11-29-2021 02:10 PM
Hi,
I have a test AD/PA setup.
AD and LDAP connectivity is okay so far.
My problem is that I am unable to authenticate any user against Global Protect.
The un/pw are correct.
The group is correct too, as far as I can see.
This is the output I get when trying to authenticate:
SITE1> test authentication authentication-profile AUTHPROFILE username paloeveng.local\gpuser password
Enter password :
Target vsys is not specified, user "paloeveng.local\gpuser" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
user "paloeveng.local\gpuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "paloeveng.local\gpuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "gpuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "paloeveng.local\gpuser"
Authentication failed for user "paloeveng.local\gpuser"
===========
SITE1> show user group name "cn=paloalto,ou=firewall,dc=paloeveng,dc=local"
short name: paloeveng.local\paloalto
source type: ldap
source: Paloeveng-profile
[1 ] paloeveng.local\gpuser
===========
What am I missing within the config?
Thank you in advance.
11-29-2021 06:14 PM
Have you verified the actual authentication profile that you're attempting to utilize? That's really where I would be focusing my attention on.
Do you have sAMAccountName for the Login Attribute? Do you specify your User Domain or Username Modifier?
11-30-2021 12:53 PM
Hi,
The authentication is against the below:
a user called "gpuser" is part of this
When I try to authenticate the user "gpuser" against AD, i get the following message:
SITE1> test authentication authentication-profile AUTHPROFILE username gpuser password
Enter password :
Target vsys is not specified, user "gpuser" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
user "paloeveng.local\gpuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "gpuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "gpuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "gpuser"
Authentication failed for user "gpuser"
I am not sure what this bit means: "Received empty DN for user "gpuser""
If you need any more info, let me know.
Thanks.
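An added illustration, not code from this thread or from PAN-OS: a small Python model of the two steps behind the test output above (search the base DN for an entry whose Login Attribute equals the supplied name, then bind as the DN that comes back). It shows the three configuration mismatches that leave the first step with nothing to return, which is what "Received empty DN" reports: the domain prefix still attached to the name, a Login Attribute the AD object does not carry, and a Base DN that does not contain the user. The directory entry, DNs and helper names are constructed for the example.

```python
import re

# Constructed stand-in for the AD tree; in reality this is an LDAP search.
DIRECTORY = {
    "cn=gpuser,ou=firewall,dc=paloeveng,dc=local": {
        "sAMAccountName": "gpuser",
        "userPrincipalName": "gpuser@paloeveng.local",
        "memberOf": "cn=paloalto,ou=firewall,dc=paloeveng,dc=local",
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def normalize_username(user_input: str) -> str:
    """Strip a DOMAIN\\ prefix or @domain suffix, as the firewall does when
    its User Domain / Username Modifier settings separate domain from user."""
    if "\\" in user_input:
        return user_input.split("\\", 1)[1]
    return user_input.split("@", 1)[0]


def build_filter(login_attribute: str, username: str) -> str:
    """The search filter the first authentication step would send."""
    return f"({login_attribute}={escape_filter_value(username)})"


def lookup_dn(base_dn: str, login_attribute: str, username: str) -> str:
    """Return the DN whose login attribute matches, or "" (an empty DN)."""
    for dn, attrs in DIRECTORY.items():
        in_scope = dn == base_dn or dn.endswith("," + base_dn)
        if in_scope and attrs.get(login_attribute) == username:
            return dn
    return ""


def diagnose(base_dn: str, login_attribute: str, user_input: str,
             strip_domain: bool) -> dict:
    """Run the search step with a given profile setup and report the result.
    An empty "dn" is the condition the firewall logs as "Received empty DN";
    the bind step never happens because there is no DN to bind as."""
    name = normalize_username(user_input) if strip_domain else user_input
    return {"filter": build_filter(login_attribute, name),
            "dn": lookup_dn(base_dn, login_attribute, name)}
```

Running `diagnose` with the thread's inputs shows that "paloeveng.local\gpuser" searched verbatim against sAMAccountName returns nothing, while the same name with the domain stripped resolves, and that a plain "gpuser" still returns nothing if the Login Attribute or Base DN is wrong.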
03-31-2022 01:29 PM
Hi,
Does anyone know how to resolve this?
Thanks,