I have some problems with a user-id installation on PAN-OS 8.1.4, scenario:
1) Windows AD Domain Forest, with around 6/7 domains
2) I'm only interested in authenticating users from one of the domains in the forest
3) I've correctly connected the firewall to the local domain controllers and pulled out ip to user mapping
4) I've also correctly connected the firewall to the ldap servers for group mapping, groups are populated correctly
The domain is in the form: my-local-domain.myforest.local
Some users are detected as my-local-domain\username while some others are detected as my-local-domain.myforest.local\username and this gives me some problems because only users in the form my-local-domain\username are correctly mapped to groups.
I've already checked all the new documentation on user-id in 8.1 but cannot make it work :(
Looking at one of the users attributes:
show user user-attributes user my-local-domain\SOMEUSER
Primary: my-local-domain\SOMEUSER Email: SOMEUSER@mydomain.com
Alt User Names:
Basically i would like to configure an Alternate username in the form: my-local-domain.myforest.local\SOMEUSER
is it possible using the new "Alternate Username" feature ? if so... how ?
Solved! Go to Solution.
A had few cases related to similar issue. Most of them was related to:
a) wrong Group Mapping Domain Name configuration - check help. If you used this option make sure it is netbios.
c) multidomain configuration - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK
d) domain-map was created and not refreshed - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVDCA0
Thank you, with the help of one of the docs you shared I was finally able to solve this. It was the domain-map not woriking well, this doc ( https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK ) is absolute GOLD!
With some packet captures I was able to troubleshoot a problem related to the retrieval of the partitions from a Domain Controller.
Changed the binding on LDAP of one of the root domain controllers and all started to work !
BTW I already had a group mapping configured on one of the root DCs but i was using the Global Catalog service istead of the normal LDAP.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!