10-30-2018 10:41 AM
All of our users who auth over CP are now normalizing as 'domain.com\user' although we need them to be user@domain.com.
The authentication profile they go through has the %USERINPUT%@%USERDOMAIN% modifier. Domain is filled in & login attribute is 'userPrincipalName'.
All users who are getting mapped through AD instead of CP are showing correctly as user@domain.com.
We only have 1 auth profile, 1 ldap server profile, 1 group mapping settings profile.
10-30-2018 11:12 AM
@OGMaverick wrote: All of our users who auth over CP are now normalizing as 'domain.com\user' although we need them to be user@domain.com.
What do you mean with "now"? Did the format suddenly change? Was there something changed by someone in your company? Did you upgrade from PAN-OS 8.0 to 8.1?
10-30-2018 11:17 AM
There were the following 2 changes:
8.1.2 > 8.1.4
Changed auth profile to include the modifier so users can log in as 'user' or 'user@ccboe.com'
10-30-2018 11:19 AM
The reason @Remo is asking about the possible upgrade path is due to the fact that there were default-behavior changes introduced in 8.1, so if this is your first release on 8.1 you could be encountering the changes for the first time. Take a look at your profile and see what the Primary Username field is.
10-30-2018 11:26 AM - edited 10-30-2018 11:33 AM
We've been on 8.1.x since we got our boxes (5220)
However, up until now we were only using userinput instead of modifying it so that users could log in with or without the domain. Primary username is userPrincipalName. The 8.1.4 upgrade & auth profile change were done at the same time.
10-30-2018 03:53 PM
... this probably is still a tricky task to do ...
I once spent quite a while testing this authentication for GlobalProtect with PAN-OS 8.0. But I gave up because of similar/the same problems that you describe.
Anyway, if I were to do it again, I would try it with two authentication profiles that are combined in an authentication sequence with the option "Use domain to determine authentication profile" enabled. In the sequence you have to place the auth profile for sAMAccountName first and the other for UPN as second profile. This way you have more flexibility with the domain/modifier and hopefully this is a way that will work.