Group mapping with User Principal Name (UPN) from AD: Unknown removal of UPN suffix

Reply
Highlighted
L0 Member

Group mapping with User Principal Name (UPN) from AD: Unknown removal of UPN suffix

Dear All, 


In our IT infrastructure we have to use UPN names for user authentication. One reason is to have more than 20 characters for user names in comparison to the SAMaccountName.

Another reason is our multi domain environment. We need a way of mapping domain name in third parties applications.

Our function-level of Active Directory is Server 2012-R2. On then PA3020 we use Firmware V6.02.

   

We create a user group mapping (User identification/Group Mapping Settings) on PaloAlto firewall, based on "userPricipalName", described in the manuals of PA.

 

Our biggest problem is the removal of the UPN suffix in User-Group-Mapping.

Here an example: user "max.mayer@mydomain.com" becomes "max.mayer". The DNS suffix is inexplicably cut off.

 

 

The user access is via Global Protect Gateway and UPN to the LAN. On this way the IP to user mapping  is o.k.

 

Since we now work in the Palo Alto in the security policy rules only with the group from the Active Directory, they are without function.
Thus we are not able to control the traffic on the basis of AD groups..

 

  1. Is there a way to prevent the cutting off of the DNS suffix by the Palo Alto firewall?
  2. Is there an alternative solution to use AD groups with UPN in the Palo Alto security policies?

   

 

Thank you in advance

 

Martin Ade

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!