topic User-ID - LDAP - Different domains at samAccountName and userPrincipalName in General Topics https://live.paloaltonetworks.com/t5/general-topics/user-id-ldap-different-domains-at-samaccountname-and/m-p/463675#M102399 <P>Hello all,</P><P>&nbsp;</P><P>the following problem:</P><P>&nbsp;</P><P>A Sub-AD-Domain in a forest with different domains at samAccountName and userPrincipalName.</P><P>&nbsp;</P><P>samAccountName: domain01\user01<BR />userPrincipalName: user01@domain02.com</P><P>&nbsp;</P><P>Dial-in with Global Protect via SAML with <A href="mailto:user01@domain02.com" target="_blank">user01@domain02.com</A></P><P>&nbsp;</P><P>PA recognizes user as user01@domain02.com. All rules based on User-ID don't work, because PA can't recognize the user (logically) via the existing Group Mapping (User Domain = domain01):</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Treutle_0-1644137123103.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38985iFA8C8C10FE9ED558/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Daniel_Treutle_0-1644137123103.png" alt="Daniel_Treutle_0-1644137123103.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>My idea was to add another Group Mapping which additionally picks up the "domain02.com":</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Treutle_1-1644137168688.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38986i94E372C902E75DA7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Daniel_Treutle_1-1644137168688.png" alt="Daniel_Treutle_1-1644137168688.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>But unfortunately User-ID spins completely after that. Sometimes a user is recognized, sometimes not. Total chaos.</P><P>&nbsp;</P><P>Does anyone know how to solve this?</P> Sun, 06 Feb 2022 08:50:03 GMT Daniel_Treutle 2022-02-06T08:50:03Z User-ID - LDAP - Different domains at samAccountName and userPrincipalName https://live.paloaltonetworks.com/t5/general-topics/user-id-ldap-different-domains-at-samaccountname-and/m-p/463675#M102399 <P>Hello all,</P><P>&nbsp;</P><P>the following problem:</P><P>&nbsp;</P><P>A Sub-AD-Domain in a forest with different domains at samAccountName and userPrincipalName.</P><P>&nbsp;</P><P>samAccountName: domain01\user01<BR />userPrincipalName: user01@domain02.com</P><P>&nbsp;</P><P>Dial-in with Global Protect via SAML with <A href="mailto:user01@domain02.com" target="_blank">user01@domain02.com</A></P><P>&nbsp;</P><P>PA recognizes user as user01@domain02.com. All rules based on User-ID don't work, because PA can't recognize the user (logically) via the existing Group Mapping (User Domain = domain01):</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Treutle_0-1644137123103.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38985iFA8C8C10FE9ED558/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Daniel_Treutle_0-1644137123103.png" alt="Daniel_Treutle_0-1644137123103.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>My idea was to add another Group Mapping which additionally picks up the "domain02.com":</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Treutle_1-1644137168688.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38986i94E372C902E75DA7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Daniel_Treutle_1-1644137168688.png" alt="Daniel_Treutle_1-1644137168688.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>But unfortunately User-ID spins completely after that. Sometimes a user is recognized, sometimes not. Total chaos.</P><P>&nbsp;</P><P>Does anyone know how to solve this?</P> Sun, 06 Feb 2022 08:50:03 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-ldap-different-domains-at-samaccountname-and/m-p/463675#M102399 Daniel_Treutle 2022-02-06T08:50:03Z Re: User-ID - LDAP - Different domains at samAccountName and userPrincipalName https://live.paloaltonetworks.com/t5/general-topics/user-id-ldap-different-domains-at-samaccountname-and/m-p/463822#M102418 <P>try setting your LDAP profile to port&nbsp;<STRONG>3268</STRONG> so you use the global catalog rather than the default ldap, this should help you create multiple group mappings for all your domains</P> Mon, 07 Feb 2022 12:38:36 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-ldap-different-domains-at-samaccountname-and/m-p/463822#M102418 reaper 2022-02-07T12:38:36Z Betreff: User-ID - LDAP - Different domains at samAccountName and userPrincipalName https://live.paloaltonetworks.com/t5/general-topics/user-id-ldap-different-domains-at-samaccountname-and/m-p/464193#M102458 <P>Great! Working. Thank you so much!</P> Tue, 08 Feb 2022 12:55:01 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-ldap-different-domains-at-samaccountname-and/m-p/464193#M102458 Daniel_Treutle 2022-02-08T12:55:01Z