https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44312#M32525 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>Would you check the attached LDAP config technote to see if you have configure the setting correctly?</P><P></P><P></P><P>Actually I will recommend you to use Kerboros instead of LDAP. If you are using LDAP for SSLVPN and AD for internal network auth, you will have two kinds of user groups- AD group and LDAP group, and so for the same user group you may need to have two groups in the setting. But if you are using Kerboros, you only need to manage one AD user group. You can try it.</P></BODY></HTML> Fri, 02 Sep 2011 14:55:44 GMT jleung 2011-09-02T14:55:44Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44309#M32522 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>I'm trying to configure SSL-VPN with Active Directory authentication.I'm running PANOS 4.0.4, and SSL-Client 1.3.0 and 1.3.1.</P><P>I've configured the following:</P><P>1. An Server Profile with type Active Directoy</P><P>2. An Authentication Profile with LDAP authentication, and using the profile I've created at step 1. Also add a group and some users to the Allow List.</P><P>3. At User Identification I have enabled the LDAP server, sing the profile I've created at step 1.</P><P></P><P>PaloAlto can connect the LDAP server. I can see the groups and users. The CLI command <SPAN lang="EN-US" style="font-size: 9pt; font-family: &amp;quot;Courier New&amp;quot;;">show user ldap-server server all&nbsp; </SPAN>shows that this connection is as supposed to be ...</P><P></P><P>I have also created the tunnel SSL-VPN, and it is working OK if I use local users. When I change this configuration to use the profile with Active Directory users, I can not connect any of the users that are on the Allow List. Allways have the same error: <STRONG>Authentication failed: Invalid username or password</STRONG>.</P><P></P><P>I use DOMAIN\USER as user at the name field of NetConnect.</P><P></P><P>Can anyone help me with this problem?</P><P></P><P>Best regards,</P><P>Nuno Carrilho</P></BODY></HTML> Thu, 01 Sep 2011 14:25:19 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44309#M32522 convex 2011-09-01T14:25:19Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44310#M32523 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You should not need to put the domain in the login name. You can also try to use Kerberos for SSLVPN.</P></BODY></HTML> Thu, 01 Sep 2011 15:30:42 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44310#M32523 jleung 2011-09-01T15:30:42Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44311#M32524 <HTML><HEAD></HEAD><BODY><P>Hi, jleung,</P><P></P><P>I've also tried without the DOMAIN at the beggining. I always have the same error. It just does not work ...</P><P></P><P>Thanks,</P><P>Nuno Carrilho</P></BODY></HTML> Fri, 02 Sep 2011 08:35:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44311#M32524 convex 2011-09-02T08:35:44Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44312#M32525 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>Would you check the attached LDAP config technote to see if you have configure the setting correctly?</P><P></P><P></P><P>Actually I will recommend you to use Kerboros instead of LDAP. If you are using LDAP for SSLVPN and AD for internal network auth, you will have two kinds of user groups- AD group and LDAP group, and so for the same user group you may need to have two groups in the setting. But if you are using Kerboros, you only need to manage one AD user group. You can try it.</P></BODY></HTML> Fri, 02 Sep 2011 14:55:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44312#M32525 jleung 2011-09-02T14:55:44Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44313#M32526 <HTML><HEAD></HEAD><BODY><P>Hi jleung,</P><P></P><P>eDirectory and LDAP authentication in PANOS 3 1.pdf - This was the document I have followed to configure LDAP Authentication.</P><P></P><P>I have opened a case through our Palo Alto dealer, so I'm waiting for an answer from Palo Alto. I have configured alot of other AD/LDAP integrations with other Firewalls (non PaloAlto) and I never had so much trouble integrating it ...</P><P></P><P>Thanks for your help,</P><P>Nuno Carrilho</P></BODY></HTML> Mon, 05 Sep 2011 09:36:59 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44313#M32526 convex 2011-09-05T09:36:59Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44314#M32527 <HTML><HEAD></HEAD><BODY><P>Hi jleung,</P><P></P><P>After long hours trying to understand this issue, finaly I found the solution. It is already working with AD.</P><P></P><P>Thanks for your help,</P><P>NC</P></BODY></HTML> Wed, 07 Sep 2011 16:19:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44314#M32527 convex 2011-09-07T16:19:50Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44315#M32528 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Great to hear that!!! </P></BODY></HTML> Fri, 09 Sep 2011 13:48:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44315#M32528 jleung 2011-09-09T13:48:46Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44316#M32529 <HTML><HEAD></HEAD><BODY><P>Hi convex,</P><P></P><P>We are have the same problem, could you help us with the solution? </P><P></P><P>Best regards,</P></BODY></HTML> Fri, 23 Sep 2011 17:49:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44316#M32529 ocampos 2011-09-23T17:49:02Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44317#M32530 <HTML><HEAD></HEAD><BODY><P>How are users logging in? Are they entering 'Domain\User' when they log in? Can you provide a snippet of the authd logs for the failed login attempts?</P><P></P><P>Regards,</P><P>Renato</P></BODY></HTML> Sun, 25 Sep 2011 10:53:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44317#M32530 gswcowboy 2011-09-25T10:53:20Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44318#M32531 <HTML><HEAD></HEAD><BODY><P>Helll OCAMPOS,</P><P></P><P>The first thing I have done, was to check if the AD tree plus user and password to access the AD Server where correct. You can see that at the Dashboard on the GUI with the message:</P><P>"ldap cfg [name of the ad server] connected xxx.xxx.xxx.xxx:389, initiated by: zzz.zzz.zzz.zzz"</P><P>The above message means that Palo Alto FW can connect to the AD server with the right credencials.</P><P></P><P>Than it camed the real problem, which I find out running the folowing command:</P><P></P><P>admin@PA-500&gt; telnet port 389 host xxx.xxx.xxx.xxx</P><P></P><P>where xxx.xxx.xxx.xxx is the IP address of the AD server.</P><P>Can you post the result?</P><P></P><P>Best regards,</P><P>Nuno Carrilho</P></BODY></HTML> Mon, 26 Sep 2011 08:24:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-with-active-directory-auth/m-p/44318#M32531 convex 2011-09-26T08:24:51Z