topic Re: User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS in General Topics

User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

SirchRettop — Thu, 08 Oct 2020 14:49:03 GMT

Hi Community,

Having a headache of an issue lately and I believe it to be an issue on the customer environment rather than a setting configuration on the firewall, or software issue in PAN-OS e.g.

I've little experience with enterprise active directory so I learn as I go.

At the moment, customer has been using the Domain DNS for User Domain settings on Authentication Profiles and Group Mappings.

I plan to change this and make sure to use the NetBIOS in place of the domain DNS for User Domain settings in Authentication Profiles and Group Mapping settings.

PAN-OS 9.0.8

Global Protect 5.1.3

Windows Server: Not Sure

In the customers environment, certain subnets, be it wired or wireless, the ip-user-mapping are picked up as sometimes lan.corp.com/user or corp/user.

Therefore, an ip-user-mapping of lan.corp.com/user isn't recognized as being part of the AD group corp/webaccess and security rule is never hit.

Same user will then remove the wired connection, will be picked up on a different ip-address via Wifi but is now seen on the firewall as corp/user, is seen inside AD group corp/webaccess and hits the rule, gaining web access.

Again issue happens when users try to authenticate from home via Global Protect.

Verifying with command [ > tail follow yes mp-log authd ] users authentication will fail because lan.corp.com/user is not inside AD group globalprotect .... user will try again and again until eventually they are picked up as corp/user.

I've searched almost all of LiveCommunity, Fuel User Group and Support Portal Knowledgebase to see if this has come up before.

Most articles state the requirement of using NetBIOS in place of Domain DNS but nothing stating what steps the customer should do to verify domain mapping and AD is correct.

Please help

Re: User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

BPry — Fri, 09 Oct 2020 02:29:38 GMT

@SirchRettop,

It really sounds like you haven't set a Primary Username on the firewall since the introduction of multiple username formats with PAN-OS 8.1. I'd look at your group mappings and verify that your User Attributes are actually setup properly.

Re: User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

jlesquerpit — Mon, 12 Oct 2020 10:33:33 GMT

J'ai le même problème, certains utilisateurs sont identifiés comme netbiosdomain\user et dnsdomain\user

Quand ils sont reconnus comme netbiosdomaine\user, la règle de sécurité basée sur le groupe AD est bien appliquée.

Quand ils sont reconnus comme dnsdomain\user la règle n'est pas appliquée à l'utilisateur.

Quand je vais voir dans monitoring user-id, je vois que l'utilisateur est reconnu en dnsdomain\user quand la source retourne le user sous la forme user@dnsdomain. C'est ce qui pose problème. Pourquoi la source retourne user@dnsdomain... Comment faire pour ne pas avoir ce retour sous la forme user@dnsdomain mais n'avoir que le retour sous la forme netbiosdomain\user.

Re: User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

jlesquerpit — Tue, 13 Oct 2020 14:18:54 GMT

J'ai finalement trouvé la cause de ce problème d'authentification...

Mon domaine a un DN enregistré dans la foret, il faut donc créé un connecteur ldap vers cet autre domaine, ajouter un mapping de groupe vers ce domaine basé sur le même groupe Active Directory.

Une fois ceci effectué, tous les utilisateurs sont bien convertis en netbiosdomain\user

On a ce problème d'authentification sous la forme user@dnsdomain pour une machine quand paloalto a besoin de l'authentifier et que le domaine actuel est enregistré dans un autre domaine au niveau du DN du domaine.

Re: User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

SirchRettop — Fri, 16 Oct 2020 08:07:50 GMT

I managed to solve the issue.

I tweaked the config and used the NetBIOS dns in place of the Domain dns in any setting where it asks for the 'Domain' input e.g. Group Mapping and Authentication Profiles

Users are now always successfully matched in a security rule and also can authenticate over Global Protect without previous intermittent failures