User ID credential phishing service does not work on Full Domain controller

User ID credential phishing service does not work on Full Domain controller

9367
Created On 03/05/19 17:34 PM - Last Modified 03/13/21 03:35 AM


Symptom


User ID credential service does not work on Full Domain controller

Environment


  • PAN-OS 8.0 and above.
  • Palo Alto Firewall.
  • Windows Server 2012 R2 / Windows Server 2016 or 2019.

Cause


  • User ID credential service add-on is not able to read the data from the cache of Full Domain Controller.
  • The data is not stored in Full DC (Domain controller)  compared to the RODC ( Read-only Domain controller) where the details are pulled from the cache.

Resolution


For the User ID credential phishing agent to work correctly it has to be installed on Read-Only Domain controller.
 

Additional Information


Configure Credential Detection with the Windows User-ID Agent

Note: Error messages can be seen in the User-ID agent folder of the Domain Controller.  Check the log "UaCredDebug", to see the message "Error: Unable to extract credentials"
 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000boGs&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcsArticleDetail

Choose Language