I am trying to get AD authentication to work for GlobalProtect. I have been following this document https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmAdCAK for configuring the AD integration part, and it says:
Before you integrate a Palo Alto Networks device with AD, you must create a user ID in AD that you'll use to access LDAP. At a minimum, this account must be a member of the built-in Server Operators group in AD. For security reasons and to be compliant with the best practices, you should adhere to the minimum access rights for this account.
I put the account that I created in the Server Operators group, however when it tries to connect to a domain controller, I get Access Denied (Device > User Identification > User Mapping > Server Monitoring box). If I stick that account in the Domain Admins group, I get Connected. So, is the document wrong about the minimum required access rights, or am I missing a permission someplace else?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!