User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

L1 Bithead


Hi Community,

Having a headache of an issue lately and I believe it to be an issue in the customer environment rather than a configuration setting on the firewall or a software issue in PAN-OS.

I've little experience with enterprise Active Directory, so I learn as I go.

At the moment, the customer has been using the Domain DNS for the User Domain settings in Authentication Profiles and Group Mappings.

I plan to change this and make sure to use the NetBIOS name in place of the Domain DNS for the User Domain settings in Authentication Profiles and Group Mapping settings.

PAN-OS 9.0.8

GlobalProtect 5.1.3

Windows Server: Not Sure

In the customer's environment, on certain subnets, wired or wireless, the ip-user-mapping is sometimes picked up as lan.corp.com/user and sometimes as corp/user.

Therefore, an ip-user-mapping of lan.corp.com/user isn't recognized as being part of the AD group corp/webaccess, and the security rule is never hit.

The same user will then remove the wired connection, be picked up on a different IP address via Wi-Fi, but is now seen on the firewall as corp/user, is seen inside the AD group corp/webaccess and hits the rule, gaining web access.

The same issue happens when users try to authenticate from home via GlobalProtect.

Verifying with the command [ > tail follow yes mp-log authd ], user authentication will fail because lan.corp.com/user is not inside the AD group globalprotect... the user will try again and again until eventually they are picked up as corp/user.

I've searched almost all of LiveCommunity, Fuel User Group and the Support Portal Knowledgebase to see if this has come up before.

Most articles state the requirement of using NetBIOS in place of Domain DNS, but nothing states what steps the customer should take to verify that the domain mapping and AD are correct.

Please help

 

 

Cyber Elite

@SirchRettop,

It really sounds like you haven't set a Primary Username on the firewall since the introduction of multiple username formats with PAN-OS 8.1. I'd look at your group mappings and verify that your User Attributes are actually set up properly.

L0 Member

I have the same problem: some users are identified as netbiosdomain\user and others as dnsdomain\user.

When they are recognised as netbiosdomain\user, the security rule based on the AD group is applied correctly.

When they are recognised as dnsdomain\user, the rule is not applied to the user.

When I look in User-ID monitoring, I see that the user is recognised as dnsdomain\user when the source returns the user in the form user@dnsdomain. That is what causes the problem. Why does the source return user@dnsdomain? How can I avoid getting this result in the form user@dnsdomain and only get it in the form netbiosdomain\user?

L0 Member

I finally found the cause of this authentication problem...

My domain has a DN registered in the forest, so you have to create an LDAP connector to that other domain and add a group mapping to that domain based on the same Active Directory group.

Once this is done, all users are correctly converted to netbiosdomain\user.

This authentication problem in the form user@dnsdomain occurs for a machine when Palo Alto needs to authenticate it and the current domain is registered in another domain at the level of the domain's DN.

L1 Bithead

I managed to solve the issue.

I tweaked the config and used the NetBIOS name in place of the Domain DNS in any setting where it asks for the 'Domain' input, e.g. Group Mapping and Authentication Profiles.

Users are now always successfully matched in a security rule and can also authenticate over GlobalProtect without the previous intermittent failures.
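As an added illustration (this is not code from the thread or from Palo Alto Networks), the script below models the comparison the whole thread turns on: an IP-to-user mapping learned as `lan.corp.com\user` or `user@lan.corp.com` is checked against an AD group whose members were learned as `corp\user`. Without a DNS-domain-to-NetBIOS translation the strings never match and the rule is not hit; with the translation (the equivalent of using the NetBIOS name consistently, as the solution posts describe) all three spellings resolve to the same identity. The domain names, users, group names and the `DNS_TO_NETBIOS` table are constructed sample values, not from the customer environment.

```python
"""Added example (not from the thread or Palo Alto Networks): why a
DNS-domain-prefixed user identity fails to match a NetBIOS-prefixed
group, and how a consistent translation makes the three spellings agree.
All names below are constructed sample values."""

# Constructed: DNS domain name -> NetBIOS name, one entry per AD domain.
# (Assumption: each DNS domain has exactly one NetBIOS name.)
DNS_TO_NETBIOS = {
    "lan.corp.com": "corp",
}


def canonical_user(identity, dns_to_netbios=None):
    """Normalise one identity to ('netbiosdomain', 'user'), lower case.

    Handles the three spellings that appear in the thread:
      'corp\\user'           NetBIOS down-level logon name
      'lan.corp.com\\user'   DNS domain prefix (also written with '/')
      'user@lan.corp.com'    UPN, as some sources return it
    A DNS domain missing from the table is kept as-is, so a mismatch
    stays visible instead of being silently guessed.
    """
    dns_to_netbios = dns_to_netbios or {}
    identity = identity.strip()
    if "\\" in identity or "/" in identity:
        domain, user = identity.replace("/", "\\").split("\\", 1)
    elif "@" in identity:
        user, domain = identity.rsplit("@", 1)
    else:
        raise ValueError(f"no domain in identity {identity!r}")
    domain = domain.lower()
    return dns_to_netbios.get(domain, domain), user.lower()


def build_group_index(group_mapping, dns_to_netbios=None):
    """Map group name -> set of canonical members from a group->members dict."""
    return {
        group: {canonical_user(m, dns_to_netbios) for m in members}
        for group, members in group_mapping.items()
    }


def rule_matches(ip_user_identity, rule_group, group_index, dns_to_netbios=None):
    """True if the user behind the IP mapping is a member of the rule's group."""
    member = canonical_user(ip_user_identity, dns_to_netbios)
    return member in group_index.get(rule_group, set())


# Constructed sample data: what the firewall learned via LDAP group mapping
# (NetBIOS form) and the identities seen in ip-user-mapping / GlobalProtect.
GROUP_MAPPING = {
    "corp\\webaccess": ["corp\\alice", "corp\\bob"],
    "corp\\globalprotect": ["corp\\alice"],
}
SEEN_IDENTITIES = ["corp\\alice", "lan.corp.com\\alice", "alice@lan.corp.com"]


def evaluate(dns_to_netbios=None):
    """Return {identity: matched?} for the webaccess rule under one translation table."""
    index = build_group_index(GROUP_MAPPING, dns_to_netbios)
    return {
        ident: rule_matches(ident, "corp\\webaccess", index, dns_to_netbios)
        for ident in SEEN_IDENTITIES
    }


if __name__ == "__main__":
    # Without the table only the NetBIOS spelling matches; with it, all three do.
    print("without DNS->NetBIOS table:", evaluate())
    print("with DNS->NetBIOS table:   ", evaluate(DNS_TO_NETBIOS))
```

Running it prints the "before" state the original post describes (only `corp\alice` hits the rule) and the "after" state once every spelling is reduced to the NetBIOS form. The same normalisation step is a useful check when reading `ip-user-mapping` output against a group listing: if the domain prefixes differ, membership tests will fail no matter how correct the group itself is.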
