Global Protect SSO user id

L3 Networker

I have a portal and 3 gateways set up, working with LDAP and Active Directory. It is set up to use user-logon with Single Sign On. All this works without issue. What I am having issues with is that I have my firewalls integrated with LDAP and Active Directory groups, and I use these groups for policy rules. What I am seeing is that the Global Protect user will sometimes show only userid in the traffic logs, and not domain\userid; at some point it will switch to using domain\userid. This is causing me issues. Any thoughts?

L5 Sessionator

markk96

I have usually seen this issue when "Enable Server Session Read" is enabled and the user tries to access any resources such as printers etc. Can you check if it is enabled and try disabling it if possible?

Hope it helps!

L3 Networker

Where is that setting?

L5 Sessionator

On the UserID agent or on the firewall (if Agentless)

L3 Networker

I have about 21 User-ID agent servers spread out across the globe; the default setting is set to 'NO' for Enable Server Session Read.

L5 Sessionator

Do you by any chance have the same user in the local database on the firewall?

L3 Networker

No local users configured. 

L5 Sessionator

Also, can you verify if the domain name is correctly configured in the server profile that you are using in the authentication profile for authentication in GP?

L3 Networker

In the LDAP server profile I left the domain blank, but when I do a show user user-ids match I get domain\user. I added the domain local name to the server profile. When I tested global connect, the traffic logs showed the id without the domain, but then switched over to domain\user after about a minute. Not sure if I just caught it on the cycle or not.

L5 Sessionator

markk96, make sure it is the NetBIOS domain name. To find out the NetBIOS domain name: How to Determine the NetBIOS Domain for LDAP Server Profile in Windows 2003 and 2008 Server
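
To measure how often, and for how long, traffic is logged with a bare userid before the domain\userid form appears (the symptom discussed in this thread), the following added example scans log rows and reports each affected IP and user. It is not code from any poster or from the vendor; the three-column row layout (time, source IP, source user) and the sample rows are constructed assumptions, so adapt the parsing to your own log export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows: time, source IP, source user. This simplified
# three-column layout is an assumption, not a real firewall export format.
SAMPLE = """\
2024-01-10 09:00:05,10.20.0.15,jdoe
2024-01-10 09:00:40,10.20.0.15,jdoe
2024-01-10 09:01:10,10.20.0.15,corp\\jdoe
2024-01-10 09:02:00,10.20.0.15,corp\\jdoe
2024-01-10 09:00:10,10.20.0.22,corp\\asmith
2024-01-10 09:03:00,10.20.0.22,corp\\asmith
2024-01-10 09:05:00,10.20.0.31,bkim
"""

def split_user(raw):
    """Return (domain, user), lower-cased; domain is '' for a bare userid."""
    domain, _, user = raw.strip().rpartition("\\")
    return domain.lower(), user.lower()

def find_bare_windows(text):
    """Per (IP, user): rows logged without a domain, seconds until qualified."""
    seen = defaultdict(lambda: {"bare": [], "qualified": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, raw = line.split(",", 2)
        domain, user = split_user(raw)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        seen[(ip, user)]["qualified" if domain else "bare"].append((when, domain))
    findings = []
    for (ip, user), rows in sorted(seen.items()):
        if not rows["bare"]:
            continue  # this IP/user pair was never logged without a domain
        first_bare = min(t for t, _ in rows["bare"])
        later = sorted(r for r in rows["qualified"] if r[0] >= first_bare)
        findings.append({
            "ip": ip, "user": user, "bare_rows": len(rows["bare"]),
            "domain": later[0][1] if later else None,
            "seconds_unqualified":
                (later[0][0] - first_bare).total_seconds() if later else None,
        })
    return findings

if __name__ == "__main__":
    for finding in find_bare_windows(SAMPLE):
        print(finding)
```

A `seconds_unqualified` of `None` means the user was never seen with a domain in the scanned rows, which is worth checking separately from the short-lived case.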
