08-04-2025 05:20 PM - edited 08-04-2025 05:21 PM
Hi
When I'm running "test authentication authentication-profile "'LDAP Auth Profile" username myldapUser password" on the ssh cli, it authenticates successfully.
however when i try to log in on the web interface of global protect, i get this on the webui log:
failed authentication for user 'myDomain\myldapUser'. Reason: Invalid username/password. auth profile 'LDAP Auth Profile', vsys 'vsys1', server profile 'myDomain Active Directory', server address 'myLDAP-IP', From: myHomeIP.
(i'm not entirely sure what is vsys1 but i understand it is the default virtual system and it cannot be deleted.)
I'm not sure what I am doing wrong.
In GlobalProtect Portal Configuration / Authentication I set the "LDAP Auth Profile" as first.
"
In the authentication profile i set "%USERINPUT%@%USERDOMAIN%" and add myDomain.local above it and in the Advanced tab i added "All".
Please let me know what additional info i need to provide, and/or if what to do to make this work
thanks
08-05-2025 10:45 AM
Thanks.
The solution was to add sAMAccountName for "Login Attribute" and not to use myDomain.local but DC=myDomain,DC=local where it is asking for "User Domain:" which is far from obvious. But I thought it worth a try.
Maybe this will help others.
08-05-2025 01:24 AM
Hi @gabe ,
Username format mismatch is a likely cause of this.
The CLI test uses the exact username you type, but the GlobalProtect portal's web form and its configuration may be reformatting the username before sending it to the LDAP server.
Your portal log shows "myDomain\myldapUser," which is the sAMAccountName format. Your CLI test likely worked with "myldapUser". The LDAP server profile may be configured to expect a different format, such as an email address or a different domain.
In your Authentication Profile, you have "%USERINPUT%@%USERDOMAIN%". This setting is correct for formats like "user@domain.com". However, if your users are accustomed to logging in with "myDomain\myldapUser", you need to explicitly tell the firewall to handle that.
Ensure the Login Attribute is set correctly to match the type of username you are sending.
For example if you're using %USERINPUT%@%USERDOMAIN%, the Login Attribute should be userPrincipalName. If you're using just %USERINPUT% (and your users don't include the domain), it should be sAMAccountName.
Hope this helps,
-Kim.
08-05-2025 10:45 AM
Thanks.
The solution was to add sAMAccountName for "Login Attribute" and not to use myDomain.local but DC=myDomain,DC=local where it is asking for "User Domain:" which is far from obvious. But I thought it worth a try.
Maybe this will help others.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
