Problem with domain users to log in Palo Alto's Portal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Problem with domain users to log in Palo Alto's Portal

Not applicable

HI all. I have the problem with domain users to log in Palo Alto's Portal. I configured as document: Admin Guide v5.0 already. However, It doesn't work correctly, domain account cannot log in. Please support me to fix this problem. Thanks

7 REPLIES 7

L4 Transporter

Are you using agent or agentless options od AD integration?

Please share with us screenshot of your LDAP profile (in domain field should be netbios name of your domain - this is common mistake)

Regards

Slawek

Hi Slv,

I used agentless AD integration.

My LDAP profile Picture as below:

Palo Alto sees user accounts in domain:

However I configured domain user account to enable log on Portal of Palo Alto as below:

After that, I log in Palo Alto Portal, but error appears

This user belongs to domain.

Thanks

Regards,

L4 Transporter

Hi Hientt

2014-03-03_125218.png

The field with arrow is really empty?

From CLI please lunch

show user ip-user-mapping all

or

show user user-IDs match-user g10005

Did You see users from selected OU ?

Regards

SLawek

Hi,

The field with arrow is empty.

From CLI, I typed as your comment and saw  information of user accounts:

Thanks

Please put in Domain your netbios domain name, ie for contoso.local you should put there contoso

If You try to logon using contoso\g10005 what did you get in system logs related to logon process?

What version of PAN are You using?

I have 5.0.9 and in Device>Management>Authentication settings I have info "Authentication profile to use for non-local admins. Only RADIUS method is supported."

Maybe thsi is a problem?

Regards

Slawek

Hi Slv,

I have version 5.0.8. In addition, I have domain name. For example: abc.cde.local .So What do I have to put in Domain ?

I'm from Vietnam,  so I came back home. I will try later.

Thanks

That's good question, in my opinion please put abc.cde and try to logon using abc.cde\g10005.

I can recomendate for troubleshooting create security policy that will allow ie. accees for google.com only for g10005 user and You will see is it working or now.

Regards

Slawek

  • 3273 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!