https://live.paloaltonetworks.com/t5/prisma-access-discussions/upgrade-to-pan-os-10-0/m-p/476851#M323 <P>Hi,</P><P>&nbsp;</P><P>I've been on hold for nearly 3hrs trying to get through to TAC after raising my L2 ticket online, the automated message told me I should try the live community <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>&nbsp;</P><P>Since upgrading to&nbsp;10.0 (aiming to get to 10.1.4) admins aren't able to login to Panorama to manage prisma access.</P><P>&nbsp;</P><P>Log shows:</P><P>&nbsp;</P><P><SPAN>Authorization failed for user jblogs@domain.com via Web from 10.3X.XX.XX : Invalid configuration. <STRONG>No ado/role found</STRONG> jbloggs@domain.com </SPAN><BR /><SPAN>03/30 02:35:19</SPAN><BR /><BR /><SPAN>SAML SSO authenticated for user 'xxx@domain.com . auth profile 'Okta-MGMT-Profile', vsys 'shared', server profile 'Okta-management-SAML', IdP entityID '<A href="http://www.okta.com/XXXXXXXX" target="_blank">http://www.okta.com/XXXXXXXX</A>', From:10.3X.XX.XX</SPAN><BR /><SPAN>03/30 02:35:19</SPAN><BR /><BR /><SPAN>The users&nbsp;have &nbsp;dynamic "super user" role assigned. I'm not sure what "ado" means in the above log but it seems like SAML is authenticating successfully. Any help appreciated.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Mar 2022 11:25:51 GMT jbusby 2022-03-30T11:25:51Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/upgrade-to-pan-os-10-0/m-p/476851#M323 <P>Hi,</P><P>&nbsp;</P><P>I've been on hold for nearly 3hrs trying to get through to TAC after raising my L2 ticket online, the automated message told me I should try the live community <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>&nbsp;</P><P>Since upgrading to&nbsp;10.0 (aiming to get to 10.1.4) admins aren't able to login to Panorama to manage prisma access.</P><P>&nbsp;</P><P>Log shows:</P><P>&nbsp;</P><P><SPAN>Authorization failed for user jblogs@domain.com via Web from 10.3X.XX.XX : Invalid configuration. <STRONG>No ado/role found</STRONG> jbloggs@domain.com </SPAN><BR /><SPAN>03/30 02:35:19</SPAN><BR /><BR /><SPAN>SAML SSO authenticated for user 'xxx@domain.com . auth profile 'Okta-MGMT-Profile', vsys 'shared', server profile 'Okta-management-SAML', IdP entityID '<A href="http://www.okta.com/XXXXXXXX" target="_blank">http://www.okta.com/XXXXXXXX</A>', From:10.3X.XX.XX</SPAN><BR /><SPAN>03/30 02:35:19</SPAN><BR /><BR /><SPAN>The users&nbsp;have &nbsp;dynamic "super user" role assigned. I'm not sure what "ado" means in the above log but it seems like SAML is authenticating successfully. Any help appreciated.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Mar 2022 11:25:51 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/upgrade-to-pan-os-10-0/m-p/476851#M323 jbusby 2022-03-30T11:25:51Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/upgrade-to-pan-os-10-0/m-p/477170#M324 <P>Found the solution:</P><P>&nbsp;</P><P>The upgrade must have removed this parameter that was set by a previous admin:</P><P>&nbsp;</P><P>set auth strict-username-check no</P><P>&nbsp;</P><P>It's actually documented here:&nbsp;</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/upgrade-pan-os/upgradedowngrade-considerations.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/upgrade-pan-os/upgradedowngrade-considerations.html</A></P> Thu, 31 Mar 2022 09:10:27 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/upgrade-to-pan-os-10-0/m-p/477170#M324 jbusby 2022-03-31T09:10:27Z