User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

User-ID - Active Directory Keeps Sending Domain DNS and NetBIOS DNS

L2 Linker

Hi Community,


Having a headache of an issue lately and I believe it to be an issue on the customer environment rather than a setting configuration on the firewall, or software issue in PAN-OS e.g.


I've little experience with enterprise active directory so I learn as I go.


At the moment, customer has been using the Domain DNS for User Domain settings on Authentication Profiles and Group Mappings.


I plan to change this and make sure to use the NetBIOS in place of the domain DNS for User Domain settings in Authentication Profiles and Group Mapping settings.



PAN-OS 9.0.8

Global Protect 5.1.3

Windows Server: Not Sure


In the customers environment, certain subnets, be it wired or wireless,  the ip-user-mapping are picked up as sometimes or corp/user.


Therefore, an ip-user-mapping of isn't recognized as being part of the AD group corp/webaccess  and security rule is never hit.


Same user will then remove the wired connection, will be picked up on a different ip-address via Wifi but is now seen on the firewall as corp/user, is seen inside AD group corp/webaccess and hits the rule, gaining web access.




Again issue happens when users try to authenticate from home via Global Protect. 


Verifying with command [ > tail follow yes mp-log authd ] users authentication will fail because is not inside AD group globalprotect .... user will try again and again until eventually they are picked up as corp/user.



I've searched almost all of LiveCommunity, Fuel User Group and Support Portal Knowledgebase to see if this has come up before.


Most articles state the requirement of using NetBIOS in place of Domain DNS but nothing stating what steps the customer should do to verify domain mapping and AD is correct.


Please help




Cyber Elite
Cyber Elite


It really sounds like you haven't set a Primary Username on the firewall since the introduction of multiple username formats with PAN-OS 8.1. I'd look at your group mappings and verify that your User Attributes are actually setup properly.

L0 Member

J'ai le même problème, certains utilisateurs sont identifiés comme netbiosdomain\user et dnsdomain\user

Quand ils sont reconnus comme netbiosdomaine\user, la règle de sécurité basée sur le groupe AD est bien appliquée.

Quand ils sont reconnus comme dnsdomain\user la règle n'est pas appliquée à l'utilisateur.

Quand je vais voir dans monitoring user-id, je vois que l'utilisateur est reconnu en dnsdomain\user quand la source retourne le user sous la forme user@dnsdomain. C'est ce qui pose problème. Pourquoi la source retourne user@dnsdomain... Comment faire pour ne pas avoir ce retour sous la forme user@dnsdomain mais n'avoir que le retour sous la forme netbiosdomain\user.


J'ai finalement trouvé la cause de ce problème d'authentification...

Mon domaine a un DN enregistré dans la foret, il faut donc créé un connecteur ldap vers cet autre domaine, ajouter un mapping de groupe vers ce domaine basé sur le même groupe Active Directory.

Une fois ceci effectué, tous les utilisateurs sont bien convertis en netbiosdomain\user

On a ce problème d'authentification sous la forme user@dnsdomain pour une machine quand paloalto a besoin de l'authentifier et que le domaine actuel est enregistré dans un autre domaine au niveau du DN du domaine.

L2 Linker

I managed to solve the issue.


I tweaked the config and used the NetBIOS dns in place of the Domain dns in any setting where it asks for the 'Domain' input e.g. Group Mapping and Authentication Profiles 


Users are now always successfully matched in a security rule and also can authenticate over Global Protect without previous intermittent failures

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!