@mgarg Thanks for that. Below is the authd.log for user 'angusg'.

2017-11-10 21:30:29.084 +1000 debug: _get_profile_domain(pan_auth_sysd.c:890): auth prof "test-ldap-globalprotect" on vsys "vsys1" does NOT have domain
2017-11-10 21:30:29.084 +1000 Error: authd_sysd_profile_domain_callback(pan_auth_sysd.c:936): find domain for auth profile: test-ldap-globalprotect; vsys vsys1
2017-11-10 21:30:29.086 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3306): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 24, body length 2128
2017-11-10 21:30:29.087 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2362): Trying to authenticate (init auth): <profile: "test-ldap-globalprotect", vsys: "vsys1", policy: "", username "angusg"> ; timeout setting: 25 secs ; authd id: 6486741776332750875
2017-11-10 21:30:29.087 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1057): non-admin user thru Global Protect "angusg" ; auth profile "test-ldap-globalprotect" ; vsys "vsys1"
2017-11-10 21:30:29.087 +1000 debug: _get_authseq_profile(pan_auth_util.c:856): Auth profile/vsys (test-ldap-globalprotect/vsys1) is NOT auth sequence
2017-11-10 21:30:29.087 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for test-ldap-globalprotect-vsys1-mfa
2017-11-10 21:30:29.087 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1020): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: test-ldap-globalprotect/vsys1)
2017-11-10 21:30:29.087 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:185): This is a single vsys platform, group check for allow list is performed on "vsys1"
2017-11-10 21:30:29.087 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:310): user "angusg" is NOT in allow list of auth prof/vsys "test-ldap-globalprotect/vsys1" (vsys in request "vsys1")
2017-11-10 21:30:29.087 +1000 failed authentication for user 'angusg'. Reason: User is not in allowlist. auth profile 'test-ldap-globalprotect', vsys 'vsys1', From: 122.104.158.11.
2017-11-10 21:30:29.087 +1000 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_FAILURE auth response for user 'angusg' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6486741776332750875)
2017-11-10 21:30:34.963 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "test-ldap-globalprotect", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or i nvalid keytab)
2017-11-10 21:30:35.004 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:911): profiledomain triggered via sysd
2017-11-10 21:30:35.004 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:931): get domain for vsys1/test-ldap-globalprotect
2017-11-10 21:30:35.004 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "test-ldap-globalprotect", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or i nvalid keytab)
2017-11-10 21:30:35.004 +1000 debug: _get_profile_domain(pan_auth_sysd.c:890): auth prof "test-ldap-globalprotect" on vsys "vsys1" does NOT have domain
2017-11-10 21:30:35.004 +1000 Error: authd_sysd_profile_domain_callback(pan_auth_sysd.c:936): find domain for auth profile: test-ldap-globalprotect; vsys vsys1
2017-11-10 21:30:35.006 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3306): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 27, body length 2128
2017-11-10 21:30:35.006 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2362): Trying to authenticate (init auth): <profile: "test-ldap-globalprotect", vsys: "vsys1", policy: "", username "angusg"> ; timeout setting: 25 secs ; authd id: 6486741776332750878