User ID credential phishing service does not work on Full Domain controller

Created On 03/05/19 17:34 PM - Last Modified 03/13/21 03:35 AM


Symptom
The User-ID credential service does not work on a full domain controller.

Environment
  • PAN-OS 8.0 and above.
  • Palo Alto Firewall.
  • Windows Server 2012 R2 / Windows Server 2016 or 2019.


Cause
  • The User-ID credential service add-on is not able to read the data from the cache of a full domain controller.
  • The data is not stored on a full DC (domain controller), unlike on an RODC (read-only domain controller), where the details are pulled from the cache.


Resolution
For the User-ID credential phishing agent to work correctly, it has to be installed on a read-only domain controller.
 


Additional Information
Configure Credential Detection with the Windows User-ID Agent

Note: Error messages can be seen in the User-ID agent folder on the domain controller. Check the log "UaCredDebug" for the message "Error: Unable to extract credentials".
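
A quick check to run on the server that hosts the agent, as an added example (not Palo Alto Networks' code): it reports whether the local domain controller is read-only and counts occurrences of the error message from the note above in the UaCredDebug log. The agent folder path is a placeholder, matching the log by its name prefix is an assumption, and the script relies on the ActiveDirectory PowerShell module.

```powershell
# Added example: pre-flight check for the User-ID credential service host.
# Assumption: $AgentFolder is the User-ID agent install folder on this server.
# The default below is a placeholder; pass the real path with -AgentFolder.
param(
    [string]$AgentFolder = 'C:\PLACEHOLDER\User-ID-Agent-Folder'
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-CredentialServiceHost {
    param([string]$Folder)

    # Throws if this server is not a domain controller at all.
    # IsReadOnly is $true only on an RODC.
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction Stop

    # The article names the log "UaCredDebug" without an extension,
    # so match by prefix (assumption).
    $logs = @(Get-ChildItem -Path $Folder -Filter 'UaCredDebug*' -File -ErrorAction SilentlyContinue)
    $hits = @()
    if ($logs.Count -gt 0) {
        $hits = @($logs | Select-String -Pattern 'Error: Unable to extract credentials' -SimpleMatch)
    }

    $verdict = if (-not $dc.IsReadOnly) {
        'Full DC: install the credential service on an RODC instead'
    } elseif ($hits.Count -gt 0) {
        'RODC, but extraction errors are present in the log'
    } else {
        'RODC, no extraction errors found'
    }

    [pscustomobject]@{
        Host          = $dc.HostName
        IsReadOnlyDC  = $dc.IsReadOnly
        LogFilesFound = $logs.Count
        ExtractErrors = $hits.Count
        LastErrorLine = if ($hits.Count -gt 0) { $hits[-1].Line } else { $null }
        Verdict       = $verdict
    }
}

Test-CredentialServiceHost -Folder $AgentFolder | Format-List
```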
 

