https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14809#M10878 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>did the support resolve your problem with using Groups with Kerberos authentication ? Can you post the solution ? Thanks !</P></BODY></HTML> Wed, 30 May 2012 12:33:38 GMT BLepenik 2012-05-30T12:33:38Z https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14807#M10876 <HTML><HEAD></HEAD><BODY><P>Running 4.0.5 here.</P><P></P><P>I setup SSL VPN a while ago, and setup an authentication profile to pull from our Active Directory via Kerberos.&nbsp; I have an AD group and I only want the members of that group (or members of groups that are children of that master group) to have VPN access.</P><P></P><P>I only add that single group to the allow list, and nothing else.</P><P></P><P>For some period of time, this was working correctly.&nbsp; I have users that are in that group and could access the VPN, as well as users in sub-groups that could also access it.</P><P></P><P>After some period of time, with zero changes to anything SSL-VPN or authentication related, this has stopped working.&nbsp; I'm now getting a generic "invalid username or password" error, when it was working perfectly in the past.</P><P></P><P>If I edit the authentication profile and remove the group restriction and instead change to "all," everything works again, but I am no longer restricting VPN access as I would like.</P><P></P><P>What's going on here?</P><P></P><P>I have found from searches that group restrictions are not supported with LDAP... but I'm using Kerberos and couldn't find anything about it one way or another.&nbsp; If it is not supposed to work with group restrictions, how the heck was it working for me in the past!?</P></BODY></HTML> Thu, 27 Oct 2011 06:38:12 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14807#M10876 bradenmcg 2011-10-27T06:38:12Z https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14808#M10877 <HTML><HEAD></HEAD><BODY><P>Please could you open a case with the Support team so they may take a closer look. </P></BODY></HTML> Tue, 01 Nov 2011 06:12:32 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14808#M10877 sjamaluddin 2011-11-01T06:12:32Z https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14809#M10878 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>did the support resolve your problem with using Groups with Kerberos authentication ? Can you post the solution ? Thanks !</P></BODY></HTML> Wed, 30 May 2012 12:33:38 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14809#M10878 BLepenik 2012-05-30T12:33:38Z https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14810#M10879 <HTML><HEAD></HEAD><BODY><P>I would be interested in a solution as well. </P></BODY></HTML> Mon, 01 Oct 2012 08:10:30 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-profile-kerberos-group-restrictions-should-work/m-p/14810#M10879 oschuler 2012-10-01T08:10:30Z