https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69219#M40209 <P>Have you added group mapping under user-identification?</P> Tue, 08 Dec 2015 21:22:42 GMT pankaku 2015-12-08T21:22:42Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69213#M40204 <P>Hi guys.</P> <P>&nbsp;</P> <P>I have a problem with a user-id setup in a large multi domain envoirment. User-ID agentd are working fine, but the user did not match against the group mapping. It looks like we have a problem with the domain map. The command debug user-id dump domain-map delivers only a empty result. We setup the group maping against the Global Catalog of the root domain.</P> <P>Does anyone know which attribute Palo Alto Networks read out of the AD for the domain-map? Maybe there is an issue withe the AD.</P> <P>&nbsp;</P> <P>Best regards, Markus</P> Tue, 08 Dec 2015 20:39:33 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69213#M40204 markuskohlmeier 2015-12-08T20:39:33Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69215#M40205 <P>Check these DOC's</P> <P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Group-Mapping-in-a-Multi-Domain-Active/ta-p/60784" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Group-Mapping-in-a-Multi-Domain-Active/ta-=p/60784</A></P> <P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/Correct-Group-and-IP-to-User-Mapping-in-Multi-domain-AD-Forest/ta-p/55505" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/Correct-Group-and-IP-to-User-Mapping-in-Multi-domain-AD-Forest/ta-p/55505</A></P> <P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Group-Mapping-for-Users-in-Multiple-Domains/ta-p/62089" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Group-Mapping-for-Users-in-Multiple-Domains/ta-p/62089</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/IP-to-User-Mappings-Have-Inconsistent-Domain-Prefix/ta-p/59351" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/IP-to-User-Mappings-Have-Inconsistent-Domain-Prefix/ta-p/59351</A></P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 08 Dec 2015 20:50:33 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69215#M40205 pankaku 2015-12-08T20:50:33Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69217#M40207 <P>Hi pakumar.</P> <P>&nbsp;</P> <P>I know all these documents and I configured it as usual (and as described in the documents). But without success. I think my problem is the domain-map, because it should not be empty.</P> <P>&nbsp;</P> <P>Best regards, Markus</P> Tue, 08 Dec 2015 21:04:45 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69217#M40207 markuskohlmeier 2015-12-08T21:04:45Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69219#M40209 <P>Have you added group mapping under user-identification?</P> Tue, 08 Dec 2015 21:22:42 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69219#M40209 pankaku 2015-12-08T21:22:42Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69220#M40210 <P>Yes, of course.</P> Tue, 08 Dec 2015 21:23:43 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69220#M40210 markuskohlmeier 2015-12-08T21:23:43Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69221#M40211 <P>Hi. Just to be clear, I setup user-id, also in large envoirments, several times successful. But this time I have problems with the group mapping respectively the domain-map. So it would be interesting if anyone know which AD attribute or value Palo Alto Network use as domain-map.</P> <P>&nbsp;</P> <P>Thank you and best regards, Markus</P> Tue, 08 Dec 2015 21:29:06 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69221#M40211 markuskohlmeier 2015-12-08T21:29:06Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69222#M40212 <P>Okay try one more think change the domain name to netbios-name and test.</P> Tue, 08 Dec 2015 21:32:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69222#M40212 pankaku 2015-12-08T21:32:09Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69223#M40213 <P>Hi. I tried that allready, without success.</P> Tue, 08 Dec 2015 21:33:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69223#M40213 markuskohlmeier 2015-12-08T21:33:09Z https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69237#M40221 <P>Hi Markus,</P> <P>&nbsp;</P> <P>Can you try this:</P> <P>&nbsp;</P> <P><SPAN>1. Modify&nbsp;the LDAP server profile to use port 636 for the connection to the GC.</SPAN></P> <P><SPAN>2. Create&nbsp;a new group mapping using this LDAP profile.</SPAN></P> <P><SPAN>3. Use one group from the group list pulled from the server and put it in include list and commit the changes.</SPAN></P> <P>&nbsp;</P> <P><SPAN>See if it helps. Else I would suggest to contact support.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards,</SPAN></P> <P><SPAN>Abhishek</SPAN></P> Wed, 09 Dec 2015 02:51:41 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-domain-map/m-p/69237#M40221 abjain 2015-12-09T02:51:41Z