Authentication seems to be the most difficult task....


L4 Transporter

No matter how many articles I read or follow I can never get the authentication to work for LDAP. I create the LDAP server profile, create the Auth Profile, then the Auth Seq, add the user account to admins and assign the profile to that user and it never works. I also get this error when "testing":


admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username Steven.Williams.da password
Enter password :


Allow list check error:
Target vsys is not specified, user "Steven.Williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User Steven.Williams.da is not allowed with authentication profile Palo_Alto_Admins

dmin@TN-19023-PA500-01> show user group-mapping state all

Group Mapping(vsys1, type: active-directory): Network_Administrators
Bind DN :
Base : DC=domain,DC=lan
Group Filter: (None)
User Filter: (None)
Servers : configured 4 servers
Last Action Time: 19 secs ago(took 0 secs)
Next Action Time: In 41 secs
Number of Groups: 1

[Attachments: AD group.PNG, Auth_Profile.PNG, seq.PNG]

Accepted Solutions

According to the CLI output, the auth is working for LDAP.

So have we solved the first part of the problem, recognising users and groups for auth profiles?

If so, then the username must match exactly on the local database, as these are case sensitive.

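As an added illustration of the accepted solution's point (this is not code from the thread or from Palo Alto Networks): a small Python check that parses a group-membership listing in the shape of the "show user group name" output quoted later in the thread and shows why "Steven.Williams.da" fails a case-sensitive allow-list match while "steven.williams.da" passes. The listing is constructed from the thread's sample, and the case-sensitive comparison is an assumption used to model the firewall's allow-list check.

```python
import re

# Constructed sample modelled on the "show user group name" output in the thread
GROUP_OUTPUT = """\
short name: domain\\paloaltoadmins

source type: ldap
source: Domain_Users_and_Groups

[1 ] domain\\steven.williams.da
[2 ] domain\\jane.doe
"""


def parse_group_members(output: str) -> list[str]:
    """Return the 'domain\\user' entries from the numbered member lines."""
    return re.findall(r"^\[\s*\d+\s*\]\s+(\S+)$", output, re.MULTILINE)


def strip_domain(name: str) -> str:
    """Drop a leading 'domain\\' or 'domain.lan\\' prefix (both forms appear in the thread)."""
    return name.rsplit("\\", 1)[-1]


def allow_list_check(username: str, members: list[str], case_sensitive: bool) -> bool:
    """Model the allow-list check: is the user among the group's members?"""
    wanted = strip_domain(username)
    for member in members:
        candidate = strip_domain(member)
        if case_sensitive and candidate == wanted:
            return True
        if not case_sensitive and candidate.lower() == wanted.lower():
            return True
    return False


def diagnose(username: str, output: str) -> str:
    """Classify a failing test-authentication the way a troubleshooter would."""
    members = parse_group_members(output)
    if allow_list_check(username, members, case_sensitive=True):
        return "allowed"
    if allow_list_check(username, members, case_sensitive=False):
        return "case mismatch"          # user exists, but the spelling differs in case
    return "not a member"
```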


L7 Applicator

show user group name "cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan"


Can you see group members?

L3 Networker

Matching the syntax of your accounts and groups is crucial for LDAP requests. You can find the proper syntax for your user or group by using the "Distinguished Name" field in "Active Directory Users and Computers".


Open up "Active Directory Users and Computers" and right-click on your root domain. Choose the "Find" option from the pop-up menu. From the drop-down menu "View", select "Choose Columns" and then add the column for "Distinguished Name".


Search for your account. In this example we have a user with the word Palo in the name. The search box will show you the syntax for an LDAP query (example: CN=xxxxxx, OU=yyyyyy, DC=com). This will have your specific information required for the Palo Alto.



That command returns nothing. So I assume it can't see it?

If the PA cannot see it, then it will not allow you to even try to auth. It could be a number of things, but for basics I would try:


show user group list


This is just to make sure you have the correct group name in the first place.


Then try to remove admins from the auth profile, open it up to "any" and redo the "test authentication authentication-profile" again.


Also, to avoid the vsys error: set system setting target-vsys vsys1



Sorry, the show user group list may not help, as the groups available were in your first post.


It may be that the bind account does not have enough permissions to see the users in the group, just the group lists.

The show user group list only shows the users/groups in the Group Mapping Settings, which from what I am reading is not needed when doing WEB GUI auth.


Also, that command you mention doesn't exist:


PA500-01> set system setting
> ctd ctd
> logging logging
> mp-memory-monitor Set monitoring of management memory
> packet packet
> packet-descriptor-monitor Set monitoring of packet descriptors
> pow pow
> shared-policy Shared policy management via Panorama
> ssl-decrypt ssl-decrypt
> template Template management via Panorama
> url-database URL database
> url-filtering-feature change URL filtering feature settings
> util util
> wildfire wildfire settings
> zip zip



Sorry... busy day...

Also ensure the bind account in the LDAP profile is at least a member of the Server Operators group in AD.

Well, if I set the authentication profile to "all users" it works just fine.


Enter password :

Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "domain.lan\steven.williams.da" is in group "all"

Authentication to LDAP server at for user "steven.williams.da"
Type of authentication: GSSAPI
Starting LDAPS connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=Steven Williams.da,OU=Users,OU=NoPoliciesApplied,OU=Users,OU=domain,DC=domain,DC=lan
User expires in days: never

Authentication succeeded for user "steven.williams.da"



So the bind account is working; it's just not working for a specific user group.


admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

short name: domain\paloaltoadmins

source type: ldap
source: Domain_Users_and_Groups

[1 ] domain\steven.williams.da



It sees the user but can never auth with it. And yes, I have created a user account in the local admins to match this.

Could you post the auth profile and advanced settings?
