Authentication Sequence


I got two AD Domains.

I did the two LDAP and two Kerberos configs.

In the Authentication Sequence ch-dom is the first one and the second is stebos. They are both Kerberos profiles.

Users in ch-dom can authenticate. Users in stebos immediately get an auth failure.

LDAP is working on both AD, I can see users and groups.

In Traffic Monitor I don't see Kerberos traffic to the AD server holding stebos. What's wrong?

Mar 20 11:27:40 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:40 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:40 User 'ch-dom\testvpn' failed authentication.  Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:41 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:41 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:41 User 'stebos\testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: False.
Mar 20 11:27:41 User 'testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:41 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:41 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:41 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:41 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:41 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:41 User 'ch-dom\testvpn' failed authentication.  Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:42 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:42 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:42 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:42 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:42 User 'stebos\testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:42 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: True.
Mar 20 11:27:42 User 'testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
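
Added example (not part of the original post, and not vendor code): a small parser for the authd lines quoted above that groups them per profile in the authentication sequence, showing which profile was rejected by the allow list before any PAM/Kerberos call was logged and which one failed inside the PAM service. The regular expressions assume the log format exactly as quoted on this page; `SAMPLE` is an excerpt of those lines.

```python
import re

# Excerpt of the authd lines quoted in the post (first attempt only).
SAMPLE = r"""Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:40 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:40 User 'ch-dom\testvpn' failed authentication.  Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:40 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:41 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:41 User 'stebos\testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:41 User 'testvpn' failed authentication.  Reason: Invalid username/password From: 178.83.248.50.
"""

TRY = re.compile(r"Trying auth profile #(\d+) (\S+) in auth seq")
PAM = re.compile(r"Authenticating user using service ([^,\s]+),username (\S+)")
CODE = re.compile(r"authentication failed \((\d+)\)")
FAIL = re.compile(r"User '([^']+)' failed authentication\.\s+Reason: (.+?) From: ")

def triage(log_text):
    """Return one record per auth profile tried, in sequence order."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := TRY.search(line):
            cur = {"seq": int(m[1]), "profile": m[2], "pam_service": None,
                   "pam_code": None, "user": None, "reason": None}
            attempts.append(cur)
        elif "pan_authd_process_authresult" in line:
            cur = None  # lines after this describe the whole sequence
        elif cur is None:
            continue
        elif m := PAM.search(line):
            cur["pam_service"] = m[1]
        elif m := CODE.search(line):
            cur["pam_code"] = int(m[1])
        elif (m := FAIL.search(line)) and cur["reason"] is None:
            cur["user"], cur["reason"] = m[1], m[2]
    return attempts

def never_reached_backend(attempts):
    """Profiles rejected locally (no PAM/Kerberos call was logged)."""
    return [a["profile"] for a in attempts if a["pam_service"] is None]

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a)
```
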


Rofl... I now changed it from DNS proxy object back to DNS and entered the IP address of the firewall interface with the DNS proxy... and guess what, that works.

Guess that DNS proxy object uses only primary DNS and secondary but ignores proxy rules.

One point more... this works, but only because I entered as secondary the DNS proxy of the main firewall. You can't use the DNS proxy on the same firewall.
