12-27-2022 05:10 PM - edited 12-27-2022 05:13 PM
We recently installed a new Domain Controller and can't get the Global Protect VPN client LDAP authentication to work. We have tried everything we can think of and would like to know if anyone else has had this issue and could assist with a solution.
DC01 - Primary DC which firewall and VPN currently authenticates to.
DC02 - Secondary DC which will work as standalone authentication server in testing.
DC03 - New DC which is not allowing authentication from Global Protect VPN client. After entering username and password the client just goes back to the password prompt like nothing happened.
Any assistance would be greatly appreciated.
Thanks
12-28-2022 10:48 AM
I would check the system log with filter (type eq auth), and also the authd log from the CLI (less mp-log authd.log) as a starting point.
12-28-2022 11:53 AM
Hi @AZCommerceAuthority,
The CLI "test" command is great to troubleshoot authentication profiles. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/test-authentication-server... It normally gives the specific reason the authentication fails (bad password, cannot connect to server, etc.).
Thanks,
Tom
01-12-2023 01:09 PM
So I had some time to finally test this again and do some log file tracing.
Here is a taste of what I am seeing now when trying to authenticate to the new DC.
2023-01-12 13:05:39.470 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for AD-vsys1
2023-01-12 13:05:39.470 -0700 debug: _start_sync_auth(pan_auth_service_handle.c:606): recreate 0th LDAP session to remote server 10.0.2.17:636 after retry-interval (60 sec) has elapsed
2023-01-12 13:05:39.470 -0700 debug: _recreate_a_ldap_session(pan_auth_service_handle.c:418): re-create ldap session (ip ; sourceAddr ; sourceAddr6 ; vsys shared)
2023-01-12 13:05:39.470 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:917): useLDAPs: 1, startTLS: 0, b_ssl: 1
2023-01-12 13:05:39.470 -0700 ldap uri: ldaps://10.0.2.17:636
2023-01-12 13:05:39.470 -0700 Succeed to init LDAPp=0xff60001330 for entry 0
2023-01-12 13:05:39.470 -0700 b_ssl: Yes
2023-01-12 13:05:39.470 -0700 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:634): binding with binddn CN=svc_paloalto,OU=Service Accounts,DC=ourdcname,DC=com
2023-01-12 13:05:39.473 -0700 Error: pan_authd_ldap_bind(pan_authd_shared_ldap.c:643): Failed to bind ldap (Can't contact LDAP server)
2023-01-12 13:05:39.473 -0700 Error: pan_auth_create_a_ldap_session(pan_auth_svr_cctxt.c:2002): Failed to bind, get out
2023-01-12 13:05:39.474 -0700 Error: _recreate_a_ldap_session(pan_auth_service_handle.c:538): failed to re-create 0th LDAP session for server: 10.0.2.17:636
2023-01-12 13:05:39.474 -0700 LDAP auth server 10.0.2.17 is down !!!
On the new DC I have disabled the OS Firewall and tried to connect and it still fails so I know there is not some FW rule allowing port 636 to pass through.
Any ideas on what my issue is? I have tested LDAP on the new server using the service account user and it works perfectly.
01-12-2023 02:21 PM
Where are you connecting to the DC from? I.e. is the LDAP service running from the management port (default) or have you configured it on the dataplane? (Device->Setup->Services->Service Route Configuration). I am assuming that 10.0.2.17 is NOT an IP on the PA itself that is being NAT'd to another network, correct?
It looks like the PA can't even reach the DC server. If using LDAP from the management port (the default), does the management network have a route to 10.0.2.x? Does the DC have a firewall restricting access to certain source IPs? Can you ping all of the DCs from the management interface (PA> ping source [mgmt_ip] host 10.0.2.17)?
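A staged reachability check in the spirit of the reply above, as an added example that is not from the thread or from Palo Alto Networks: libldap reports both a failed TCP connection and a failed TLS handshake with the same "Can't contact LDAP server" text, so the probe separates the two stages and, like the LDAP server profile's certificate verification option, validates the server certificate rather than disabling checks. The address 10.0.2.17 is the one in the posted log; run the script from a host on the same network as the firewall's management interface (or the data-plane service route, if one is configured).

```python
"""Probe an LDAPS endpoint in stages so that a single "Can't contact
LDAP server" error can be localized to TCP reachability or to TLS."""
import socket
import ssl
from typing import Optional


def classify(exc: BaseException) -> str:
    """Map an exception raised while probing to the stage that failed."""
    if isinstance(exc, ssl.SSLError):      # must be tested before OSError
        return "tls"     # TCP worked; handshake or certificate validation failed
    if isinstance(exc, OSError):           # refused, timeout, no route, reset
        return "tcp"     # nothing listening, filtered, or not routable
    return "unknown"


def probe_ldaps(host: str, port: int = 636, timeout: float = 3.0,
                cafile: Optional[str] = None) -> dict:
    """Return {'stage': 'tcp'|'tls'|'ok'|'unknown', 'detail': str}.

    cafile: PEM bundle with the CA that issued the DC's certificate
    (the same CA the firewall's certificate profile would trust).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname drives SNI and name checking; an IP literal
            # is only accepted if the DC certificate carries an IP SAN.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {"stage": "ok",
                        "detail": f"{tls.version()} "
                                  f"subject={subject.get('commonName')}"}
    except Exception as exc:  # classify every failure instead of crashing
        return {"stage": classify(exc),
                "detail": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    import sys
    # 10.0.2.17 is the address from the posted authd.log; override on the CLI.
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.2.17"
    print(probe_ldaps(target))
```

A "tcp" result points at routing, the service route, or a host firewall; a "tls" result means the socket opened and the problem is the handshake or the certificate the new DC presents.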