<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cannot log into firewall if authentication profile specifies an AD group instead of AD username in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/cannot-log-into-firewall-if-authentication-profile-specifies-an/m-p/491856#M104968</link>
    <description>&lt;P&gt;So last Thursday we upgraded our PA-5220s from 9.1.10 to 10.1.5-h1 and everything went incredibly well - absolutely no issues during the upgrade. About 15 hours after the upgrade was complete, we suddenly could not log onto the firewalls with our LDAP credentials.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Typically we have an AD group specified in the Authentication profile we use for management access. If we keep that configuration, we cannot log into the firewalls. However, if we add individual AD users to the authentication profile, those users can log in with their LDAP credentials. I know the LDAP server profile is working because it is the same one used to allow GlobalProtect users to authenticate, and that is working absolutely fine, and also uses AD groups.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I checked User-ID group mappings and we have our domain's entire tree selected, so I know the group is available for mappings.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here are some sanitized screenshots of the config:&amp;nbsp;&lt;A href="https://imgur.com/a/6tuXgHu" target="_blank"&gt;https://imgur.com/a/6tuXgHu&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a case open with TAC but our engineer is in a vastly different timezone and hasn't been able to find time on their shift to assist.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 25 May 2022 17:27:17 GMT</pubDate>
    <dc:creator>WinCo</dc:creator>
    <dc:date>2022-05-25T17:27:17Z</dc:date>
    <item>
      <title>Cannot log into firewall if authentication profile specifies an AD group instead of AD username</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/cannot-log-into-firewall-if-authentication-profile-specifies-an/m-p/491856#M104968</link>
      <description>&lt;P&gt;So last Thursday we upgraded our PA-5220s from 9.1.10 to 10.1.5-h1 and everything went incredibly well - absolutely no issues during the upgrade. About 15 hours after the upgrade was complete, we suddenly could not log onto the firewalls with our LDAP credentials.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Typically we have an AD group specified in the Authentication profile we use for management access. If we keep that configuration, we cannot log into the firewalls. However, if we add individual AD users to the authentication profile, those users can log in with their LDAP credentials. I know the LDAP server profile is working because it is the same one used to allow GlobalProtect users to authenticate, and that is working absolutely fine, and also uses AD groups.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I checked User-ID group mappings and we have our domain's entire tree selected, so I know the group is available for mappings.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here are some sanitized screenshots of the config:&amp;nbsp;&lt;A href="https://imgur.com/a/6tuXgHu" target="_blank"&gt;https://imgur.com/a/6tuXgHu&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a case open with TAC but our engineer is in a vastly different timezone and hasn't been able to find time on their shift to assist.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 25 May 2022 17:27:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/cannot-log-into-firewall-if-authentication-profile-specifies-an/m-p/491856#M104968</guid>
      <dc:creator>WinCo</dc:creator>
      <dc:date>2022-05-25T17:27:17Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot log into firewall if authentication profile specifies an AD group instead of AD username</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/cannot-log-into-firewall-if-authentication-profile-specifies-an/m-p/496976#M105116</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44642"&gt;@WinCo&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any information that can help you further in the authd logs or in the LDAP logs?&lt;/P&gt;
&lt;P&gt;I know some default authentication behaviour changed from 9.1 to 10.x about the strict-username-check which might be worth checking:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/upgrade-pan-os/upgradedowngrade-considerations" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/upgrade-pan-os/upgradedowngrade-considerations&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cheers,&lt;/P&gt;
&lt;P&gt;-Kiwi.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Jun 2022 12:35:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/cannot-log-into-firewall-if-authentication-profile-specifies-an/m-p/496976#M105116</guid>
      <dc:creator>kiwi</dc:creator>
      <dc:date>2022-06-01T12:35:40Z</dc:date>
    </item>
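The checks suggested in the reply above (authd logs, LDAP logs, and how the allow list resolves a group) as a PAN-OS CLI sequence. This is an added example, not part of either post and not from Palo Alto Networks. The profile name LDAP-Admins, the domain EXAMPLE, the user jdoe and the group DN cn=fw-admins,ou=groups,dc=example,dc=com are placeholders I have assumed; the commands themselves are standard PAN-OS CLI. Lines beginning with # are annotations, not CLI input.

```text
# Added example: tracing why an allow list that names an AD group rejects a login
# that succeeds when the same user is listed individually.
# Assumed names: profile LDAP-Admins, domain EXAMPLE, user jdoe,
# group cn=fw-admins,ou=groups,dc=example,dc=com.

# 1. Does the firewall currently know the group, and its members, from User-ID group mapping?
#    An allow-list entry that is a group can only match if this lookup lists the user.
admin@PA-5220> show user group-mapping state all
admin@PA-5220> show user group list
admin@PA-5220> show user group name "cn=fw-admins,ou=groups,dc=example,dc=com"

# 2. In what exact form (with or without the domain prefix) does the firewall hold
#    this user, and which groups is that form a member of?
admin@PA-5220> show user user-ids match-user jdoe

# 3. Exercise the profile end to end. The firewall prompts for the password and reports
#    the allow-list check separately from the LDAP bind, so a bind that succeeds while the
#    allow-list check fails points at a username-format mismatch rather than at LDAP.
#    Try both formats, since the allow-list match is made against the name as mapped.
admin@PA-5220> test authentication authentication-profile LDAP-Admins username jdoe password
admin@PA-5220> test authentication authentication-profile LDAP-Admins username "EXAMPLE\jdoe" password

# 4. Watch authd while repeating a management-interface login attempt; the entries show
#    the username string that was evaluated against the allow list.
admin@PA-5220> tail follow yes mp-log authd.log

# 5. Confirm what the allow list actually contains (assumed here under shared; a
#    per-vsys profile sits under vsys vsys1 instead).
admin@PA-5220> configure
admin@PA-5220# show shared authentication-profile LDAP-Admins allow-list
admin@PA-5220# exit
```

Compare the username form in step 2 with the one evaluated in steps 3 and 4: if the group mapping holds EXAMPLE\jdoe while the login is evaluated as jdoe (or the reverse), the individual-user entry matches but the group entry does not, which is the symptom described in the original post, and the strict-username-check change noted in the linked upgrade considerations is then the setting to read up on.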
  </channel>
</rss>

