Inconsistent User Name with Multiple Group Mapping Profiles

Created On 09/26/18 13:48 PM - Last Modified 06/07/23 06:53 AM




Problem

 

This article discusses why the "User Name" shown in group mapping is inconsistent when multiple group mapping profiles are configured on the firewall.


For example, two group mapping profiles are configured, one fetching the "sAMaccount" and the other fetching the "userPrincipalName". The "User Name" is observed to change from "userPrincipalName" to "sAMaccount" and vice versa.

 

 

The following section illustrates this behaviour with an example:


Group mapping profile to populate User Name with "sAMaccount"

 

[Screenshot of the group mapping profile configuration: Snip20170125_32.png]

 

 

Group mapping profile to populate User Name with "userPrincipalName"

 

[Screenshot of the group mapping profile configuration: Snip20170125_30.png]

 


A test user with the following attributes is present in Active Directory:

 

"userPrincipalName"     :  dennis.lee@lab333.local
"sAMaccount"            :  lab333\dlee

 

 

The initial mapping for the user shows the "userPrincipalName" being fetched:

 


PA-VM-1> show user user-ids

User Name             Vsys      Groups
------------------------------------------------------------------
lab333\dennis.lee     vsys1     cn=support-group,ou=user-groups,ou=departments,dc=lab333,dc=local


Total: 1
* : Custom Group

 

 


A manual refresh of the group mapping with sAMaccount overwrites the UPN with the sAMaccount:

 

PA-VM-1> debug user-id refresh group-mapping group-mapping-name AD-10.129.80.115-sAMaccount

PA-VM-1> show user user-ids

User Name          Vsys       Groups
------------------------------------------------------------------
lab333\dlee       vsys1      cn=support-group,ou=user-groups,ou=departments,dc=lab333,dc=local


Total: 1
* : Custom Group

 

 

Solution

 

This behaviour is seen because both group mapping profiles fetch the users for the same group, and whichever profile refreshes last overwrites the previous mapping.

 

If the requirement is to have a consistent User Name attribute for the user belonging to the group, it is advised to use a single group mapping profile.
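
A check for the overwrite described above, as an added example that is not part of the original article or Palo Alto Networks code: it parses two captured outputs of `show user user-ids` and reports groups whose member count stayed the same while the user names changed. The sample text is constructed from the two outputs shown above; the function names and the row layout (user, vsys, group DN, with no whitespace in the first two fields) are assumptions of this example.

```python
import re

# Constructed sample input: the two `show user user-ids` outputs from this article.
BEFORE = r"""User Name             Vsys      Groups
------------------------------------------------------------------
lab333\dennis.lee     vsys1     cn=support-group,ou=user-groups,ou=departments,dc=lab333,dc=local

Total: 1
* : Custom Group
"""

AFTER = r"""User Name          Vsys       Groups
------------------------------------------------------------------
lab333\dlee       vsys1      cn=support-group,ou=user-groups,ou=departments,dc=lab333,dc=local

Total: 1
* : Custom Group
"""


def parse_user_ids(text):
    """Return {(vsys, group_dn): {user names}} from `show user user-ids` output."""
    members = {}
    for line in text.splitlines():
        fields = line.split(None, 2)
        # Assumed data row: user, vsys, group DN. Header, rule, totals and legend are skipped.
        if len(fields) != 3 or not re.fullmatch(r"vsys\d+", fields[1]):
            continue
        user, vsys, group = fields
        members.setdefault((vsys, group.strip().lower()), set()).add(user.lower())
    return members


def renamed_members(before, after):
    """List groups where names were swapped one-for-one between two snapshots.

    An equal number of removed and added names with unchanged group size is a
    heuristic for a user-name attribute flip rather than a membership change.
    """
    old, new = parse_user_ids(before), parse_user_ids(after)
    findings = []
    for key in sorted(old.keys() & new.keys()):
        gone, added = old[key] - new[key], new[key] - old[key]
        if gone and len(gone) == len(added):
            findings.append((key, sorted(gone), sorted(added)))
    return findings


if __name__ == "__main__":
    for (vsys, group), gone, added in renamed_members(BEFORE, AFTER):
        print(f"{vsys} {group}: {gone} -> {added}")
```

Run against snapshots taken before and after each profile's refresh interval, a non-empty result indicates that more than one profile is populating the same group.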

 


