Authentication seems to be the most difficult task....

No matter how many articles I read or follow I can never get the authentication to work for LDAP. I create the LDAP server profile, create the Auth Profile, then the Auth Seq, add the user account to admins and assign the profile to that user and it never works. I also get this error when "testing":

admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username Steven.Williams.da password
Enter password :

Allow list check error:
Target vsys is not specified, user "Steven.Williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User Steven.Williams.da is not allowed with authentication profile Palo_Alto_Admins

admin@PA500-01>

admin@TN-19023-PA500-01> show user group-mapping state all

Group Mapping(vsys1, type: active-directory): Network_Administrators
Bind DN : ldap.read@domain.lan
Base : DC=domain,DC=lan
Group Filter: (None)
User Filter: (None)
Servers : configured 4 servers
10.100.6.205(636)
Last Action Time: 19 secs ago(took 0 secs)
Next Action Time: In 41 secs
10.100.6.210(636)
10.100.21.210(636)
10.110.6.210(636)
Number of Groups: 1
cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

admin@PA500-01>

(Attached screenshots: AD group.PNG, Auth_Profile.PNG, seq.PNG)

That didn't work either, but do I need to add my individual name to the group mappings? I mean I have domain users in the group mappings, which includes "EVERYONE" in the domain.

System Log:

failed authentication for user ''.  Reason: Authentication profile not found for the user. From: 10.100.22.16.

Looks like it didn't even know what user was trying to login.

No, you do not need to add individual users for this to work. I was just trying to see if it was failing at group level.

It's very difficult when I can't see your domain info, as I can't see if all boxes are correct on the various pages.

1. Did your name auto-populate when you started to add it in auth profile advanced, and did it include the domain name?

2. Is the domain name from Q1 entered into the domain field on both the group mapping and auth profile pages?

Yes, the name auto-populated. Came right up, so that's good. For your next question, when I open the "Group Mapping", are you referring to the area under Domain Setting labeled "User Domain"? If so, that value is empty. The server profile is set to what I am using in the LDAP server profile, so shouldn't it know the user domain?

Yes, the field can be left blank as it will obtain the domain name from the LDAP server profile. You only need to enter a value if you need to override the LDAP value, but I'm just trying to see what's different from yours to mine.

The only difference really is that my NetBIOS domain name does not include a "." as in your xxx.lan domain name.

Shame we cannot set up a web meeting.

I'll have a recap and get back to you...

Also, on your previous CLI test authentication...

failed authentication for user ''.  Reason: Authentication profile not found for the user. From: 10.100.22.16.

Could you post the command and output?

Sorry this is dragging on. I am no expert, but we have quite a few LDAP profiles, hundreds of group mappings/restrictions, and all seem to work well.....

That error came from the system logs. I'm not worried about the amount of time; I have been stuck for weeks, and it seems so simple in every article and forum I have read.

Still this:

admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username steven.williams.da password
Enter password :

Allow list check error:
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User steven.williams.da is not allowed with authentication profile Palo_Alto_Admins

admin@PA500-01>

I have the user account in the administrators set to use the authentication sequence profile, which is just mapped to the authentication profile anyway, so I can't imagine that is an issue.

So we know the LDAP server profile is good, otherwise the population of users and groups wouldn't work.

We know group mapping is working also, as I have "paloaltoadmins" in the group include list.

(Attached screenshots: new_authprofile.PNG, new_authprofile1.PNG)

And we know I am part of the PaloAltoAdmins group and it KNOWS this based on this output:

admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

short name: domain.lan\paloaltoadmins

source type: ldap
source: Centerstone_Users_and_Groups

[1 ] domain.lan\steven.williams.da

admin@PA500-01>

So I think it's broken.

Code version 8.04

Hi s.williams,

For username modifier, change that from %USERDOMAIN%\%USERINPUT% to just %USERINPUT% and check in the WebUI and see if that works.

The problem I can see with the older posts is that the domain name, when it works fine, is taken as domain.lan, and when it is not working it is taken as domain only.

So try with %USERINPUT% and enter just the username in the WebUI and see if it works.

I dumped V8 as it had so many issues, so let's hope it's not that...

In your previous screenshots.....

Auth profile - user domain...   you have greyed out domain info but left .lan showing.

Auth profile - advanced...   you have greyed out domain info but not left .lan showing.

Is this just a coincidence, or are the domain names in both screenshots not exactly the same?

The username shows as domain\username, not domain.lan\username.

The main domain name is the same.

So change your auth profile user domain to "domain" and not "domain.lan".

That did not work. I guess maybe it's time to open a ticket with support. 😞

Nooooooooooooooooo!... bummer.

Give me 2 mins, I will send a dump of my config and output so you can just check all is in place.

(Attached screenshots: cli1.png, ap2.png, ap1.png)

If you have time, just send as I have and include the CLI command and output.

admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username steven.williams.da password
Enter password :

Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "domain\steven.williams.da" has exact match in allow list

Authentication to LDAP server at 10.100.21.210 for user "steven.williams.da"
Egress: 10.100.20.20
Type of authentication: GSSAPI
Starting LDAPS connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=Steven Williams.da,OU=Users,OU=NoPoliciesApplied,OU=Users,OU=Domain,DC=domain,DC=lan
User expires in days: never

Authentication succeeded for user "steven.williams.da"

admin@PA500-01>
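The two "test authentication" transcripts in this thread (the failing one earlier and the working one just quoted) differ in which stage they stop at, and that is the first thing to read off them. Here is an added Python parser, not PAN-OS code and not from any of the posters, that extracts the stage and the fields worth checking from such a transcript. The sample transcripts are constructed copies of the thread's output; the stage names and the suggested next check for each stage are this example's own.

```python
# Added example, not PAN-OS code: a small parser for the output of the
# "test authentication" CLI command quoted in this thread. It tells apart a
# rejection at the allow-list stage (which never contacts LDAP) from a run that
# reached the LDAP server, and pulls out the fields a triage needs.
# The sample transcripts are constructed copies of the thread's output; the
# stage labels and next-check hints are this example's own naming.

import re
from typing import Dict

FAILING_TRANSCRIPT = """\
Allow list check error:
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User steven.williams.da is not allowed with authentication profile Palo_Alto_Admins
"""

WORKING_TRANSCRIPT = """\
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "domain\\steven.williams.da" has exact match in allow list

Authentication to LDAP server at 10.100.21.210 for user "steven.williams.da"
Egress: 10.100.20.20
Type of authentication: GSSAPI
Starting LDAPS connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=Steven Williams.da,OU=Users,OU=NoPoliciesApplied,OU=Users,OU=Domain,DC=domain,DC=lan
User expires in days: never

Authentication succeeded for user "steven.williams.da"
"""


def parse_test_authentication(output: str) -> Dict[str, str]:
    """Reduce a transcript to the facts a triage needs: the stage it ended at,
    the name the allow list matched (if any), and the LDAP details reached.
    The stage is overwritten as later lines appear, so it ends at the last step seen."""
    r = {"stage": "unknown", "user": "", "matched_name": "", "profile": "",
         "server": "", "egress": "", "auth_type": "", "dn": ""}
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.search(r'user "([^"]+)" is assumed', line):
            r["user"] = m.group(1)
        elif m := re.match(r'name "([^"]+)" has exact match in allow list', line):
            r["matched_name"] = m.group(1)
            r["stage"] = "allow_list_passed"
        elif m := re.match(r'User \S+ is not allowed with authentication profile (\S+)', line):
            r["profile"] = m.group(1)
            r["stage"] = "allow_list_rejected"
        elif m := re.match(r'Authentication to LDAP server at (\S+)', line):
            r["server"] = m.group(1)
            r["stage"] = "ldap_contacted"
        elif m := re.match(r'Egress: (\S+)', line):
            r["egress"] = m.group(1)
        elif m := re.match(r'Type of authentication: (.+)', line):
            r["auth_type"] = m.group(1)
        elif m := re.match(r'DN sent to LDAP server: (.+)', line):
            r["dn"] = m.group(1)
        elif line.startswith("Authentication succeeded for user"):
            r["stage"] = "success"
    return r


# Where to look next for each stage (this example's own hints, based on the
# thread: the allow-list stage is a name comparison and never touches LDAP).
NEXT_CHECK = {
    "allow_list_rejected": "never reached LDAP: compare the profile's User Domain and "
                           "username modifier with the domain prefix that "
                           "'show user group name' prints for the member",
    "allow_list_passed": "allow list ok but no LDAP step reported: check the LDAP "
                         "server profile and reachability",
    "ldap_contacted": "LDAP reached but no success line: check the bind DN, "
                      "password and the user's DN",
    "success": "authentication path is fine; check the administrator account "
               "and the profile or sequence assigned to it",
}


def triage(output: str) -> str:
    """One-line verdict: the stage reached and the next thing to check."""
    r = parse_test_authentication(output)
    return f"{r['stage']}: {NEXT_CHECK.get(r['stage'], 'unrecognised output')}"


if __name__ == "__main__":
    print(triage(FAILING_TRANSCRIPT))
    print(triage(WORKING_TRANSCRIPT))
```

Feeding it the failing transcript reports allow_list_rejected with no LDAP server, egress or DN filled in, which is the tell that the profile never sent a request; the working transcript reports success together with the server, the GSSAPI method and the DN that was bound.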

Other windows are just like yours.

Is the username I create in the local administrators case sensitive?
