This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global Protect SSO user id

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect SSO user id

markk96
L3 Networker

‎10-09-2014 10:19 AM

I have a portal and 3 gateways setup working with LDAP and active directory. It is setup to use user-logon with Single Sign On. All this works without issue. What I am having issues with is I have my firewalls intergrated with LDAP and Active directory groups, I use these groups for policy rules.    What I am seeing, is that the Global Protect user will sometimes show only userid in the traffic logs, and not domain\userid, at some point it will switch to using domain\userid.   This is causing me issues.  Any thoughts?

1 person had this problem.
0 Likes Likes
10 REPLIES 10

bat
L5 Sessionator

‎10-09-2014 10:21 AM

markk96

I have usually seen this issue when "Enable Server Session Read" is enabled and the user tries to access any resources such as printers etc. Can you check if it is enabled and try disabling it if possible ?

Hope it helps !

0 Likes Likes

markk96
L3 Networker
In response to bat

‎10-09-2014 10:22 AM

Where is that setting?

0 Likes Likes

bat
L5 Sessionator
In response to markk96

‎10-09-2014 10:25 AM

On the UserID agent or on the firewall (if Agentless)

0 Likes Likes

markk96
L3 Networker
In response to bat

‎10-09-2014 10:29 AM

I have about 21 user id agents servers spread out across the globe, the default setting is set to 'NO' for Enable Server Session Read.

0 Likes Likes

bat
L5 Sessionator
In response to markk96

‎10-09-2014 10:35 AM

Do you by any chance the same user in the local database on the firewall ?

0 Likes Likes

markk96
L3 Networker
In response to bat

‎10-09-2014 10:39 AM

No local users configured. 

0 Likes Likes

bat
L5 Sessionator
In response to markk96

‎10-09-2014 10:45 AM

Also can you verify if domain name is correctly configured in server profile that you are using in the authentication profile for authentication in GP.

0 Likes Likes

markk96
L3 Networker
In response to bat

‎10-09-2014 10:54 AM

In the ldap server profile I left the domain blank, but when do a show user user-ids match i get domain\user.  I added the domain local name to the server profile.  When I tested global connect the traffic logs showed the id without the domain, but then switched over to domain\user after about a minute.  not sure if i just caught it on the cycle or not.

0 Likes Likes

bat
L5 Sessionator
In response to markk96

‎10-09-2014 11:00 AM

markk96 Make sure it is the netbios domain name, to find out netbios domain name: How to Determine the NetBIOS Domain for LDAP Server Profile in Windows 2003 and 2008 Server

markk96
L3 Networker
In response to bat

‎10-09-2014 11:01 AM

I did put the netbios name in, so far so good.  Thank you so much.

  • 5195 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks