This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Global Protect VPN Client not authenticating to 2012 R2 Domain Controller

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect VPN Client not authenticating to 2012 R2 Domain Controller

AZCommerceAuthority
L1 Bithead

‎12-27-2022 05:10 PM - edited ‎12-27-2022 05:13 PM

We recently installed a new Domain Controller and can't get the Global Protect VPN client LDAP authentication to work. We have tried everything we can think of and would like to know if anyone else has had this issue and could assist with a solution.

 

DC01 - Primary DC which firewall and VPN currently authenticates to.

DC02 - Secondary DC which will work as standalone authentication server in testing.

DC03 - New DC which is not allowing authentication from Global Protect VPN client. After entering username and password the client just goes back to the password prompt like nothing happened. 

 

Any assistance would be greatly appreciated.

 

Thanks

0 Likes Likes
7 REPLIES 7

dmifsud
L3 Networker

‎12-28-2022 10:48 AM

I would check the system log with filter (type eq auth), and also the authd log from the CLI (less mp-log authd.log) as a starting point.

 

 

Sr. Technical Support Engineer, Strata
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎12-28-2022 11:53 AM

Hi @AZCommerceAuthority ,

 

The CLI "test" command is great to troubleshoot authentication profiles.  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/test-authentication-server...  It normally gives the specific reason the authentication fails (bad password, cannot connect to server, etc.).

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

AZCommerceAuthority
L1 Bithead
In response to TomYoung

‎01-12-2023 01:09 PM

So I had some time to finally test this again and do some log file tracing.

 

Here is a taste of what I am seeing now when trying to authenticate to the new DC. 

 

2023-01-12 13:05:39.470 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for AD-vsys1
2023-01-12 13:05:39.470 -0700 debug: _start_sync_auth(pan_auth_service_handle.c:606): recreate 0th LDAP session to remote server 10.0.2.17:636 after retry-interval (60 sec) has elapsed
2023-01-12 13:05:39.470 -0700 debug: _recreate_a_ldap_session(pan_auth_service_handle.c:418): re-create ldap session (ip ; sourceAddr ; sourceAddr6 ; vsys shared)
2023-01-12 13:05:39.470 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:917): useLDAPs: 1, startTLS: 0, b_ssl: 1
2023-01-12 13:05:39.470 -0700 ldap uri: ldaps://10.0.2.17:636
2023-01-12 13:05:39.470 -0700 Succeed to init LDAPp=0xff60001330 for entry 0
2023-01-12 13:05:39.470 -0700 b_ssl: Yes
2023-01-12 13:05:39.470 -0700 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:634): binding with binddn CN=svc_paloalto,OU=Service Accounts,DC=ourdcname,DC=com
2023-01-12 13:05:39.473 -0700 Error: pan_authd_ldap_bind(pan_authd_shared_ldap.c:643): Failed to bind ldap (Can't contact LDAP server)
2023-01-12 13:05:39.473 -0700 Error: pan_auth_create_a_ldap_session(pan_auth_svr_cctxt.c:2002): Failed to bind, get out
2023-01-12 13:05:39.474 -0700 Error: _recreate_a_ldap_session(pan_auth_service_handle.c:538): failed to re-create 0th LDAP session for server: 10.0.2.17:636
2023-01-12 13:05:39.474 -0700 LDAP auth server 10.0.2.17 is down !!!

 

On the new DC I have disabled the OS Firewall and tried to connect and it still fails so I know there is not some FW rule allowing port 636 to pass through.

 

Any ideas on what my issue is? I have tested LDAP on the new server using the service account user and it works perfectly.

 

 

0 Likes Likes

Adrian_Jensen
L5 Sessionator

‎01-12-2023 02:21 PM

Where are you connecting to the DC from? I.e. is the LDAP service running from the management port (default) or have you configured it on the dataplane? (Device->Setup->Services->Service Route Configuration). I am assuming that 10.0.2.17 is NOT an IP on the PA itself that is being NAT'd to another network, correct?

 

It looks like the PA can't even reach the DC server. If using LDAP from the management port (the default), does the management network have a route to 10.0.2.x? Does the DC have a firewall restricting access to certain source IPs? Can you ping all of the DCs from the management interface  (PA> ping source [mgmt_ip] host 10.0.2.17)?

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks