03-31-2022 12:20 PM
Hi,
I currently have Palo running within a EVENG environment.
I have set up Global Protect. The problem seems to be that every time I try to log into GP using an AD account, I am automatically logged out of the Palo GUI. Furthermore, the username/password does not even authenticate, even though the un/pw is correct.
Has anyone had this problem ?
Thank you in advance.
04-04-2022 09:54 AM
After further looking into this:
> less mp-log authd.log
2022-04-04 16:34:52.266 +0100 debug: _get_auth_prof_detail(pan_auth_util.c:1099): non-admin user thru Global Protect "GPuser" ; auth profile "AUTHPROFILE" ; vsys "vsys1"
2022-04-04 16:34:52.266 +0100 debug: _get_authseq_profile(pan_auth_util.c:886): Auth profile/vsys (AUTHPROFILE/vsys1) is NOT auth sequence
2022-04-04 16:34:52.266 +0100 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for AUTHPROFILE-vsys1-mfa
2022-04-04 16:34:52.266 +0100 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1055): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: AUTHPROFILE/vsys1)
2022-04-04 16:34:52.266 +0100 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1066): MFA configured, but bypassed for GP user ''. (prof/vsys: AUTHPROFILE/vsys1)
uest->username
2022-04-04 16:34:52.268 +0100 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:569): This is a single vsys platform, group check for allow list is performed on "vsys1"
2022-04-04 16:34:52.271 +0100 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1835): Authenticating user "GPuser" with <profile: "AUTHPROFILE", vsys: "vsys1">
2022-04-04 16:34:52.271 +0100 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for AUTHPROFILE-vsys1
2022-04-04 16:34:52.273 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1132): searching basedn "DC=paloeveng, DC=local" for filter "(uid=GPuser)", attrs "framedIPAddress", LDAPp=0x559d6c17c670
2022-04-04 16:34:52.338 +0100 Error: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1193): Received empty DN for user "GPuser". Try to re-establish the connection
2022-04-04 16:34:52.338 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1328): binding back to binddn: paservice@paloeveng.local (Try 1)
2022-04-04 16:34:52.338 +0100 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:637): binding with binddn paservice@paloeveng.local
2022-04-04 16:34:52.358 +0100 Error: _start_sync_auth(pan_auth_service_handle.c:749): sync request for user "GPuser" is failed or possibly timed out against 192.168.150.10:389 with 0th VOID p=0x559d6c17c670
gine.c:4322): auth status: auth state unknown
Strolled through the basedn on AD, which was correct.
After looking into it further via https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpoCAC, there was a misconfiguration on the LDAP profile, which caused the issue.
Changed the following:
The "Type" was set to "other" instead of "active-directory".
Thank you and I hope this helps anyone having the same issue.
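Added here as an illustration, not code from the thread or from Palo Alto Networks: a small Python checker that reads authd.log lines like the ones above, pairs each LDAP search with a following "Received empty DN" error for the same user, and flags the combination seen in this thread, a (uid=...) filter against a DC=-only base DN, which is what an LDAP server profile of Type "other" produces where "active-directory" would search on sAMAccountName. The sample lines are constructed from the excerpt above (pointer values dropped), and the regexes and the sAMAccountName rule are my assumptions.

```python
import re

# Constructed sample lines modelled on the authd.log excerpt in this thread.
SAMPLE_LOG = """\
2022-04-04 16:34:52.273 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1132): searching basedn "DC=paloeveng, DC=local" for filter "(uid=GPuser)", attrs "framedIPAddress",
2022-04-04 16:34:52.338 +0100 Error: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1193): Received empty DN for user "GPuser". Try to re-establish the connection
2022-04-04 16:35:10.100 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1132): searching basedn "DC=paloeveng, DC=local" for filter "(sAMAccountName=GPuser)", attrs "framedIPAddress",
"""

# Assumed line shapes, taken from the excerpt above.
SEARCH_RE = re.compile(
    r'searching basedn "(?P<base>[^"]+)" for filter "\((?P<attr>\w+)=(?P<user>[^)]+)\)"')
EMPTY_DN_RE = re.compile(r'Received empty DN for user "(?P<user>[^"]+)"')


def is_ad_style_base(base_dn):
    """True when every RDN of the base DN is a DC= component (an AD domain root)."""
    return all(part.strip().upper().startswith("DC=") for part in base_dn.split(","))


def diagnose(log_text):
    """Map user -> finding for each user whose LDAP search was followed by
    an empty DN.  The search attribute is what tells the two causes apart."""
    last_search = {}   # user -> (base_dn, login attribute used in the filter)
    findings = {}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            last_search[m["user"]] = (m["base"], m["attr"])
            continue
        m = EMPTY_DN_RE.search(line)
        if m and m["user"] in last_search:
            base, attr = last_search[m["user"]]
            if is_ad_style_base(base) and attr.lower() != "samaccountname":
                # AD keys logons on sAMAccountName; a uid filter returns nothing,
                # so the profile Type is most likely 'other', not 'active-directory'.
                findings[m["user"]] = (
                    f"filter ({attr}=...) against AD base {base!r}: LDAP server "
                    "profile Type is probably 'other' rather than 'active-directory'")
            else:
                findings[m["user"]] = (
                    f"empty DN with attribute {attr}: check that the user exists under "
                    f"{base!r} and that the bind account can read it")
    return findings


if __name__ == "__main__":
    for user, finding in diagnose(SAMPLE_LOG).items():
        print(f"{user}: {finding}")
```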
03-31-2022 05:01 PM
It sounds to me like there are a few issues going on. Let's start with the GP user... if you have the correct user/pass and it fails, have you configured it to use a local account (NOT a local admin account, but a local user database user)? You may want to try that first. If that works but fails with AD, then you may want to check your service account, credentials, and IP, as this would be the last/final place to look.
As for the login to the GUI, please try to use 2 different browser instances (not 2 browser tabs).
I have seen this on my own computer, where I get logged out when I use the same browser with 2 tabs.
04-04-2022 06:17 AM - edited 04-04-2022 07:55 AM
Hi,
Thank you for your response.
I tried using another instance of the browser (chrome), but had the same issue. It logged me out straight away.
- just for clarity, I was using :4443 for the GUI portal and :443 for GP.
Used a completely different browser (Edge), AND that did RESOLVE the issue. My question is why it would sign you out on the same browser, since it's using different ports.
====
With regard to the authentication locally, that is working fine.
I am able to log into GP with the un/pw set locally.
E1> test authentication authentication-profile AUTH-Local username VPN1 password
Enter password :
Target vsys is not specified, user "VPN1" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "VPN1" is in group "all"
Authentication by Local User Database for user "VPN1"
Authentication succeeded for Local User Database user "VPN1"
==
I tested the authentication of the UN/PW and this is the output I get.
AD is connected; I can authenticate the username/password on machines that are connected to the domain. It is only GP that does not want to work.
> test authentication authentication-profile AUTHPROFILE username GPuser password
Enter password :
Target vsys is not specified, user "GPuser" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
user "paloeveng.local\GPuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "GPuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "GPuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "GPuser"
Authentication failed for user "GPuser"
Not sure what this is indicating
Received empty DN for user "GPuser"
Thanks,