User ID credential phishing service does not work on Full Domain controller
Created On 03/05/19 17:34 PM - Last Modified 03/13/21 03:35 AM
User ID credential service does not work on Full Domain controller
- PAN-OS 8.0 and above.
- Palo Alto Firewall.
- Windows Server 2012 R2 / Windows Server 2016 or 2019.
- User ID credential service add-on is not able to read the data from the cache of Full Domain Controller.
- The data is not stored in Full DC (Domain controller) compared to the RODC ( Read-only Domain controller) where the details are pulled from the cache.
For the User ID credential phishing agent to work correctly it has to be installed on Read-Only Domain controller.
Configure Credential Detection with the Windows User-ID Agent
Note: Error messages can be seen in the User-ID agent folder of the Domain Controller. Check the log "UaCredDebug", to see the message "Error: Unable to extract credentials"