Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent

1. Create the User-ID service account in the Windows Active Directory (AD) server that is being used by the authentication server.
   Be sure that the user you create is part of the following groups:

   • Distributed COM Users
   • Event Log Readers
   • Server Operators

   We recommend only making these group associations. You do not have to configure Domain Admin or Enterprise Admin privileges for the User-ID service account to work correctly. Giving privileges to the account that aren’t required can give your network a larger attack surface.
2. Configure Windows Management Instrumentation (WMI) on the AD server.
   The device uses WMI Authentication and you must modify the CIMV2 security properties on the AD server that connects to the device.
   1. Open a command prompt window and run the wmimgmt.msc command.
   2. In the WMI Control pane, right-click WMI Control, choose Properties, and select the Security tab.

3. Make the following changes in the CIMV2 folder:
   1. Select the CIMV2 folder.
   2. Click Security.
   3. Click Add
   4. Select the service account you created in Step 1.
      This example uses the UserID user with the email of userid@example.com.
   5. Check Allow for the Enable Account and Remote Enable for the account you created.
   6. Click Apply.
   7. Click OK.

4. In Panorama, select DeviceUser IdentificationUser Mapping and click the gear icon to edit the settings.
   Be sure that you have selected the Remote_Network_Template at the top of the page.

5. Configure the Windows Remote Management (WinRM) protocol to monitor your Active Directory server.
   See the WinRM documentation in the PAN-OS Administrator’s Guide for details.