https://live.paloaltonetworks.com/t5/general-topics/pan-os-8-1-user-id-problems/m-p/242710#M69409 <P>Thank you, with the help of one of the docs you shared I was finally able to solve this. It was the domain-map not woriking well, this doc ( <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK</A> ) is absolute GOLD!</P><P>With some packet captures I was able to troubleshoot a problem related to the retrieval of the partitions from a Domain Controller.</P><P>Changed the binding on LDAP of one of the root domain controllers and all started to work !</P><P>BTW I already had a group mapping configured on one of the root DCs but i was using the Global Catalog service istead of the normal LDAP.</P><P>&nbsp;</P><P>Thank's!</P> Mon, 10 Dec 2018 13:19:45 GMT LCMember4164 2018-12-10T13:19:45Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-8-1-user-id-problems/m-p/242311#M69337 <P>Hi there,</P><P>I have some problems with a user-id installation on PAN-OS 8.1.4, scenario:</P><P>1) Windows AD Domain Forest, with around 6/7 domains</P><P>2) I'm only interested in authenticating users from one of the domains in the forest</P><P>3) I've correctly connected the firewall to the local domain controllers and pulled out ip to user mapping</P><P>4) I've also correctly connected the firewall to the ldap servers for group mapping, groups are populated correctly</P><P>The domain is in the form: my-local-domain.myforest.local</P><P>Problem:</P><P>Some users are detected as my-local-domain\username while some others are detected as my-local-domain.myforest.local\username and this gives me some problems because only users in the form my-local-domain\username are correctly mapped to groups.</P><P>I've already checked all the new documentation on user-id in 8.1 but cannot make it work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>Looking at one of the users attributes:<BR />show user user-attributes user my-local-domain\SOMEUSER<BR />Primary: my-local-domain\SOMEUSER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Email: SOMEUSER@mydomain.com<BR />Alt User Names:<BR />1) SOMEUSER@mydomain.com<BR />2) my-local-domain\SOMEUSER.USERNAME<BR />3) my-local-domain\SOMEUSER<BR />4) SOMEUSER@UPN</P><P>&nbsp;</P><P>Basically i would like to configure an Alternate username in the form: my-local-domain.myforest.local\SOMEUSER</P><P>is it possible using the new "Alternate Username" feature ? if so... how ?</P><P>&nbsp;</P><P>thank you!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 05 Dec 2018 23:27:46 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-8-1-user-id-problems/m-p/242311#M69337 LCMember4164 2018-12-05T23:27:46Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-8-1-user-id-problems/m-p/242376#M69344 <P>Hi,</P><P>A had few cases related to similar issue. Most of them was related to:</P><P>&nbsp;</P><P>a) wrong Group Mapping Domain Name configuration - check help. If you used this option make sure it is netbios.</P><P>b) issue described here:&nbsp;<SPAN><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Group-Mapping-in-a-Multi-Domain-Active/ta-p/60784" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Group-Mapping-in-a-Multi-Domain-Active/ta-p/60784</A> </SPAN></P><P><SPAN>c) multidomain configuration -&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK</A></SPAN></P><P><SPAN>d) domain-map was created and not refreshed -&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVDCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVDCA0</A></SPAN></P><P>&nbsp;</P><P><SPAN>best&nbsp;</SPAN></P><P><SPAN>Jarek</SPAN></P> Thu, 06 Dec 2018 14:40:51 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-8-1-user-id-problems/m-p/242376#M69344 jarbu 2018-12-06T14:40:51Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-8-1-user-id-problems/m-p/242710#M69409 <P>Thank you, with the help of one of the docs you shared I was finally able to solve this. It was the domain-map not woriking well, this doc ( <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK</A> ) is absolute GOLD!</P><P>With some packet captures I was able to troubleshoot a problem related to the retrieval of the partitions from a Domain Controller.</P><P>Changed the binding on LDAP of one of the root domain controllers and all started to work !</P><P>BTW I already had a group mapping configured on one of the root DCs but i was using the Global Catalog service istead of the normal LDAP.</P><P>&nbsp;</P><P>Thank's!</P> Mon, 10 Dec 2018 13:19:45 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-8-1-user-id-problems/m-p/242710#M69409 LCMember4164 2018-12-10T13:19:45Z