https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49604#M36552 <HTML><HEAD></HEAD><BODY><P>That's what I'm looking for.&nbsp; I did test 6.0 (6.1) at one point and I remember that it was forcing me to use the username on the certificate but didn't realize this wasn't the case on version 5. I'm pretty sure it works on Windows so I need to confirm if it also works on non-windows machines. I'm hoping it will because this will be the solution.</P><P></P><P>Thanks so much for your help! </P></BODY></HTML> Tue, 09 Dec 2014 05:52:26 GMT x 2014-12-09T05:52:26Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49599#M36547 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P>Is there a way to make sure that the GP checks that the AD user name matches the certificate common name when using both AD and Cert profiles for authenticating users?</P><P>Thanks,</P></BODY></HTML> Tue, 09 Dec 2014 00:02:59 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49599#M36547 x 2014-12-09T00:02:59Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49600#M36548 <HTML><HEAD></HEAD><BODY><P>Hi x,</P><P></P><P>I think you can, while creating a certificate profile you can provide the username field as (Subject) common name.</P><P></P><P>Hope it helps !</P></BODY></HTML> Tue, 09 Dec 2014 00:05:17 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49600#M36548 bat 2014-12-09T00:05:17Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49601#M36549 <HTML><HEAD></HEAD><BODY><P>Thanks, that is what I have although, on IOS or Android, it doesn't seem to be doing that check. I will confirm.</P></BODY></HTML> Tue, 09 Dec 2014 00:24:32 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49601#M36549 x 2014-12-09T00:24:32Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49602#M36550 <HTML><HEAD></HEAD><BODY><P>So as per TAC, there is no option to do this. They are two independent checks and are not tied together. I was told to submit a feature request. </P></BODY></HTML> Tue, 09 Dec 2014 05:01:11 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49602#M36550 x 2014-12-09T05:01:11Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49603#M36551 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This should be possible in PanOS 6.0 - the following release notes describe a bug fix included in PanOS 6.0.0:</P><P>51091—Two-factor authentication (where both a client certificate profile and an</P><P>authentication profile are configured) was not functioning as expected. The client was</P><P>not required to provide the login credentials associated with the authentication profile</P><P>after successfully authenticating with the client certificate</P><P></P><P>Have you tested with Windows or Mac clients? maybe there is limitation with mobile clients.</P></BODY></HTML> Tue, 09 Dec 2014 05:12:21 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49603#M36551 sspringer 2014-12-09T05:12:21Z https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49604#M36552 <HTML><HEAD></HEAD><BODY><P>That's what I'm looking for.&nbsp; I did test 6.0 (6.1) at one point and I remember that it was forcing me to use the username on the certificate but didn't realize this wasn't the case on version 5. I'm pretty sure it works on Windows so I need to confirm if it also works on non-windows machines. I'm hoping it will because this will be the solution.</P><P></P><P>Thanks so much for your help! </P></BODY></HTML> Tue, 09 Dec 2014 05:52:26 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-a-way-to-tie-the-cert-auth-to-ad-username-for-ad-auth/m-p/49604#M36552 x 2014-12-09T05:52:26Z