PAN-OS 8.1 User-ID problems

L1 Bithead

PAN-OS 8.1 User-ID problems

Hi there,

I have some problems with a user-id installation on PAN-OS 8.1.4, scenario:

1) Windows AD Domain Forest, with around 6/7 domains

2) I'm only interested in authenticating users from one of the domains in the forest

3) I've correctly connected the firewall to the local domain controllers and pulled out ip to user mapping

4) I've also correctly connected the firewall to the ldap servers for group mapping, groups are populated correctly

The domain is in the form: my-local-domain.myforest.local


Some users are detected as my-local-domain\username while some others are detected as my-local-domain.myforest.local\username and this gives me some problems because only users in the form my-local-domain\username are correctly mapped to groups.

I've already checked all the new documentation on user-id in 8.1 but cannot make it work :(

Looking at one of the users attributes:
show user user-attributes user my-local-domain\SOMEUSER
Primary: my-local-domain\SOMEUSER        Email:
Alt User Names:
2) my-local-domain\SOMEUSER.USERNAME
3) my-local-domain\SOMEUSER


Basically I would like to configure an Alternate username in the form: my-local-domain.myforest.local\SOMEUSER

Is it possible using the new "Alternate Username" feature? If so... how?


thank you!





L1 Bithead

Re: PAN-OS 8.1 User-ID problems


I had a few cases related to a similar issue. Most of them were related to:


a) wrong Group Mapping Domain Name configuration - check help. If you used this option, make sure it is NetBIOS.

b) issue described here:

c) multidomain configuration -

d) domain-map was created and not refreshed -




L1 Bithead

Re: PAN-OS 8.1 User-ID problems

Thank you, with the help of one of the docs you shared I was finally able to solve this. It was the domain-map not working well, this doc ( ) is absolute GOLD!

With some packet captures I was able to troubleshoot a problem related to the retrieval of the partitions from a Domain Controller.

Changed the binding on LDAP of one of the root domain controllers and all started to work !

BTW I already had a group mapping configured on one of the root DCs but I was using the Global Catalog service instead of the normal LDAP.
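The problem in this thread is a domain-map one: users reported as my-local-domain.myforest.local\username never matched groups learned under my-local-domain\username, and the cause was the partition (crossRef) retrieval from a root DC. The following is an added illustration, not code from the original thread or from Palo Alto Networks. It rebuilds the DNS-to-NetBIOS domain map from constructed crossRef entries of the kind that live under CN=Partitions,CN=Configuration,<forest root> (the nCName, dnsRoot and nETBIOSName attributes are the real AD schema names; the domain names are the thread's placeholders), normalizes user names in FQDN, NetBIOS and UPN form to the NetBIOS form that group mapping matches on, and reports the names that cannot be resolved, which is exactly the failure mode seen above. Function names (parse_ldif, build_domain_map, normalize_user, audit_users) are this example's own.

```python
import re

# Constructed sample: crossRef objects as they would appear under
# CN=Partitions,CN=Configuration,DC=myforest,DC=local. The third entry is the
# Configuration partition itself, which has no nETBIOSName and must be skipped.
# (Sample data for this example; domain names are the thread's placeholders.)
SAMPLE_CROSSREFS = """\
dn: CN=MYFOREST,CN=Partitions,CN=Configuration,DC=myforest,DC=local
nCName: DC=myforest,DC=local
dnsRoot: myforest.local
nETBIOSName: MYFOREST

dn: CN=MY-LOCAL-DOMAIN,CN=Partitions,CN=Configuration,DC=myforest,DC=local
nCName: DC=my-local-domain,DC=myforest,DC=local
dnsRoot: my-local-domain.myforest.local
nETBIOSName: MY-LOCAL-DOMAIN

dn: CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=myforest,DC=local
nCName: CN=Configuration,DC=myforest,DC=local
dnsRoot: myforest.local
"""


def parse_ldif(text):
    """Split LDIF-style text (blank line between entries) into a list of
    {attribute_lowercase: value} dicts. Single-valued attributes only, which
    is all a crossRef needs here."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries


def build_domain_map(crossref_text):
    """Return {dns_domain (lowercase): NETBIOS (uppercase)} from every crossRef
    that carries both dnsRoot and nETBIOSName. Non-domain partitions
    (Configuration, Schema, DNS application partitions) have no nETBIOSName
    and are left out, so an incomplete or stale set of crossRefs produces an
    incomplete map, which is what leaves FQDN-form users unmatched."""
    domain_map = {}
    for entry in parse_ldif(crossref_text):
        dns_root = entry.get("dnsroot")
        netbios = entry.get("netbiosname")
        if dns_root and netbios:
            domain_map[dns_root.lower()] = netbios.upper()
    return domain_map


def normalize_user(name, domain_map):
    """Normalize 'DOMAIN\\user', 'dns.domain\\user' or 'user@dns.domain' to
    the NetBIOS form 'NETBIOS\\user'. Returns (normalized_name, resolved);
    resolved is False when the domain part is not in the map, in which case
    the name is returned unchanged so the caller can see what failed."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, domain = name.rpartition("@")
    else:
        return name, False  # bare user name: no domain to map
    dns_key = domain.lower()
    if dns_key in domain_map:  # FQDN form -> NetBIOS form
        return f"{domain_map[dns_key]}\\{user}", True
    if domain.upper() in domain_map.values():  # already NetBIOS form
        return f"{domain.upper()}\\{user}", True
    return name, False


def audit_users(names, domain_map):
    """Run a list of reported user names through the map and return
    (resolved list, unresolved list). The unresolved list is what to compare
    against the firewall's own domain-map output when groups do not match."""
    resolved, unresolved = [], []
    for name in names:
        normalized, ok = normalize_user(name, domain_map)
        (resolved if ok else unresolved).append(normalized)
    return resolved, unresolved


if __name__ == "__main__":
    dmap = build_domain_map(SAMPLE_CROSSREFS)
    # Constructed IP-to-user names in the three forms seen in the thread.
    seen = [
        "my-local-domain\\SOMEUSER",
        "my-local-domain.myforest.local\\SOMEUSER",
        "someuser@my-local-domain.myforest.local",
        "other-domain.myforest.local\\bob",  # domain missing from the map
    ]
    ok, bad = audit_users(seen, dmap)
    print("domain map:", dmap)
    print("resolved:  ", ok)
    print("unresolved:", bad)
```

On a live DC the same attributes come from an LDAP search with base CN=Partitions,CN=Configuration,<forest root DN> and filter (objectClass=crossRef); if that search returns fewer domain crossRefs than the forest has, the resulting map is short and every user reported under the missing DNS name ends up in the unresolved list.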


