Global Protect VPN Client not authenticating to 2012 R2 Domain Controller


We recently installed a new Domain Controller and can't get the Global Protect VPN client LDAP authentication to work. We have tried everything we can think of and would like to know if anyone else has had this issue and could assist with a solution.

 

DC01 - Primary DC which firewall and VPN currently authenticates to.

DC02 - Secondary DC which will work as standalone authentication server in testing.

DC03 - New DC which is not allowing authentication from Global Protect VPN client. After entering username and password the client just goes back to the password prompt like nothing happened. 

 

Any assistance would be greatly appreciated.

 

Thanks

7 REPLIES

L3 Networker

I would check the system log with filter (type eq auth), and also the authd log from the CLI (less mp-log authd.log) as a starting point.

 

 

Sr. Technical Support Engineer, Strata

Cyber Elite

Hi @AZCommerceAuthority ,

 

The CLI "test" command is great to troubleshoot authentication profiles.  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/test-authentication-server...  It normally gives the specific reason the authentication fails (bad password, cannot connect to server, etc.).

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

So I had some time to finally test this again and do some log file tracing.

 

Here is a taste of what I am seeing now when trying to authenticate to the new DC. 

 

2023-01-12 13:05:39.470 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for AD-vsys1
2023-01-12 13:05:39.470 -0700 debug: _start_sync_auth(pan_auth_service_handle.c:606): recreate 0th LDAP session to remote server 10.0.2.17:636 after retry-interval (60 sec) has elapsed
2023-01-12 13:05:39.470 -0700 debug: _recreate_a_ldap_session(pan_auth_service_handle.c:418): re-create ldap session (ip ; sourceAddr ; sourceAddr6 ; vsys shared)
2023-01-12 13:05:39.470 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:917): useLDAPs: 1, startTLS: 0, b_ssl: 1
2023-01-12 13:05:39.470 -0700 ldap uri: ldaps://10.0.2.17:636
2023-01-12 13:05:39.470 -0700 Succeed to init LDAPp=0xff60001330 for entry 0
2023-01-12 13:05:39.470 -0700 b_ssl: Yes
2023-01-12 13:05:39.470 -0700 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:634): binding with binddn CN=svc_paloalto,OU=Service Accounts,DC=ourdcname,DC=com
2023-01-12 13:05:39.473 -0700 Error: pan_authd_ldap_bind(pan_authd_shared_ldap.c:643): Failed to bind ldap (Can't contact LDAP server)
2023-01-12 13:05:39.473 -0700 Error: pan_auth_create_a_ldap_session(pan_auth_svr_cctxt.c:2002): Failed to bind, get out
2023-01-12 13:05:39.474 -0700 Error: _recreate_a_ldap_session(pan_auth_service_handle.c:538): failed to re-create 0th LDAP session for server: 10.0.2.17:636
2023-01-12 13:05:39.474 -0700 LDAP auth server 10.0.2.17 is down !!!

 

On the new DC I have disabled the OS Firewall and tried to connect and it still fails so I know there is not some FW rule allowing port 636 to pass through.

 

Any ideas on what my issue is? I have tested LDAP on the new server using the service account user and it works perfectly.

 

 

L5 Sessionator

Where are you connecting to the DC from? I.e. is the LDAP service running from the management port (default) or have you configured it on the dataplane? (Device->Setup->Services->Service Route Configuration). I am assuming that 10.0.2.17 is NOT an IP on the PA itself that is being NAT'd to another network, correct?

 

It looks like the PA can't even reach the DC server. If using LDAP from the management port (the default), does the management network have a route to 10.0.2.x? Does the DC have a firewall restricting access to certain source IPs? Can you ping all of the DCs from the management interface (PA> ping source [mgmt_ip] host 10.0.2.17)?
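
The bind failure in the authd.log excerpt quoted earlier in this thread, and the reachability questions in the reply above, worked through in a short script. This is an added example, not code from the original thread or from Palo Alto Networks. `parse_bind_attempts` pulls each LDAP attempt out of authd.log text and maps the libldap error string to the layer to look at first: "Can't contact LDAP server" is libldap's LDAP_SERVER_DOWN, meaning the TCP connection or the TLS handshake on 636 never completed, so the bind DN and password were not evaluated at all. `check_ldaps` is a hypothetical helper that repeats what authd does before it can bind (TCP connect, then TLS) and has to be run from a host on the same network the firewall's LDAP service route uses; note that a DC with no server certificate will still answer a plain LDAP test on 389 yet fail this check on 636. The sample log is constructed from the quoted lines plus a made-up second attempt against 10.0.2.15 that ends in "Invalid credentials".

```python
"""Triage of PAN-OS authd.log LDAP bind failures (added example, not from the thread)."""
import re
import socket
import ssl

# Constructed sample: the first attempt is modelled on the authd.log lines quoted
# in this thread; the second (10.0.2.15, "Invalid credentials") is made up to show
# a different failure class and is not from the original post.
SAMPLE_AUTHD_LOG = """\
2023-01-12 13:05:39.470 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:917): useLDAPs: 1, startTLS: 0, b_ssl: 1
2023-01-12 13:05:39.470 -0700 ldap uri: ldaps://10.0.2.17:636
2023-01-12 13:05:39.470 -0700 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:634): binding with binddn CN=svc_paloalto,OU=Service Accounts,DC=ourdcname,DC=com
2023-01-12 13:05:39.473 -0700 Error: pan_authd_ldap_bind(pan_authd_shared_ldap.c:643): Failed to bind ldap (Can't contact LDAP server)
2023-01-12 13:05:39.474 -0700 LDAP auth server 10.0.2.17 is down !!!
2023-01-12 13:06:40.101 -0700 ldap uri: ldaps://10.0.2.15:636
2023-01-12 13:06:40.101 -0700 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:634): binding with binddn CN=svc_paloalto,OU=Service Accounts,DC=ourdcname,DC=com
2023-01-12 13:06:40.120 -0700 Error: pan_authd_ldap_bind(pan_authd_shared_ldap.c:643): Failed to bind ldap (Invalid credentials)
"""

URI_RE = re.compile(r"ldap uri: (?P<uri>ldaps?://\S+)")
BINDDN_RE = re.compile(r"binding with binddn (?P<dn>.+)$")
BINDFAIL_RE = re.compile(r"Failed to bind ldap \((?P<reason>[^)]+)\)")
DOWN_RE = re.compile(r"LDAP auth server (?P<server>\S+) is down")

# libldap error string -> the layer a practitioner should look at first.
LAYER_BY_REASON = {
    # LDAP_SERVER_DOWN: TCP or TLS never completed, credentials were never sent.
    "Can't contact LDAP server": "transport (route, firewall, or TLS on 636)",
    # LDAP_INVALID_CREDENTIALS: the DC answered and rejected the bind.
    "Invalid credentials": "service-account bind DN or password",
}


def parse_bind_attempts(log_text):
    """Group authd.log lines into one record per 'ldap uri:' attempt."""
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = URI_RE.search(line)
        if m:
            current = {"uri": m.group("uri"), "binddn": None, "reason": None,
                       "layer": None, "server_down": False}
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first attempt carry no outcome
        m = BINDDN_RE.search(line)
        if m:
            current["binddn"] = m.group("dn").strip()
            continue
        m = BINDFAIL_RE.search(line)
        if m:
            reason = m.group("reason")
            current["reason"] = reason
            current["layer"] = LAYER_BY_REASON.get(reason, "unknown; check the DC event log")
            continue
        if DOWN_RE.search(line):
            current["server_down"] = True
    return attempts


def check_ldaps(host, port=636, timeout=5.0):
    """Hypothetical live check: TCP connect, then TLS handshake, like authd does
    before it can send a bind. Diagnostic only: certificate verification is
    turned off so the question answered is 'does the DC offer a cert on 636?'"""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout: no route, or a firewall silently dropping"
    except OSError as exc:
        return f"tcp_failed: {exc}"  # e.g. refused: nothing listening on 636
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert(binary_form=True)
            return f"tls_ok: {tls.version()}, server presented a {len(cert)}-byte certificate"
    except ssl.SSLError as exc:
        return f"tls_failed: {exc}"  # TCP open, but LDAPS not configured or no cert


if __name__ == "__main__":
    for attempt in parse_bind_attempts(SAMPLE_AUTHD_LOG):
        print(attempt)
    # print(check_ldaps("10.0.2.17"))  # run from the network the firewall's service route uses
```

Run `check_ldaps` from the management network (or whichever interface the service route assigns to LDAP), since a result from an admin workstation on a different segment says nothing about what the firewall can reach.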
