GP / PA GUI fault

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GP / PA GUI fault

L1 Bithead

Hi, 

 

I currently have Palo running within a EVENG environment.

I have set up Global Protect, the problem seems to be every time I try to log into GP using an AD account. I am automatically logged out of the Palo GUI. Furthermore, the username/password does not even authenticate, even though the un/pw is correct,

 

Has anyone had this problem ? 

 

Thank you in advance.

1 accepted solution

Accepted Solutions

After further looking into this:

 

>less mp-log authd.log

2022-04-04 16:34:52.266 +0100 debug: _get_auth_prof_detail(pan_auth_util.c:1099): non-admin user thru Global Protect "GPuser" ; auth profile "AUTHPROFILE" ; vsys "vsys1"
2022-04-04 16:34:52.266 +0100 debug: _get_authseq_profile(pan_auth_util.c:886): Auth profile/vsys (AUTHPROFILE/vsys1) is NOT auth sequence
2022-04-04 16:34:52.266 +0100 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for AUTHPROFILE-vsys1-mfa
2022-04-04 16:34:52.266 +0100 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1055): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: AU
THPROFILE/vsys1)
2022-04-04 16:34:52.266 +0100 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1066): MFA configured, but bypassed for GP user ''. (prof/vsys: AUTHPROFILE/vsys1)
uest->username
2022-04-04 16:34:52.268 +0100 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:569): This is a single vsys platform, group check for allow list is performed on "vsys1"
2022-04-04 16:34:52.271 +0100 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1835): Authenticating user "GPuser" with <profile: "AUTHPROFILE", vsys: "vsys1">
2022-04-04 16:34:52.271 +0100 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for AUTHPROFILE-vsys1


2022-04-04 16:34:52.273 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1132): searching basedn "DC=paloeveng, DC=local" for filter "(uid=GPuser)", attrs "framedIPAddress",
LDAPp=0x559d6c17c670
2022-04-04 16:34:52.338 +0100 Error: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1193): Received empty DN for user "GPuser". Try to re-establish the connection


2022-04-04 16:34:52.338 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1328): binding back to binddn: paservice@paloeveng.local (Try 1)
2022-04-04 16:34:52.338 +0100 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:637): binding with binddn paservice@paloeveng.local
2022-04-04 16:34:52.358 +0100 Error: _start_sync_auth(pan_auth_service_handle.c:749): sync request for user "GPuser" is failed or possibly timed out against 192.168.150.10:389 with 0th VOID
p=0x559d6c17c670
gine.c:4322): auth status: auth state unknown

 

Strolled through the basedn on AD, which was correct

Vimz888_3-1649091054600.png

 

After looking into it further via 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpoCAC

 

There was a misconfiguration on the LDAP profile, which caused the issue.

 

Vimz888_0-1649090489028.png

Changed the following

 

Vimz888_1-1649090522697.png

 

The "Type" was set to "other" instead of "active-directory"

 

Vimz888_2-1649090551274.png

 

Thank you and I hope this helps anyone having the same issue.

 

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

It sounds to me like there are a few multiple issues going on.    Let's start with the GP user... if you have the correct user/pass and it fails, have you configured to use a local account (and NOT a local admin account), but local user database user.  You may want to try that first.  If that works but fails with AD, then you may want to check your service account, credentials, IP, as this would be the last/final place to look.
As for the login to the GUI, please try to use 2 different browser instances (not 2 browser tabs)

I have seen this on my own computer, where I get logged out when I have same browser, but 2 tabs.  I get logged out.

Help the community: Like helpful comments and mark solutions

Hi,

 

Thank you for your response. 

 

I tried using another instance of the browser (chrome), but had the same issue. It logged me out straight away.

- just for clarity, I was using :4443 for the GUI portal and :443 for GP. 

 

Used a completely different browser (Edge), AND that did RESOLVE the issue - my question is why would it sign you out on the same browser, it's using different ports.

 

====

With regard to the authentication locally, that is working fine.

 

I am able to log into GP with the un/pw set locally.

 

name VPN1 passwordE1> test authentication authentication-profile AUTH-Local user
Enter password :

Target vsys is not specified, user "VPN1" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "VPN1" is in group "all"

Authentication by Local User Database for user "VPN1"

Authentication succeeded for Local User Database user "VPN1"

 

==

I tested the authentication of the UN/PW and this is the output I get, 

AD is connected, I can authenticate the username/password on the machine that are connected to the domain. It is only GP that does not want to work.

 

rname GPuser password test authentication authentication-profile AUTHPROFILE use
Enter password :

Target vsys is not specified, user "GPuser" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "paloeveng.local\GPuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "GPuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "GPuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "GPuser"


Authentication failed for user "GPuser"

 

Not sure what this is indicating 

Received empty DN for user "GPuser"

 

Thanks, 

 

 

 

 

 

 

 

 

 

 

After further looking into this:

 

>less mp-log authd.log

2022-04-04 16:34:52.266 +0100 debug: _get_auth_prof_detail(pan_auth_util.c:1099): non-admin user thru Global Protect "GPuser" ; auth profile "AUTHPROFILE" ; vsys "vsys1"
2022-04-04 16:34:52.266 +0100 debug: _get_authseq_profile(pan_auth_util.c:886): Auth profile/vsys (AUTHPROFILE/vsys1) is NOT auth sequence
2022-04-04 16:34:52.266 +0100 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for AUTHPROFILE-vsys1-mfa
2022-04-04 16:34:52.266 +0100 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1055): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: AU
THPROFILE/vsys1)
2022-04-04 16:34:52.266 +0100 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1066): MFA configured, but bypassed for GP user ''. (prof/vsys: AUTHPROFILE/vsys1)
uest->username
2022-04-04 16:34:52.268 +0100 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:569): This is a single vsys platform, group check for allow list is performed on "vsys1"
2022-04-04 16:34:52.271 +0100 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1835): Authenticating user "GPuser" with <profile: "AUTHPROFILE", vsys: "vsys1">
2022-04-04 16:34:52.271 +0100 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for AUTHPROFILE-vsys1


2022-04-04 16:34:52.273 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1132): searching basedn "DC=paloeveng, DC=local" for filter "(uid=GPuser)", attrs "framedIPAddress",
LDAPp=0x559d6c17c670
2022-04-04 16:34:52.338 +0100 Error: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1193): Received empty DN for user "GPuser". Try to re-establish the connection


2022-04-04 16:34:52.338 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1328): binding back to binddn: paservice@paloeveng.local (Try 1)
2022-04-04 16:34:52.338 +0100 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:637): binding with binddn paservice@paloeveng.local
2022-04-04 16:34:52.358 +0100 Error: _start_sync_auth(pan_auth_service_handle.c:749): sync request for user "GPuser" is failed or possibly timed out against 192.168.150.10:389 with 0th VOID
p=0x559d6c17c670
gine.c:4322): auth status: auth state unknown

 

Strolled through the basedn on AD, which was correct

Vimz888_3-1649091054600.png

 

After looking into it further via 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpoCAC

 

There was a misconfiguration on the LDAP profile, which caused the issue.

 

Vimz888_0-1649090489028.png

Changed the following

 

Vimz888_1-1649090522697.png

 

The "Type" was set to "other" instead of "active-directory"

 

Vimz888_2-1649090551274.png

 

Thank you and I hope this helps anyone having the same issue.

 

  • 1 accepted solution
  • 2624 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!