topic LDAP Authentication works when testing it via SSH command but fails on web interface in General Topics

LDAP Authentication works when testing it via SSH command but fails on web interface

gabe — Tue, 05 Aug 2025 00:21:05 GMT

When I'm running "test authentication authentication-profile "'LDAP Auth Profile" username myldapUser password" on the ssh cli, it authenticates successfully.

however when i try to log in on the web interface of global protect, i get this on the webui log:

failed authentication for user 'myDomain\myldapUser'. Reason: Invalid username/password. auth profile 'LDAP Auth Profile', vsys 'vsys1', server profile 'myDomain Active Directory', server address 'myLDAP-IP', From: myHomeIP.

(i'm not entirely sure what is vsys1 but i understand it is the default virtual system and it cannot be deleted.)

I'm not sure what I am doing wrong.

In GlobalProtect Portal Configuration / Authentication I set the "LDAP Auth Profile" as first.

"Allow Authentication with User Credentials OR Client Certificate" is set to "OR"

In the authentication profile i set "%USERINPUT%@%USERDOMAIN%" and add myDomain.local above it and in the Advanced tab i added "All".

Please let me know what additional info i need to provide, and/or if what to do to make this work

thanks

Re: LDAP Authentication works when testing it via SSH command but fails on web interface

kiwi — Tue, 05 Aug 2025 08:24:32 GMT

Hi @gabe ,

Username format mismatch is a likely cause of this.

The CLI test uses the exact username you type, but the GlobalProtect portal's web form and its configuration may be reformatting the username before sending it to the LDAP server.

Your portal log shows "myDomain\myldapUser," which is the sAMAccountName format. Your CLI test likely worked with "myldapUser". The LDAP server profile may be configured to expect a different format, such as an email address or a different domain.

In your Authentication Profile, you have "%USERINPUT%@%USERDOMAIN%". This setting is correct for formats like "user@domain.com". However, if your users are accustomed to logging in with "myDomain\myldapUser", you need to explicitly tell the firewall to handle that.

Ensure the Login Attribute is set correctly to match the type of username you are sending.

For example if you're using %USERINPUT%@%USERDOMAIN%, the Login Attribute should be userPrincipalName. If you're using just %USERINPUT% (and your users don't include the domain), it should be sAMAccountName.

Hope this helps,

-Kim.

Re: LDAP Authentication works when testing it via SSH command but fails on web interface

gabe — Tue, 05 Aug 2025 17:45:53 GMT

Thanks.

The solution was to add sAMAccountName for "Login Attribute" and not to use myDomain.local but DC=myDomain,DC=local where it is asking for "User Domain:" which is far from obvious. But I thought it worth a try.

Maybe this will help others.