PAN OS 5.0 and AD authentication problem


Hello

I have a little problem with my PA-5020. After upgrading the OS to version 5.0, my user authentication to log on as an administrator via LDAP and Kerberos doesn't work. I had users mapped to an allow list by AD group:

cn=administratorzy paloalto,ou=urzĄdzenia,ou=grupy zasobÓw,dc=my,dc=domain,dc=name,

It was working fine with OS 4.X, but after updating to 5.0 I got errors:

User 'my.domain.name\myuser' failed authentication.  Reason: User is not in allowlist From: x.x.x.x

After adding the user directly ("my.domain.name\myuser") to the allow list it works perfectly.

At first I thought it was a problem with my OU names containing ó and ą, which are Polish letters, but I moved that group to a different OU without them and it still doesn't work.

It looks like the PA doesn't see the members of my groups.

The weird thing is that I also have a policy based on users belonging to different groups, and that mapping works fine.


Thank you Rod. Glad to know that the script is working on your network.

1. 1st issue -- Are you using the PA as a corp firewall or just Vwire? We got two bugs after upgrading to 5.0.3 with the network, and we rolled back to 4.1.7h2. Currently waiting for the last bug fix.

2. 2nd issue -- I had some screenshots of the settings (not all). Basically we followed https://live.paloaltonetworks.com/docs/DOC-2020. The cert is on the tested laptop and we did see pre-logon in the admin web GUI before the Alt, Del and Ctrl keys are pressed. We unchecked IPsec and use SSL only, but we did not put pre-logon (we use any) in the source user client configuration on page 50 of DOC-2020.

Question: Do you leave the Domain section blank in the LDAP configuration?

Is the VPN connection detail on the GP client or in the Admin GUI?

I am also waiting for a bug fix (we have already been hit by lots of bugs). We have 85% CPU on the dataplane; not sure what your DP usage is during peak hours. Will do the GP test on the new firmware.

Thank you

Daniel
