09-12-2023 02:07 AM
I have created an LDAP profile, group mapping and user mapping from Panorama, and it seems to be working.
I'm able to run "test authentication username xxxxxxx.test@xxxxxxxxx.com authentication-profile xxxxxx-LDAP password" and this works fine.
My problem is that Panorama doesn't seem to be able to "manage" the Palo Alto Networks User-ID Agent Setup tab.
That tab is empty on the local fw (Device->User Identification->User Mapping). If I enter anything in this tab, anything at all, I get the error message below, even though Panorama has this config. I thought it was a template issue, so I created a test template and added all this config
in the new test template, and put it on top, but no luck. If I try to configure it manually I get the following error message.
From mp-log userid.log:
2023-09-12 09:18:26.617 +0200 connects to redis_dscd db1
2023-09-12 09:18:26.716 +0200 dsc adaptor completed rpc call for func ShowUser
2023-09-12 09:18:26.717 +0200 connects to redis_dscd db1
2023-09-12 09:19:12.608 +0200 device cert: NEW: cfg.device-cert-status, event change, invalid field!
2023-09-12 09:19:12.608 +0200 device cert: OLD: cfg.device-cert-status, event change, invalid field!
2023-09-12 09:19:12.608 +0200 device cert: Recevied (change) event for device cert. Update dsc connections.
2023-09-12 09:19:12.609 +0200 Error: pan_dsc_rpc_get_thermite_cert(pan_dsc_adaptor.c:691): [THERMITE] dsc rpc get device cert failed
2023-09-12 09:19:12.609 +0200 dsc adaptor completed rpc call for func UpdateThermiteCert
2023-09-12 09:20:04.302 +0200 phase1 started
2023-09-12 09:20:04.304 +0200 parsing config: config length 186610
2023-09-12 09:20:04.319 +0200 <vsys> tag does not exist
2023-09-12 09:20:04.319 +0200 mgmt internal: client certificate profile commit
2023-09-12 09:20:04.319 +0200 No child nodes present under secure connection server mgmt settings, No updates needed.
2023-09-12 09:20:04.319 +0200 [secure_conn] extract secure_conn userid channel settings SERVER
2023-09-12 09:20:04.319 +0200 [secure_conn] user_id secure comm enabled for SERVER
2023-09-12 09:20:04.319 +0200 No child nodes present under secure connection client mgmt settings, No updates needed.
2023-09-12 09:20:04.319 +0200 [secure_conn] extract secure_conn userid channel settings CLIENT
2023-09-12 09:20:04.319 +0200 [secure_conn] user_id secure comm enabled for CLIENT
2023-09-12 09:20:04.322 +0200 [secure_conn] user_id secure conn cfg SERVER:disabled CLIENT:disabled
2023-09-12 09:20:04.324 +0200 hipreport to icd channel: 1
2023-09-12 09:20:04.326 +0200 no wmi account is configured, no need to probe
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_dir_server_parse_cfg(pan_user_id_collector.c:409): Domain's DNS name is missing in Active Directory Authentication
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_collector_parse_cfg(pan_user_id_collector.c:2217): pan_user_id_dir_server_parse_cfg() failed
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_parse_vsys_config(pan_user_id_cfg.c:818): pan_userid_collector_parse_cfg() failed
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_parse_config_i(pan_user_id_cfg.c:1515): pan_user_id_parse_vsys_config() failed
So I'm missing the domain's DNS name in Active Directory Authentication. If this is the auth profile, I have the user domain set correctly. Does anyone know
where "Domain's DNS name is missing in Active Directory Authentication" is?
/M
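As an added example (not part of the original post and not Palo Alto Networks code), here is a small Python helper that parses userid.log lines in the format shown above and separates the root-cause error from the "X() failed" lines that only propagate it up the call chain. The log-line and error-message formats are assumed from the sample in this thread; the sample lines embedded below are constructed from it.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the mp-log userid.log excerpt above
# (values illustrative; the "pan_userid_collector_parse_cfg" spelling
# mismatch is reproduced as it appears in the thread).
SAMPLE_LOG = """\
2023-09-12 09:20:04.302 +0200 phase1 started
2023-09-12 09:20:04.326 +0200 no wmi account is configured, no need to probe
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_dir_server_parse_cfg(pan_user_id_collector.c:409): Domain's DNS name is missing in Active Directory Authentication
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_collector_parse_cfg(pan_user_id_collector.c:2217): pan_user_id_dir_server_parse_cfg() failed
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_parse_vsys_config(pan_user_id_cfg.c:818): pan_userid_collector_parse_cfg() failed
"""

# Assumed line layout: "<date> <time> <tz> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) (?P<msg>.*)$"
)
# Assumed error layout: "Error: <func>(<file>:<line>): <detail>"
ERROR_RE = re.compile(
    r"^Error: (?P<func>\w+)\((?P<file>[\w.]+):(?P<line>\d+)\): (?P<detail>.*)$"
)
# Lines that only report a callee failing carry no new diagnostic detail.
WRAPPER_RE = re.compile(r"^\w+\(\) failed$")


@dataclass
class UserIdError:
    ts: str
    func: str
    file: str
    line: int
    detail: str


def parse_errors(text):
    """Return every 'Error:' entry in the log text, in order."""
    errors = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        e = ERROR_RE.match(m.group("msg"))
        if not e:
            continue
        errors.append(UserIdError(
            ts=m.group("ts"),
            func=e.group("func"),
            file=e.group("file"),
            line=int(e.group("line")),
            detail=e.group("detail"),
        ))
    return errors


def root_causes(errors):
    """Keep only errors whose detail is not a bare '<callee>() failed'.

    The propagation lines are matched on their detail text rather than on
    the callee name, because the log's callee spelling does not always
    match the function name of the line that emitted it.
    """
    return [e for e in errors if not WRAPPER_RE.match(e.detail)]


def summarize(text):
    """One line per root cause: where it was raised and what it said."""
    return [f"{e.file}:{e.line} {e.func}: {e.detail}"
            for e in root_causes(parse_errors(text))]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it against a copy of the log (for example the output of the "less mp-log userid.log" CLI command saved to a file) to get the one line worth acting on instead of the whole failure chain.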
09-12-2023 11:31 AM
We are running 10.2.3 on both Panorama and the fw. So that's probably what's wrong. The only thing is that I can't add the config manually on the local fw. It says I need to override the template. And there isn't any gear icon to override... What version of PAN-OS is this fixed in?
/M
09-12-2023 05:47 AM - edited 09-12-2023 05:48 AM
What Panorama version are you using?
It was a bug in Panorama 10.2.x (at least up to 10.2.3) where User-ID info in a Panorama template was not pushed down to the template stack and, as a result, not sent to the firewall.
09-12-2023 05:51 AM
Are you using the built-in User-ID agent for this? If you go to Device->User Identification->User Mapping, then click the gear for Palo Alto Networks User-ID Agent Setup, under "Server Monitor Account" you'll fill out the account used for authentication as well as the "Domain's DNS Name".
If you are not using the built-in User-ID agent, you can just go to the "Server Monitor" and "Client Probing" tabs and make sure everything is unchecked there.
09-12-2023 11:34 AM
I'm using the built-in one, but perhaps I'll try the agent now that I know of the bug mentioned above.