Thursday, February 9, 2017

Palo Alto NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

Being able to transparently tie in a particular user to traffic passing through your firewall is a great feature (and fairly common in the current gen of firewalls) - provided you set it up right.

I followed the instructions at
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Agentless-User-ID/ta-p/62122
and set up the dedicated ldap user on my Windows 2012 R2 domain and assigned it to Distributed COM users, Server Operators, and Event Log readers.  Then I set up the WMI permissions and started seeing the Access Denied next to my discovered domain controllers.  I then SSH'd into the Palo to check the mp-log and useridd.log and ran into the NT_STATUS_ACCESS_DENIED error. After some troubleshooting I realized what I'd messed up - I misread the instructions for the WMI edit.  I had drilled down to 'Security' when the instructions had intended for me to stop at CIMv2 prior to editing the properties.

After fixing my mistake, the access denied message went away.

No comments: