I'm using User-ID with agents on the DC. Today I got a strange problem.
I created a new user and I try to log on to the GP portal and use the GP client. Every time, I get "invalid username or password" in the logs.
> debug user-id refresh group-mapping all (non-intrusive command)
This command will only fetch the delta/difference value from the Active Directory.
> debug user-id reset group-mapping all (intrusive command)
But it's for groups; this user doesn't belong to any of the mapped groups.
How to force refresh this user?
Simple GP authentication shouldn't be affected by any refresh.
If authentication for existing users is working properly (otherwise I would have requested you to check for LDAP connectivity),
check what you see in the authd logs.
Did you try a tcpdump or pcap of the interesting traffic on Palo Alto firewall?
Did you check on DC for user authentication logs?
Possibly this will help you narrow down.
You said that the user was not part of any group. As such, have you added that user to the Authentication profile for GP Portal / GW as an individual user there?
You can do the reset command, as that forces the LDAP server to pull all the users/groups from the AD again (before its hourly update).
If you add a new user to a group or to AD, the firewall groups ought to be reset so as to pull any new users/groups on the AD.