UserID/Group mapping

149999mah3 — Tue, 12 Sep 2023 09:07:31 GMT

I have created a LDAP profile, group mapping and user mapping from Panorama, and it seems to be working.

Im able to do "test authentication username xxxxxxx.test@xxxxxxxxx.com authentication-profile xxxxxx-LDAP password and this works fine.

My problem is that panorama doesnt seem to be able to "manage" Palo Alto Networks User ID Agent Setup tab.

That tab is empty on local fw (device->User identification->User Mapping), if i enter anything in this tab, anything at all, i get the error msg bellow. Eventho Panorama has this config. I thought it was a template issue, so i created a test template and added all this config

in the new test template. And put it on top, but no luck. If i try to configure it manually i get the following error msg.

Error: Domain's DNS name is missing in Active Directory Authentication
client useridd phase 1 failure

From mp-log userid.log:

2023-09-12 09:18:26.617 +0200 connects to redis_dscd db1
2023-09-12 09:18:26.716 +0200 dsc adaptor completed rpc call for func ShowUser
2023-09-12 09:18:26.717 +0200 connects to redis_dscd db1
2023-09-12 09:19:12.608 +0200 device cert: NEW: cfg.device-cert-status, event change, invalid field!
2023-09-12 09:19:12.608 +0200 device cert: OLD: cfg.device-cert-status, event change, invalid field!
2023-09-12 09:19:12.608 +0200 device cert: Recevied (change) event for device cert. Update dsc connections.
2023-09-12 09:19:12.609 +0200 Error: pan_dsc_rpc_get_thermite_cert(pan_dsc_adaptor.c:691): [THERMITE] dsc rpc get device cert failed
2023-09-12 09:19:12.609 +0200 dsc adaptor completed rpc call for func UpdateThermiteCert
2023-09-12 09:20:04.302 +0200 phase1 started
2023-09-12 09:20:04.304 +0200 parsing config: config length 186610
2023-09-12 09:20:04.319 +0200 <vsys> tag does not exist
2023-09-12 09:20:04.319 +0200 mgmt internal: client certificate profile commit
2023-09-12 09:20:04.319 +0200 No child nodes present under secure connection server mgmt settings, No updates needed.
2023-09-12 09:20:04.319 +0200 [secure_conn] extract secure_conn userid channel settings SERVER
2023-09-12 09:20:04.319 +0200 [secure_conn] user_id secure comm enabled for SERVER
2023-09-12 09:20:04.319 +0200 No child nodes present under secure connection client mgmt settings, No updates needed.
2023-09-12 09:20:04.319 +0200 [secure_conn] extract secure_conn userid channel settings CLIENT
2023-09-12 09:20:04.319 +0200 [secure_conn] user_id secure comm enabled for CLIENT
2023-09-12 09:20:04.322 +0200 [secure_conn] user_id secure conn cfg SERVER:disabled CLIENT:disabled
2023-09-12 09:20:04.324 +0200 hipreport to icd channel: 1
2023-09-12 09:20:04.326 +0200 no wmi account is configured, no need to probe
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_dir_server_parse_cfg(pan_user_id_collector.c:409): Domain's DNS name is missing in Active Directory Authentication
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_collector_parse_cfg(pan_user_id_collector.c:2217): pan_user_id_dir_server_parse_cfg() failed
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_parse_vsys_config(pan_user_id_cfg.c:818): pan_userid_collector_parse_cfg() failed
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_parse_config_i(pan_user_id_cfg.c:1515): pan_user_id_parse_vsys_config() failed

So im missing domains dns name in active directory authentication. If this is the auth profile, i got the user domain set correct. Does anyone know

where "Domain's DNS name is missing in Active Directory Authentication" is?

Re: UserID/Group mapping

Raido_Rattameister — Tue, 12 Sep 2023 12:48:00 GMT

What Panorama version are you using?

It was a bug in Panorama 10.2.x (at least up to 10.2.3) when UserID info in Panorama template was not pushed down to template stack and as a result not sent to firewall.

Re: UserID/Group mapping

Claw4609 — Tue, 12 Sep 2023 12:51:45 GMT

Are you using the built in user-id agent for this? If you go to device->User identification->User Mapping then click the gear for Palo Alto Networks user-id agent setup, under the "server monitor account" there you'll fill out your account used for authentication as well as the "Domains DNS Name".

If you are not using the built in user-id agent, you can just go to the "server monitor" and "client probing" tabs and make sure everything is unchecked there.

Re: UserID/Group mapping

149999mah3 — Tue, 12 Sep 2023 18:31:13 GMT

We are running 10.2.3 both on Panorama and fw. So thats probably whats wrong. Only thing is that I cant add the config manually on the local fw. Says i need to override the template. And there isnt any gear icon to override... What vers. Panos is this fixed in?

Re: UserID/Group mapping

149999mah3 — Tue, 12 Sep 2023 18:34:07 GMT

Im using built in, but perhaps ill try the agent now that I know of the bug mentioned above.

topic Re: UserID/Group mapping in General Topics

UserID/Group mapping

Re: UserID/Group mapping

Re: UserID/Group mapping

Re: UserID/Group mapping

Re: UserID/Group mapping