Open the Services application and stop the User-ID Agent service.
  3. Open Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config\
  4. Right-click “LegacyEventLog” and select “Modify…”.
  5. Set the value to 1.

 

KerberosPreferred

 

This registry key controls how the User-ID Agent connects to Domain Controllers.

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config

Values:

  • 0 (default): use Kerberos with a fallback to NTLM authentication

  • 1: use Kerberos authentication

 

Steps to enforce Kerberos authentication:

  1. Exit the User-ID Agent application
  2. Open the Services application and stop the User-ID Agent service.
  3. Open Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config
  4. Right-click “KerberosPreferred” and select “Modify…”
  5. Set the value to 1
  6. Start the User-ID Agent.
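
The two procedures above can be scripted so the change is applied the same way on every agent host. The following PowerShell is an added example, not Palo Alto Networks code; the parameter names and the service display-name match ("User-ID Agent*") are assumptions, and it only modifies a value that already exists.

```powershell
# Added example (not Palo Alto Networks code): scripted form of the manual steps.
# Close the User-ID Agent application first (step 1), then run elevated.
# Usage (hypothetical file name): .\Set-UserIdAgentValue.ps1 -Name LegacyEventLog -Value 1
#Requires -RunAsAdministrator
param(
    [ValidateSet('LegacyEventLog', 'KerberosPreferred')]
    [string]$Name = 'KerberosPreferred',
    [ValidateRange(0, 1)]
    [int]$Value = 1
)
$ErrorActionPreference = 'Stop'
$ConfigKey = 'HKLM:\SOFTWARE\Wow6432Node\Palo Alto Networks\User-ID Agent\Config'

# Assumption: the service's display name begins with "User-ID Agent", the name
# the article uses in the Services application. Adjust if yours differs.
$svc = @(Get-Service -DisplayName 'User-ID Agent*')
if ($svc.Count -ne 1) { throw "Expected one User-ID Agent service, found $($svc.Count)." }
$svc = $svc[0]

# The article modifies an existing value, so refuse to create one that is
# missing (for example on an agent older than 11.1.1).
$key = Get-Item -LiteralPath $ConfigKey
if ($Name -notin $key.GetValueNames()) { throw "$Name not found under $ConfigKey." }
$before = $key.GetValue($Name)
$kind   = $key.GetValueKind($Name)   # keep the value's existing registry type

$wasRunning = $svc.Status -eq 'Running'
if ($wasRunning) { Stop-Service -InputObject $svc }
try {
    Set-ItemProperty -LiteralPath $ConfigKey -Name $Name -Value $Value -Type $kind
}
finally {
    # Restart even if the write failed, so the agent is not left stopped.
    if ($wasRunning) { Start-Service -InputObject $svc }
}

# Report the change so it can be recorded alongside the change request.
$svc.Refresh()
[pscustomobject]@{
    Name    = $Name
    Before  = $before
    After   = (Get-ItemPropertyValue -LiteralPath $ConfigKey -Name $Name)
    Kind    = $kind
    Service = $svc.Status
}
```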

 


