Well, if I set the authentication profile to "all users" it works just fine.

Enter password :
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "domain.lan\steven.williams.da" is in group "all"
Authentication to LDAP server at 10.100.21.210 for user "steven.williams.da"
Egress: 10.100.20.20
Type of authentication: GSSAPI
Starting LDAPS connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=Steven Williams.da,OU=Users,OU=NoPoliciesApplied,OU=Users,OU=domain,DC=domain,DC=lan
User expires in days: never
Authentication succeeded for user "steven.williams.da"
admin@PA500-01>

So the Bind account is working, it's just not working for a specific user group.

admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan
short name: domain\paloaltoadmins
source type: ldap
source: Domain_Users_and_Groups
[1 ] domain\steven.williams.da
admin@PA500-01>

It sees the user but can never auth with it. And yes, I have created a user account in the local admins to match this.
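The two CLI outputs in the post carry most of what a reviewer needs: which allow list admitted the user, which server and transport were used, what DN the firewall bound with, and how the user is listed in the mapped group. The following Python is an added example (mine, not anything from the poster or from Palo Alto Networks) that parses both outputs, re-broken into one message per line as constructed sample input, and returns the findings a defender would raise: an allow list of "all" accepts any directory user who can bind, plain LDAP would send credentials unencrypted, and the identity checked against the allow list ("domain.lan\...") is spelled with a different domain prefix than the group member entry ("domain\..."). The prefix comparison is my own heuristic for spotting that discrepancy, not a statement of how PAN-OS evaluates group membership, and the regular expressions match only the wording visible in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples: the two CLI outputs quoted in the post, re-broken into
# one message per line. Nothing here was captured by me.
SAMPLE_AUTH_TEST = (
    'Target vsys is not specified, user "steven.williams.da" is assumed to be '
    'configured with a shared auth profile.\n'
    'Do allow list check before sending out authentication request...\n'
    'name "domain.lan\\steven.williams.da" is in group "all"\n'
    'Authentication to LDAP server at 10.100.21.210 for user "steven.williams.da"\n'
    'Egress: 10.100.20.20\n'
    'Type of authentication: GSSAPI\n'
    'Starting LDAPS connection...\n'
    'Succeeded to create a session with LDAP server\n'
    'DN sent to LDAP server: CN=Steven Williams.da,OU=Users,OU=NoPoliciesApplied,'
    'OU=Users,OU=domain,DC=domain,DC=lan\n'
    'User expires in days: never\n'
    'Authentication succeeded for user "steven.williams.da"\n'
)
SAMPLE_GROUP = (
    'short name: domain\\paloaltoadmins\n'
    'source type: ldap\n'
    'source: Domain_Users_and_Groups\n'
    '[1 ] domain\\steven.williams.da\n'
)

@dataclass
class AuthTest:
    user: Optional[str] = None
    allow_name: Optional[str] = None   # identity string used in the allow-list check
    allow_group: Optional[str] = None  # group that satisfied the allow list
    ldap_server: Optional[str] = None
    egress: Optional[str] = None
    auth_type: Optional[str] = None
    transport: Optional[str] = None    # "LDAP" or "LDAPS"
    bind_dn: Optional[str] = None
    succeeded: bool = False

# Anchored patterns for the transcript lines seen in the post (wording as quoted there).
_RULES = [
    ("allow", re.compile(r'^name "([^"]+)" is in group "([^"]+)"')),
    ("server", re.compile(r'^Authentication to LDAP server at (\S+) for user "([^"]+)"')),
    ("egress", re.compile(r'^Egress: (\S+)')),
    ("type", re.compile(r'^Type of authentication: (\S+)')),
    ("transport", re.compile(r'^Starting (LDAPS?) connection')),
    ("dn", re.compile(r'^DN sent to LDAP server: (.+)$')),
    ("ok", re.compile(r'^Authentication succeeded for user "([^"]+)"')),
]
_MEMBER = re.compile(r'^\[\s*\d+\s*\]\s+(\S+)')  # '[1 ] domain\user' member lines

def parse_auth_test(text: str) -> AuthTest:
    """Pull the security-relevant facts out of a `test authentication` transcript."""
    r = AuthTest()
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in _RULES:
            m = rx.match(line)
            if not m:
                continue
            if kind == "allow":
                r.allow_name, r.allow_group = m.group(1), m.group(2)
            elif kind == "server":
                r.ldap_server, r.user = m.group(1), m.group(2)
            elif kind == "egress":
                r.egress = m.group(1)
            elif kind == "type":
                r.auth_type = m.group(1)
            elif kind == "transport":
                r.transport = m.group(1)
            elif kind == "dn":
                r.bind_dn = m.group(1)
            elif kind == "ok":
                r.succeeded = True
            break
    return r

def parse_group_members(text: str) -> List[str]:
    """Member entries from `show user group name ...` output."""
    out = []
    for line in text.splitlines():
        m = _MEMBER.match(line.strip())
        if m:
            out.append(m.group(1))
    return out

def split_name(name: str) -> Tuple[str, str]:
    """'domain\\user' -> ('domain', 'user'), case-folded; no prefix -> ('', 'user')."""
    dom, _, user = name.rpartition("\\")
    return dom.lower(), user.lower()

def membership(allow_name: str, members: List[str]) -> Tuple[str, Optional[str]]:
    """Heuristic (mine, not PAN-OS's logic): 'exact' if the identity matches a member
    as written, 'user-only' if only the user part matches (domain prefix differs),
    otherwise 'absent'. Returns the matching member entry where there is one."""
    want = split_name(allow_name)
    for m in members:
        if split_name(m) == want:
            return "exact", m
    for m in members:
        if split_name(m)[1] == want[1]:
            return "user-only", m
    return "absent", None

def review(r: AuthTest, members: List[str]) -> List[str]:
    """Findings a reviewer would raise about the transcript and the group listing."""
    out = []
    if r.allow_group is None:
        out.append("no allow-list check recorded: the profile does not restrict who may authenticate")
    elif r.allow_group.lower() == "all":
        out.append('allow list is "all": any directory user who can bind is accepted; '
                   'an administrator profile should be limited to an admin group')
    if r.transport == "LDAP":
        out.append("plain LDAP in use: bind credentials cross the network unencrypted; use LDAPS")
    if not r.succeeded:
        out.append('no "Authentication succeeded" line: treat the test as failed')
    if r.allow_name and members:
        how, m = membership(r.allow_name, members)
        if how == "user-only":
            out.append(f'identity "{r.allow_name}" appears in the group as "{m}": the domain '
                       'prefix differs, so compare the two forms before relying on a group allow list')
        elif how == "absent":
            out.append(f'identity "{r.allow_name}" is not a member of the group')
    return out

if __name__ == "__main__":
    result = parse_auth_test(SAMPLE_AUTH_TEST)
    for finding in review(result, parse_group_members(SAMPLE_GROUP)):
        print("-", finding)
```

Run against the post's own output it reports two findings: the "all" allow list, and the differing domain prefix between the identity the firewall checked ("domain.lan\steven.williams.da") and the group member entry ("domain\steven.williams.da"). Neither is asserted as the root cause; they are the two places to look before widening the allow list permanently.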