07-17-2017 04:24 AM
Hello,
I'm trying to configure NTLM Authentication over Captive Portal for users in my network. I have a PA-500. I set the following configuration parameters:
1. LDAP Server Profile
2. Authentication Profile
3. Authentication Policy (Authentication enforcement is "default-browser-challenge")
4. User-ID checkbox on the trust zone
5. Generate certificate and made SSL/TLS service Profile
6. Enable Captive Portal and NTLM Authentication with redirecting to IP-address of the trust zone Interface
7. Service Account included in the Event Log Reader and Distributed COM groups, and this account was delegated rights to join computers to the domain.
8. In ou=Computers a Computer Account was created for my PA. Then the Service account (according to logs on the DC) made some changes to that Computer Account and then deleted that Computer Account automatically.
And now users enter site names in the IE address bar and are redirected to the web-form authentication. But even if the user enters the right password, the web form shows the "Wrong username/password" message. In the system logs there are messages "SSO NTLM Authentication failed". And there are no entries in the User-IP table.
Installed PAN-OS: 8.0.3-h4.
I need an agentless User-ID configuration with NTLM Authentication. What am I doing wrong?
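Two of the prerequisites in the post above (the service account's group membership, and the firewall's computer account that keeps disappearing from ou=Computers) can be verified from a domain controller before touching the firewall. The following PowerShell is an added example for this thread, not Palo Alto's own tooling or anything posted by the author; the account names, computer name and domain are placeholders, and it assumes the RSAT ActiveDirectory module is installed and that the DC audits account management (event IDs 4741/4742/4743 are the standard Windows "computer account created/changed/deleted" events).

```powershell
# Added example (not from the thread): check the AD-side prerequisites for
# agentless User-ID with NTLM described in the original post.
# Placeholders: adjust the three values below to your environment.
Import-Module ActiveDirectory

$ServiceAccount   = 'svc-paloalto'   # placeholder: the User-ID service account
$FirewallComputer = 'PA500-CP'       # placeholder: computer account created for the PA
$RequiredGroups   = @('Event Log Readers', 'Distributed COM Users')  # built-in AD groups

# 1. Is the service account a direct member of both required built-in groups?
#    Note: MemberOf lists direct memberships only; nested membership is not resolved here.
function Test-UserIdServiceAccount {
    param([string]$SamAccountName, [string[]]$Groups)
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop
    $memberOf = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    foreach ($g in $Groups) {
        [pscustomobject]@{ Check = "'$SamAccountName' is a member of '$g'"; Ok = ($memberOf -contains $g) }
    }
}

# 2. Does the firewall's computer account still exist, and is it enabled?
function Test-FirewallComputerAccount {
    param([string]$Name)
    $computer = Get-ADComputer -Filter "Name -eq '$Name'" -Properties Enabled, whenCreated
    if ($null -eq $computer) {
        [pscustomobject]@{ Check = "Computer account '$Name' exists"; Ok = $false }
        return
    }
    [pscustomobject]@{ Check = "Computer account '$Name' exists";  Ok = $true }
    [pscustomobject]@{ Check = "Computer account '$Name' enabled"; Ok = [bool]$computer.Enabled }
}

# 3. Who created/changed/deleted that computer account recently? (run on the DC)
#    4741 = computer account created, 4742 = changed, 4743 = deleted.
function Get-FirewallComputerAccountEvents {
    param([string]$Name, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4741, 4742, 4743; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Name) } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Action'; Expression = { @{4741='created';4742='changed';4743='deleted'}[$_.Id] } },
            @{ Name = 'Subject'; Expression = { ($_.Message -split "`n" | Select-String 'Account Name:' | Select-Object -First 1).ToString().Trim() } }
}

# Run all three checks and print a compact report.
Test-UserIdServiceAccount   -SamAccountName $ServiceAccount -Groups $RequiredGroups | Format-Table -AutoSize
Test-FirewallComputerAccount -Name $FirewallComputer                                 | Format-Table -AutoSize
Get-FirewallComputerAccountEvents -Name $FirewallComputer                            | Format-Table -AutoSize
```

If the third check shows a 4743 deletion whose Subject is the service account itself, that matches what the post describes (the account removing the computer object it had just created) and is worth including in a TAC case; a false result on the group checks points at the "Event Log Reader" / "Distributed COM" step rather than at the firewall.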
07-17-2017 05:57 AM
Is the failure strictly with IE? They made some changes that break this on IE11 unless you revert to how things were configured previously. The article below specifies what changes would have to be made.
07-17-2017 06:16 AM
IE is the base browser in our organization. Therefore I'm trying to connect to the Internet exactly by IE. I saw this article about IE11 and added the Captive Portal redirect host to the Intranet zone. But no effect...
07-17-2017 07:06 AM
Could you share a screenshot of your NTLM configuration? Also, can you verify that you did not include the domain name within the Admin User section of the configuration.
07-17-2017 07:14 AM
You can find the screenshot:
07-17-2017 11:34 AM
I'm starting to wonder if the issue isn't with the firewall removing itself from the computer OU that is causing you issues. You might want to disable NTLM, commit, and then enable it again and see what happens.
When you run 'show user server-monitor state all' on the firewall do you see any NTLM stats there?
07-18-2017 12:30 AM
It's a wonder for me too. Disable NTLM - Commit - Enable NTLM - Commit has no effect.
Logs from DC:
Find the output from 'show user server-monitor state all':
UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is disabled
Maybe I missed setting some parameter? Or is this a bug of PAN-OS 8.0.3?
07-18-2017 05:40 AM
It could very well be a bug, it looks like you have everything configured correctly and your service account appears to be functioning perfectly fine. I would open a case with TAC if able so you can get their input.
07-18-2017 05:51 AM
Thank you. But now is the best way to downgrade to 7.0.17?