03-20-2012 03:43 AM
I have two AD domains.
I did the two LDAP and two Kerberos configs.
In the Authentication Sequence, ch-dom is the first one and the second is stebos. They are both Kerberos profiles.
Users in ch-dom can authenticate. Users in stebos immediately get an auth failure.
LDAP is working on both ADs; I can see users and groups.
In Traffic Monitor I don't see Kerberos traffic to the AD server holding stebos. What's wrong??
Mar 20 11:27:40 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:40 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:40 User 'ch-dom\testvpn' failed authentication. Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:41 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:41 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:41 User 'stebos\testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: False.
Mar 20 11:27:41 User 'testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:41 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:41 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:41 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:41 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:41 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:41 User 'ch-dom\testvpn' failed authentication. Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:42 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:42 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:42 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:42 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:42 User 'stebos\testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:42 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: True.
Mar 20 11:27:42 User 'testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
03-20-2012 11:49 AM
Multiple instances of the same user ID in different domains?
Question: why LDAP and Kerberos? Why not just use Kerberos? Are you using 4.1.x PAN-OS and the 4.1 PAN agent?
The fact that LDAP can browse and see the users and groups is independent of Kerberos being able to. If the auth sequences are using Kerberos, and all users from the stebos domain are failing, then maybe the Kerberos server profile for that domain is incorrectly set?
03-20-2012 10:36 PM
LDAP is only for group matching, that's correct.
Well, I found out that Kerberos is not working on that domain... Currently I have no idea why it works on ch-dom and does not work on stebos. Could that be a DNS issue?
03-20-2012 10:37 PM
Oh yes, I use 4.1.4 PAN-OS, and no, I use User Identification on the interface since I need it for GlobalProtect.
03-20-2012 10:46 PM
Looks like I found my own answer.
DNS Entries
If you are using Active Directory, it is easiest to use the AD DNS server as the PAN firewall DNS server. DNS entries already exist on this server that are needed for Kerberos authentication. If this option is not possible, make sure the DNS server that the PAN is using has Service Location (SRV) DNS entries for _kerberos._tcp and _kerberos._udp.
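One way to verify the SRV check from the DNS note above against the resolver the firewall is configured with (example code added for this thread, not from Palo Alto Networks or the posters): it builds a raw SRV query for _kerberos._tcp.<realm> with the Python standard library and parses the answer, returning an empty list when the server answers with an error code such as NXDOMAIN. The realm stebos.example, the resolver address 10.0.0.53 and the target dc1.stebos.example are assumptions.

```python
import socket, struct

SRV = 33  # DNS RR type for SRV (RFC 2782)

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels plus a terminating zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_srv_query(name, txid=0x1234):
    """DNS header (recursion desired) followed by one SRV/IN question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", SRV, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it in msg)."""
    labels, end = [], None
    while (ln := msg[off]) != 0:
        if ln & 0xC0 == 0xC0:  # compression pointer: remember the resume point once, then jump
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln
    return ".".join(labels), (off + 1 if end is None else end)

def parse_srv_answers(msg):
    """Return sorted [(priority, weight, port, target)] from the answer section; [] on an error RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE != NOERROR, e.g. NXDOMAIN (3) when the _kerberos SRV entry is missing
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + qtype + qclass
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            records.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(records)

def query_srv(name, dns_server, timeout=3.0):
    """Ask the resolver the firewall uses (assumed 10.0.0.53), e.g. query_srv('_kerberos._tcp.stebos.example', '10.0.0.53')."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (dns_server, 53))
        return parse_srv_answers(s.recv(4096))
```

Run it for both the _tcp and _udp names of the realm that fails; an empty result means the firewall's resolver cannot locate a KDC for that realm, which matches the symptom of no Kerberos traffic ever leaving for that domain.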