PAN User-ID with WinRM and Minimal AD Privileges
Step-by-step guide to configuring a secure, least-privilege AD account for Palo Alto User-ID using WinRM over HTTP (tested with PAN-OS 11.1.6-h3 and Windows Server 2022)
This procedure describes how to configure a dedicated, minimum-privilege AD user account to be used by a Palo Alto firewall for User-ID mapping using WinRM over HTTP.
Goal
Enable the firewall to monitor user logon events on a domain controller (DC) using a least-privileged service account and WinRM without requiring domain admin rights.
1. Create a Service Account
- Create a user account in AD (e.g., svc-pan-userid)
- Set: Password never expires (PAN-OS stores a static password, so rotation is a manual or vault-driven step; see Optional Security Hardening below)
- No admin or elevated roles, and no membership in any Operators group
- Leave the account in Domain Users only (its default primary group); no other domain-level group membership is required
2. Add the Account to These Built-in Groups on the DCs
| Group | Purpose |
|---|---|
| Event Log Readers | Read Security log (required for login event mapping) |
| Remote Management Users | Allow WinRM session access |
| Performance Monitor Users | Grants WMI namespace access (root\cimv2) |
🛠Tip: A domain controller has no separate local SAM; these three groups are the domain's Builtin groups (ADUC > Builtin container), shared by every DC. One membership change (ADUC or Add-ADGroupMember) therefore applies to all DCs, with no per-DC script or GPO needed.
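The following PowerShell script is an added example and not part of the original guide: it provisions the service account described in steps 1 and 2 and then checks that it holds no admin-level group. It assumes the RSAT ActiveDirectory module, a Domain Admin session, and the guide's hypothetical domain corp.hr and account name svc-pan-userid.

```powershell
# Added example (not from the original guide): create the least-privilege User-ID account
# and add it to the three Builtin groups. Assumes corp.hr / svc-pan-userid (hypothetical).
Import-Module ActiveDirectory

$sam    = 'svc-pan-userid'
$domain = 'corp.hr'
$groups = 'Event Log Readers', 'Remote Management Users', 'Performance Monitor Users'

# 1. Plain domain user: enabled, no admin roles, password never expires (rotate via a vault).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$domain" `
        -AccountPassword (Read-Host -AsSecureString -Prompt "Password for $sam") `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Palo Alto User-ID server monitoring (WinRM-HTTP, least privilege)'
}
$user = Get-ADUser -Identity $sam

# 2. On DCs the "local" groups are the domain's Builtin groups, so one change covers every DC.
foreach ($g in $groups) {
    $memberSids = Get-ADGroupMember -Identity $g | ForEach-Object { $_.SID.Value }
    if ($user.SID.Value -notin $memberSids) {
        Add-ADGroupMember -Identity $g -Members $user
        "Added $sam to $g"
    } else {
        "$sam already in $g"
    }
}

# 3. Least-privilege check (direct memberships): warn if any admin-level group slipped in.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$effective = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
"Group membership of ${sam}: $($effective -join ', ')"
$bad = $effective | Where-Object { $_ -in $adminGroups }
if ($bad) { Write-Warning "Remove $sam from: $($bad -join ', ')" }
```

The expected result is Domain Users plus exactly the three groups from the table above. Get-ADPrincipalGroupMembership reports direct memberships only, which is sufficient for a freshly created account; for an older account also review nested group membership.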
3. Grant WMI Namespace Permissions (Automatically Done by Group)
On the tested build, membership in Performance Monitor Users is sufficient for the WMI namespace access the firewall needs:
- Namespace: root\cimv2
- Permissions: ✅ Enable Account, ✅ Remote Enable
Manual configuration via wmimgmt.msc is only needed if the namespace ACL on your DCs has been customized. If the firewall later reports an access error against WMI, inspect the root\cimv2 security descriptor for those two permissions before changing group memberships.
4. Configure WinRM on the DC
Run on each DC. `winrm quickconfig` creates the HTTP listener on TCP 5985 and enables the matching firewall exception; `Test-WsMan` confirms the listener answers locally:

```powershell
winrm quickconfig
Test-WsMan localhost
```

If the inbound rule for WinRM over HTTP (TCP 5985) was previously disabled, enable it (the rule name matches both the Domain and Public profile rules):

```
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes
```

Ensure the WinRM service starts automatically and is running:

```powershell
Set-Service winrm -StartupType Automatic
Start-Service winrm
```
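Before touching the firewall configuration, it is worth proving from an admin workstation that the service account can do exactly what PAN-OS will do over WinRM-HTTP: authenticate with Kerberos, read the Security log, and query root\cimv2. The script below is an added example, not part of the original guide; it assumes the hypothetical names dc.corp.hr and svc-pan-userid@corp.hr, the RSAT tools on the workstation, and that the namespace ACL check (last step) runs with your own admin credentials.

```powershell
# Added example (not from the original guide): pre-flight test of the three permissions
# the firewall relies on. Assumes dc.corp.hr / svc-pan-userid@corp.hr (hypothetical names).
$dc   = 'dc.corp.hr'   # use the FQDN: Kerberos needs the HTTP/dc.corp.hr SPN to match
$cred = Get-Credential -UserName 'svc-pan-userid@corp.hr' -Message 'User-ID service account'

# 1. WinRM listener reachable and Kerberos accepted (Remote Management Users)
Test-WSMan -ComputerName $dc -Authentication Kerberos -Credential $cred |
    Select-Object ProductVendor, ProductVersion

# 2. Security log readable by the non-admin account (Event Log Readers): newest 4624 logon
Invoke-Command -ComputerName $dc -Credential $cred -Authentication Kerberos -ScriptBlock {
    Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624]]' -MaxEvents 1 |
        Select-Object TimeCreated, Id, MachineName
}

# 3. root\cimv2 reachable over WS-Man as the service account (Performance Monitor Users).
#    This exercises Enable Account + Remote Enable on the namespace, as the firewall does.
$cim = New-CimSession -ComputerName $dc -Credential $cred -Authentication Kerberos `
                      -SessionOption (New-CimSessionOption -Protocol Wsman)
Get-CimInstance -CimSession $cim -Namespace 'root\cimv2' -ClassName Win32_OperatingSystem |
    Select-Object CSName, LastBootUpTime
Remove-CimSession $cim

# 4. If step 3 fails, decode the namespace DACL (runs with your admin credentials).
#    WBEM access mask bits: 0x1 = Enable Account, 0x20 = Remote Enable.
$sd = (Invoke-CimMethod -ComputerName $dc -Namespace 'root\cimv2' `
        -ClassName '__SystemSecurity' -MethodName 'GetSecurityDescriptor').Descriptor
$sd.DACL | ForEach-Object {
    [pscustomobject]@{
        Trustee       = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
        Type          = if ($_.AceType -eq 0) { 'Allow' } else { 'Deny' }
        EnableAccount = [bool]($_.AccessMask -band 0x1)
        RemoteEnable  = [bool]($_.AccessMask -band 0x20)
    }
} | Format-Table -AutoSize
```

Steps 1 to 3 each map to one group from the table in step 2, so a failure tells you which membership (or which WinRM setting) is missing before the firewall ever logs an error. Step 4 is the programmatic equivalent of opening wmimgmt.msc and checking the root\cimv2 security tab.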
5. Configure Server Monitoring in PAN-OS
- Go to: Device > User Identification > User Mapping > Server Monitoring
- Add or edit the entry for your DC (e.g., dc.corp.hr). Enter the DC's FQDN rather than an IP address: the firewall obtains a Kerberos ticket for the HTTP service on that name, and an IP or short name will not match the DC's SPN
- Set:
  - Authentication Type: WinRM-HTTP
  - Username: svc-pan-userid@corp.hr
  - Password: (enter your service account password)
  - Domain: corp.hr (the Kerberos realm). With the HTTP transport, Kerberos supplies the authentication and the encryption of the WS-Man payload, so the traffic is not plaintext even without TLS; WinRM-HTTPS remains the option if you require certificate-based transport security
- Click OK and Commit changes
6. Restart Monitoring and Verify
On the PAN CLI:

```
debug user-id reset server-monitor-dc
show user server-monitor statistics
tail follow yes mp-log useridd.log
```
Log Output Should Show:
- Kerberos authentication success (if used)
- WMI/WinRM connection success
- New user logon events being parsed
Optional Security Hardening
- Deny interactive logon for the service account via GPO on the DCs (user rights "Deny log on locally" and "Deny log on through Remote Desktop Services"); WinRM access does not depend on either right
- Rotate the password using a vault or a manual schedule, re-entering it in Server Monitoring at each rotation
- Restrict the account's scope with custom GPOs or account settings, e.g. "Deny log on as a batch job" and "Deny log on as a service", and limit the account's Log On To list to the DCs
Troubleshooting Notes
| Error Message | Likely Cause | Solution |
|---|---|---|
| HTTP 500 Access Denied | WinRM connection OK, but WMI blocked | Add to Performance Monitor Users group |
| Access is denied (useridd.log) | Missing Event Log access | Add to Event Log Readers group |
| Connection failed, Kerberos error | Clock skew, bad credentials, or the DC entered by IP/short name so no SPN matches | Check NTP on firewall and DCs, verify the password and the user@realm format, and use the DC's FQDN in Server Monitoring |
| Still using old credentials | Config not fully updated | Re-edit Server Monitoring, re-enter credentials |