How to resolve NTLM session error (Access is denied) after failing Kerberos authentication for User-ID Agent monitoring

How to resolve NTLM session error (Access is denied) after failing Kerberos authentication for User-ID Agent monitoring

482
Created On 01/14/26 18:13 PM - Last Modified 04/17/26 21:31 PM


Symptom


  • Session Error (Access is Denied)
  • No logs under the Security Event Viewer on the destination Domain Controller
  • Using IP in the Name field on Service Setup, while using the name in Server Address

Environment


  • Windows User-ID Agent 11.1
  • Windows Server 2022 (User-ID agent)
  • Windows Server 2025 (Domain Controller)
  • Disabled NTLM authentication

Cause


  • For Kerberos authentication to be used, the Domain Controller's name must be specified instead of its IP address.
  • The usage of IP in connection will cause to use NTLM instead of Kerberos

Resolution


Use the Domain Controller (DC) name in both the Name (required) and Server Address field in Windows User-ID Agent Service Setup.

Additional Information


  • NTLM authentication disabled on Domain Controller:

 

  • Confirmation of access denied from wevtutil. Same account/password, but the connection is name vs IP:

  • Successful NTLM login (you will not see any NTLM messages if it is not allowed):

 

  • Successful Kerberos login:

 

  • Successful vs failed connection depending on Name and Server Address:

  • Successful connection Setup:

 

Disabling NTLM on the Domain Controller triggers connection issues with windows based User-ID agent (Connection status: The RPC server is unavailable)

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000oM0dKAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail