Having a headache of an issue lately, and I believe it to be an issue in the customer environment rather than a configuration setting on the firewall or a software issue in PAN-OS.
I've little experience with enterprise active directory so I learn as I go.
At the moment, the customer has been using the Domain DNS for User Domain settings on Authentication Profiles and Group Mappings.
I plan to change this and make sure to use the NetBIOS in place of the domain DNS for User Domain settings in Authentication Profiles and Group Mapping settings.
GlobalProtect 5.1.3
Windows Server: Not Sure
In the customer's environment, on certain subnets, be they wired or wireless, the ip-user-mappings are picked up as sometimes lan.corp.com/user or corp/user.
Therefore, an ip-user-mapping of lan.corp.com/user isn't recognized as being part of the AD group corp/webaccess and the security rule is never hit.
The same user will then remove the wired connection, be picked up on a different IP address via Wi-Fi, but is now seen on the firewall as corp/user, is seen inside the AD group corp/webaccess, hits the rule and gains web access.
Again, the issue happens when users try to authenticate from home via GlobalProtect.
Verifying with the command [ > tail follow yes mp-log authd ], user authentication will fail because lan.corp.com/user is not inside the AD group globalprotect .... The user will try again and again until eventually they are picked up as corp/user.
I've searched almost all of LiveCommunity, Fuel User Group and Support Portal Knowledgebase to see if this has come up before.
Most articles state the requirement of using NetBIOS in place of the Domain DNS, but nothing states what steps the customer should take to verify that the domain mapping and AD are correct.
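As an added illustration of the mismatch described in this post (it is not code from the poster or from Palo Alto Networks), the script below shows why a mapping of lan.corp.com\user never matches a group whose members are held as corp\user, and gives an offline way to check which domain prefixes actually appear in the ip-user-mapping data before changing the User Domain settings. The mapping lines, the group membership and the DNS-to-NetBIOS table (lan.corp.com -> corp) are constructed sample data and assumptions for this example; the real NetBIOS name has to be read from the customer's AD domain.

```python
import re
from typing import Dict, List, Set, Tuple

# Assumed DNS-domain -> NetBIOS-domain table. Constructed for this example; in a
# real environment the NetBIOS name is read from the AD domain itself.
DNS_TO_NETBIOS: Dict[str, str] = {
    "lan.corp.com": "corp",
    "corp.com": "corp",
}

# Constructed sample lines in the shape of ip-user-mapping output: IP, vsys, source, user.
SAMPLE_MAPPINGS: List[str] = [
    "10.1.10.25  vsys1  GP  lan.corp.com\\jdoe",
    "10.1.20.40  vsys1  AD  corp\\jdoe",
    "10.1.30.7   vsys1  GP  lan.corp.com\\asmith",
]

# Constructed membership of the group the security rule references, in NetBIOS form.
WEBACCESS_MEMBERS: List[str] = ["corp\\jdoe", "corp\\asmith", "corp\\svc-proxy"]


def split_user(identity: str) -> Tuple[str, str]:
    """Split 'domain\\user' or 'domain/user' into (domain, user), lower-cased.
    An identity with no domain prefix gets an empty domain."""
    parts = re.split(r"[\\/]", identity.strip(), maxsplit=1)
    if len(parts) == 1:
        return "", parts[0].lower()
    return parts[0].lower(), parts[1].lower()


def normalize(identity: str, table: Dict[str, str] = DNS_TO_NETBIOS) -> str:
    """Rewrite a DNS-style domain prefix to its NetBIOS name; NetBIOS names pass through."""
    domain, user = split_user(identity)
    domain = table.get(domain, domain)
    return f"{domain}\\{user}" if domain else user


def matches_group(identity: str, members: List[str], normalize_domains: bool) -> bool:
    """Plain string compare (normalize_domains=False), which is what fails in the
    post, versus a compare after both sides are rewritten to NetBIOS form."""
    if normalize_domains:
        return normalize(identity) in {normalize(m) for m in members}
    return identity.lower() in {m.lower() for m in members}


def parse_mappings(lines: List[str]) -> Dict[str, str]:
    """Return {ip: identity} from the sample mapping lines (first and last columns)."""
    out: Dict[str, str] = {}
    for line in lines:
        fields = line.split()
        if len(fields) >= 2:
            out[fields[0]] = fields[-1]
    return out


def domains_seen(lines: List[str]) -> Set[str]:
    """Distinct domain prefixes present in the mappings: the first thing to inspect
    when the same user shows up in two formats."""
    return {split_user(ident)[0] for ident in parse_mappings(lines).values()}


def audit(lines: List[str], members: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """For each IP: (matches the group as-is, matches after NetBIOS normalization)."""
    return {
        ip: (matches_group(ident, members, False), matches_group(ident, members, True))
        for ip, ident in parse_mappings(lines).items()
    }


if __name__ == "__main__":
    print("domain prefixes seen:", sorted(domains_seen(SAMPLE_MAPPINGS)))
    for ip, (raw, fixed) in audit(SAMPLE_MAPPINGS, WEBACCESS_MEMBERS).items():
        print(f"{ip}: as-is={raw} normalized={fixed}")
```

Running it against the constructed data lists both lan.corp.com and corp as prefixes and flags the two lan.corp.com entries as failing the group check as-is while passing once normalized, which is the symptom the post describes; on a real firewall the normalization is not done by a script but by configuring the NetBIOS name in the User Domain settings so that mappings and group members are written in the same form.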