https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161331#M52497 <P>Use Authentication Sequence profile instead of separate local and LDAP logins, and remove the user domain from the group mapping &amp; auth profile.</P><P>&nbsp;</P><P>Regards,</P><P>Sharief</P> Thu, 15 Jun 2017 06:48:26 GMT MohamedSharief 2017-06-15T06:48:26Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161181#M52463 <P>Hi !</P><P>&nbsp;</P><P>Currently, I am using GlobalProtect in my network.</P><P>Also, I am configuring an Active Directory Server, and I would like to use AD users to connect to GlobalProtect (currently I'm&nbsp;using local users / groups in the firewall). Computers are not in the domain yet.</P><P>&nbsp;</P><P>I have followed this tutorial :&nbsp;<A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Active-Directory-Server-Profile-for-Group/ta-p/58089" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Active-Directory-Server-Profile-for-Group/ta-p/58089</A>.</P><P>&nbsp;</P><P>When I verify connection to the LDAP server (with command: <EM>show user group name domain\usersgroup1</EM>), I've all my users.</P><P>&nbsp;</P><P>But when I try to connect to GlobalProtect with an AD user, it's doesn't work and I have this error message in System logs: Authentification failed : Invalid username or password.</P><P>&nbsp;</P><P>Have you got any idea to solve the problem ?</P><P>&nbsp;</P><P>Thanks all !</P><P>&nbsp;</P><P>This is details of my configuration :</P><P>&nbsp;</P><P>LDAP Server Profile:&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Server LDAP.PNG" style="width: 622px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9708i0231640DB56A1129/image-dimensions/622x331/is-moderation-mode/true?v=v2" width="622" height="331" role="button" title="Server LDAP.PNG" alt="Server LDAP.PNG" /></span></P><P>&nbsp;</P><P>&nbsp;Group Mapping:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Group Mapping 1.PNG" style="width: 465px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9709iF2BBDFEBB884CBCB/image-dimensions/465x475/is-moderation-mode/true?v=v2" width="465" height="475" role="button" title="Group Mapping 1.PNG" alt="Group Mapping 1.PNG" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Group Mapping 2.PNG" style="width: 443px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9710iD3758DCCBE011FBD/image-dimensions/443x294/is-moderation-mode/true?v=v2" width="443" height="294" role="button" title="Group Mapping 2.PNG" alt="Group Mapping 2.PNG" /></span></P><P>&nbsp;</P><P>This is my Authentification profile :<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Auth Profile.PNG" style="width: 426px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9711iA4BD6C132511E976/image-dimensions/426x294/is-moderation-mode/true?v=v2" width="426" height="294" role="button" title="Auth Profile.PNG" alt="Auth Profile.PNG" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Auth Profile 2.PNG" style="width: 489px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9713i058879DEAAD9525C/image-dimensions/489x413/is-moderation-mode/true?v=v2" width="489" height="413" role="button" title="Auth Profile 2.PNG" alt="Auth Profile 2.PNG" /></span></P><P>&nbsp;</P><P>&nbsp;And this is the GlobalProtect Authentication configuration:</P><P>Portal :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Portal Auth.PNG" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9714iFD1C26058C313CB1/image-dimensions/512x305/is-moderation-mode/true?v=v2" width="512" height="305" role="button" title="Portal Auth.PNG" alt="Portal Auth.PNG" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Portal Auth 2.PNG" style="width: 510px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9715i7B8119FBFE153EED/image-dimensions/510x263/is-moderation-mode/true?v=v2" width="510" height="263" role="button" title="Portal Auth 2.PNG" alt="Portal Auth 2.PNG" /></span></P><P>&nbsp;</P><P>&nbsp;Gateway :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="passerelle auth.PNG" style="width: 549px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9716i520E317CB0E2E10D/image-dimensions/549x323/is-moderation-mode/true?v=v2" width="549" height="323" role="button" title="passerelle auth.PNG" alt="passerelle auth.PNG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Jun 2017 10:29:32 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161181#M52463 informatiq 2017-06-14T10:29:32Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161306#M52489 <P>Very well documented post!</P><P>&nbsp;</P><P>1) If you are entering the domain yourself, under Authentication profile-&gt;User domain, then put the user modifier as %username% only.</P><P>&nbsp;</P><P>2) If step (1) doesn't work, then run:</P><P>&nbsp;</P><P>&gt; tail follow yes mp-log authd.log</P><P>&nbsp;</P><P>and then try to authenticate. Copy and paste those logs here.</P><P>&nbsp;</P><P>Good Luck!</P> Wed, 14 Jun 2017 22:08:23 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161306#M52489 ansharma 2017-06-14T22:08:23Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161311#M52494 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58639">@informatiq</a></P><P>In the <STRONG>Group Mapping --&gt; Domain Setting --&gt; User Domain</STRONG>, include only your NetBios name or leave it blank, for instance: in your example it is <STRONG>domain.ad</STRONG>, so leave it as <STRONG>domain</STRONG></P><P>&nbsp;</P><P>In the Authentication Profile User Domain field, either remove it completely or also include only your NetBios.&nbsp;</P><P>&nbsp;</P><P>Both actions should resolve this issue for you.</P><P>&nbsp;</P><P>I hope this helps.</P><P>&nbsp;</P><P>Willian</P> Wed, 14 Jun 2017 22:52:27 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161311#M52494 acc6d0b3610eec313831f7900fdbd235 2017-06-14T22:52:27Z https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161331#M52497 <P>Use Authentication Sequence profile instead of separate local and LDAP logins, and remove the user domain from the group mapping &amp; auth profile.</P><P>&nbsp;</P><P>Regards,</P><P>Sharief</P> Thu, 15 Jun 2017 06:48:26 GMT https://live.paloaltonetworks.com/t5/general-topics/active-directory-authentication-for-globalprotect-issue/m-p/161331#M52497 MohamedSharief 2017-06-15T06:48:26Z