10-06-2017 06:10 AM
No matter how many articles I read or follow, I can never get the authentication to work for LDAP. I create the LDAP server profile, create the Auth Profile, then the Auth Seq, add the user account to admins and assign the profile to that user, and it never works. I also get this error when "testing":
admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username Steven.Williams.da password
Enter password :
Allow list check error:
Target vsys is not specified, user "Steven.Williams.da" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
User Steven.Williams.da is not allowed with authentication profile Palo_Alto_Admins
admin@PA500-01>
admin@TN-19023-PA500-01> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): Network_Administrators
Bind DN : ldap.read@domain.lan
Base : DC=domain,DC=lan
Group Filter: (None)
User Filter: (None)
Servers : configured 4 servers
10.100.6.205(636)
Last Action Time: 19 secs ago(took 0 secs)
Next Action Time: In 41 secs
10.100.6.210(636)
10.100.21.210(636)
10.110.6.210(636)
Number of Groups: 1
cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan
admin@PA500-01>
10-11-2017 05:20 AM
That didn't work either, but do I need to add my individual name to the group mappings? I mean I have domain users in the group mappings, which includes "EVERYONE" in the domain.
System Log:
failed authentication for user ''. Reason: Authentication profile not found for the user. From: 10.100.22.16.
Looks like it didn't even know what user was trying to log in.
10-11-2017 05:29 AM
No, you do not need to add individual users for this to work; I was just trying to see if it was failing at group level.
It's very difficult when I can't see your domain info, as I can't see if all boxes are correct in the various pages.
1. Did your name auto-populate when you started to add it in auth profile advanced, and did it include the domain name?
2. Is the domain name from Q1 entered into the domain field on both the group mapping and auth profile pages?
10-11-2017 05:35 AM
Yes, the name auto-populated. Came right up, so that's good. For your next question, when I open the "Group Mapping", are you referring to the area under Domain Setting labeled "User Domain"? If so, that value is empty. The server profile is set to what I am using in the LDAP server profile, so shouldn't it know the user domain?
10-11-2017 05:57 AM
Yes, the field can be left blank as it will obtain the domain name from the LDAP server profile. You only need to enter a value if you need to override the LDAP value, but I'm just trying to see what's different from yours to mine.
The only difference really is that my NetBIOS domain name does not include a "." as in your xxx.lan domain name.
Shame we cannot set up a web meeting.
I'll have a recap and get back to you...
10-11-2017 06:00 AM
Also, on your previous CLI test authentication...
failed authentication for user ''. Reason: Authentication profile not found for the user. From: 10.100.22.16.
Could you post the command and output?
Sorry this is dragging on. I am no expert, but we have quite a few LDAP profiles, hundreds of group mappings/restrictions, and all seem to work well.....
10-11-2017 06:16 AM
That error came from the system logs. I'm not worried about the amount of time; I have been stuck for weeks, and it seems so simple in every article and forum I have read.
Still this:
admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username steven.williams.da password
Enter password :
Allow list check error:
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
User steven.williams.da is not allowed with authentication profile Palo_Alto_Admins
admin@PA500-01>
I have the user account in the administrators set to use the Authentication sequence profile, which is just mapped to the authentication profile anyway, so I can't imagine that is an issue.
So we know the LDAP server profile is good; otherwise the population of users and groups wouldn't work.
We know group mapping is working also, as I have added "paloaltoadmins" to the group include list.
And we know I am part of the PaloAltoAdmins group, and it KNOWS this based on this output:
admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan
short name: domain.lan\paloaltoadmins
source type: ldap
source: Centerstone_Users_and_Groups
[1 ] domain.lan\steven.williams.da
admin@PA500-01>
So I think it's broke.
Code version 8.04
10-11-2017 06:23 AM
Hi s.williams,
For the username modifier, change that from %USERDOMAIN%\%USERINPUT% to just %USERINPUT%, check in the WebUI and see if that works.
The problem I can see with the older posts is that the domain name, when it works fine, is taken as domain.lan, and when it is not working it is taken as domain only.
So try with %USERINPUT%, enter just the username in the WebUI and see if it works.
10-11-2017 06:39 AM
I dumped V8 as it had so many issues, so let's hope it's not that...
In your previous screenshots.....
Auth profile - user domain... you have greyed out domain info but left .lan showing.
Auth profile - advanced... you have greyed out domain info but not left .lan showing.
Is this just a coincidence, or are the domain names in both screenshots not exactly the same?
10-11-2017 06:41 AM
The username shows as domain\username, not domain.lan\username.
The main domain name is the same.
10-11-2017 06:43 AM
So change your auth profile user domain to "domain" and not "domain.lan".
10-11-2017 08:04 AM
That did not work. I guess maybe it's time to open a ticket with support. 😞
10-11-2017 08:08 AM
Nooooooooooooooooo!... bummer.
Give me 2 mins; I will send a dump of my config and output so you can just check all is in place.
10-11-2017 08:16 AM
If you have time, just send as I have and include the CLI command and output.
10-11-2017 08:26 AM
admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username steven.williams.da password
Enter password :
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "domain\steven.williams.da" has exact match in allow list
Authentication to LDAP server at 10.100.21.210 for user "steven.williams.da"
Egress: 10.100.20.20
Type of authentication: GSSAPI
Starting LDAPS connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=Steven Williams.da,OU=Users,OU=NoPoliciesApplied,OU=Users,OU=Domain,DC=domain,DC=lan
User expires in days: never
Authentication succeeded for user "steven.williams.da"
admin@PA500-01>
Other windows are just like yours.
Is the username I create in the local administrators case sensitive?
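The failing and succeeding test outputs in this thread turn on one thing: the allow-list check runs before any LDAP bind, and the login name it builds (username modifier expanded with the profile's user domain, or the domain inherited from the LDAP server profile) has to line up with the <domain>\<user> form that group mapping reports for the allow-list group. The following is an added toy model of that check, written for this page and not PAN-OS code; the domain "domain.lan", the group DN and the member name are taken from the thread's output, the NetBIOS name "domain" and the case-insensitive comparison are assumptions of the model.

```python
"""Toy model of the allow-list check an authentication profile performs before it
sends a bind request to LDAP. Added illustration, not PAN-OS code: the login name
is built from the username modifier, the domain comes either from the profile's
user-domain field or from the LDAP server profile, and the result must match the
<domain>\\<user> form that group mapping reports for the allow-list group."""
from dataclasses import dataclass

# Constructed values taken from the thread's output.
LDAP_PROFILE_DOMAIN = "domain.lan"  # assumed: domain learned via the LDAP server profile
GROUP_MEMBERS = {  # group DN -> account names returned by group mapping
    "cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan": ["steven.williams.da"],
}
ADMINS = "cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan"


@dataclass
class GroupMapping:
    """Group-mapping settings: an empty user_domain inherits the LDAP profile's domain."""
    user_domain: str = ""

    def domain(self) -> str:
        return self.user_domain or LDAP_PROFILE_DOMAIN

    def members(self, group_dn: str) -> set:
        # Group mapping reports members as <domain>\<user>, e.g. domain.lan\steven.williams.da
        return {f"{self.domain()}\\{u}" for u in GROUP_MEMBERS.get(group_dn, [])}


@dataclass
class AuthProfile:
    """Authentication profile: allow list of group DNs (or 'all'), modifier, user domain."""
    allow_list: tuple
    username_modifier: str = "%USERDOMAIN%\\%USERINPUT%"
    user_domain: str = ""  # empty: inherit from the LDAP server profile

    def login_name(self, user_input: str) -> str:
        domain = self.user_domain or LDAP_PROFILE_DOMAIN
        return (self.username_modifier
                .replace("%USERDOMAIN%", domain)
                .replace("%USERINPUT%", user_input))


def allow_list_check(profile: AuthProfile, mapping: GroupMapping, user_input: str):
    """Return (allowed, login_name, message). Comparison is case-insensitive here;
    that is an assumption of this model, not a statement about the firewall."""
    name = profile.login_name(user_input)
    if "all" in profile.allow_list:
        return True, name, "allow list is 'all'"
    for group_dn in profile.allow_list:
        if name.lower() in {m.lower() for m in mapping.members(group_dn)}:
            return True, name, f'name "{name}" has exact match in allow list'
    return False, name, f"User {name} is not allowed with authentication profile"


if __name__ == "__main__":
    # Both sides inherit the same domain from the LDAP server profile: the names line up.
    print(allow_list_check(AuthProfile((ADMINS,)), GroupMapping(), "steven.williams.da"))
    # Only the auth profile is overridden to the NetBIOS name: mismatch, user rejected.
    print(allow_list_check(AuthProfile((ADMINS,), user_domain="domain"),
                           GroupMapping(), "steven.williams.da"))
    # Both overridden consistently: the check passes again.
    print(allow_list_check(AuthProfile((ADMINS,), user_domain="domain"),
                           GroupMapping(user_domain="domain"), "steven.williams.da"))
```

The useful check when troubleshooting is the second scenario: a domain string entered on one page (auth profile) but not the other (group mapping) produces exactly the "is not allowed with authentication profile" result before the firewall ever talks to LDAP, which is why a good LDAP server profile and a correct group listing do not by themselves prove the allow list will match.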