
SSO Kerberos setup for Admin

L1 Bithead

I have been able to set up Kerberos for explicit userid/password entry at the logon screen. Now I am trying to set up SSO.

 

I at least get to the "Click the button to login as user@domain.local". Yet when I proceed, I get "Not Authorized".

 

System log shows "Authorization failed for user 'user@domain.local'" vs. the explicit login, which shows a login for 'user' without the domain.local appended.

 

I turned on debugging and authd.log shows

 

2017-07-12 08:35:39.494 -0400 Certificate validated for user 'user@DOMAIN.LOCAL'. From: 10.1.4.40.

2017-07-12 08:35:39.496 -0400 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_SUCCESS auth response for user 'user@DOMAIN.LOCAL' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6441520795817607314)

2017-07-12 08:35:39.527 -0400 debug: pan_auth_request_process(pan_auth_state_engine.c:3208): Receive request: msg type PAN_AUTH_REQ_GROUP, conv id 36, body length 32

2017-07-12 08:35:39.527 -0400 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1527): init'ing group request (authorization)

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1368): start to authorize user "user@DOMAIN.LOCAL"

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user user@DOMAIN.LOCAL

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1477): Sent authorization response for user "user@DOMAIN.LOCAL":
role/domain="/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1

 

I tried all kinds of options for the admin user, but some mapping seems to be wrong. Any idea where to look, or how to get more debugging?
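A triage aid for the authd.log excerpt above, added here as an example and not part of the original post or of PAN-OS: it pairs each PAN_AUTH_SUCCESS with a later "Could not get user role" for the same principal, then compares that principal, with and without its realm, against a list of administrator account names. The function name `triage` and the `admin_names` set are assumptions (the set holds 'user', the name the post says the explicit login records); the log lines are copied from the post.

```python
import re

# Three lines copied from the authd.log excerpt in the post above.
SAMPLE_LOG = """\
2017-07-12 08:35:39.496 -0400 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_SUCCESS auth response for user 'user@DOMAIN.LOCAL' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6441520795817607314)
2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1368): start to authorize user "user@DOMAIN.LOCAL"
2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user user@DOMAIN.LOCAL
"""

AUTH_OK = re.compile(r"Sent PAN_AUTH_SUCCESS auth response for user '([^']+)'")
NO_ROLE = re.compile(r"Could not get user role for user (\S+)")


def short_name(principal):
    """Strip a Kerberos realm (user@REALM) or a NetBIOS prefix (DOMAIN\\user)."""
    name = principal.split("@", 1)[0]
    return name.rsplit("\\", 1)[-1]


def triage(log_text, admin_names):
    """Return one finding per principal that authenticated but got no role."""
    authenticated, findings = set(), []
    for line in log_text.splitlines():
        ok = AUTH_OK.search(line)
        if ok:
            authenticated.add(ok.group(1))
            continue
        failed = NO_ROLE.search(line)
        if failed and failed.group(1) in authenticated:
            principal = failed.group(1)
            findings.append({
                "principal": principal,
                # Does an admin account exist under the exact name authd looked up?
                "exact_match": principal in admin_names,
                "short_name": short_name(principal),
                # Does one exist only under the name without the realm?
                "short_name_match": short_name(principal) in admin_names,
            })
    return findings


if __name__ == "__main__":
    # Assumption: the only administrator account is named 'user'.
    for finding in triage(SAMPLE_LOG, {"user"}):
        print(finding)
```

A finding with `exact_match` false and `short_name_match` true means authentication succeeded under the full principal while the account list only knows the name without the realm, which is the difference the system log entries in the post show.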
