03-03-2014 02:06 AM
Hi all. I have a problem with domain users logging in to Palo Alto's Portal. I already configured it according to the document Admin Guide v5.0. However, it doesn't work correctly; domain accounts cannot log in. Please help me fix this problem. Thanks
03-03-2014 02:30 AM
Are you using the agent or agentless option of AD integration?
Please share with us a screenshot of your LDAP profile (the domain field should contain the NetBIOS name of your domain; this is a common mistake).
Regards
Slawek
03-03-2014 03:42 AM
Hi Slv,
I used agentless AD integration.
My LDAP profile picture is below:
Palo Alto sees user accounts in the domain:
However, I configured the domain user account to enable logon to the Palo Alto Portal as below:
After that, I log in to the Palo Alto Portal, but an error appears.
This user belongs to the domain.
Thanks
Regards,
03-03-2014 03:57 AM
Hi Hientt
Is the field with the arrow really empty?
From the CLI, please launch
show user ip-user-mapping all
or
show user user-IDs match-user g10005
Do you see users from the selected OU?
Regards
Slawek
03-03-2014 04:14 AM
Hi,
The field with the arrow is empty.
From the CLI, I typed the commands from your comment and saw the user account information:
Thanks
03-03-2014 04:27 AM
Please put your NetBIOS domain name in the Domain field, e.g. for contoso.local you should put contoso there.
If you try to log on using contoso\g10005, what do you get in the system logs related to the logon process?
What version of PAN are you using?
I have 5.0.9, and in Device>Management>Authentication settings I have the info "Authentication profile to use for non-local admins. Only RADIUS method is supported."
Maybe this is the problem?
Regards
Slawek
03-03-2014 04:38 AM
Hi Slv,
I have version 5.0.8. In addition, I have a domain name, for example abc.cde.local. So what do I have to put in Domain?
I'm from Vietnam, so I came back home. I will try later.
Thanks
03-03-2014 04:55 AM
That's a good question. In my opinion, please put abc.cde and try to log on using abc.cde\g10005.
For troubleshooting, I can recommend creating a security policy that will allow, e.g., access to google.com only for the g10005 user, and you will see whether it is working or not.
Regards
Slawek