Authentication modifier doesn't truncate the domain information present in the %USERINPUT% when domain name field is present and login attribute is of type userPrincipalName

Authentication modifier doesn't truncate the domain information present in the %USERINPUT% when domain name field is present and login attribute is of type userPrincipalName

582
Created On 04/14/22 07:36 AM - Last Modified 10/27/25 16:43 PM


Symptom


  • In the authentication profile;
    • Login Attribute is specified as 'UserPrincipalName'
    • User Domain exists
    • User modifier is set to 'None' or '%USERINPUT%'
Screen Shot 2022-04-14 at 16.23.56.png
 
  • In the GlobalProtect log, the source user shows like 'test.local\user4@test.local'.Screen Shot 2022-04-14 at 16.31.38.png
 
  • Authentication for the user fails, and the traffic is dropped because it does not match any group-based policy.
 

Environment


  • NGFW or Prisma Access Firewalls
  • GlobalProtect
  • Authentication Profile
  • LDAP
     

Cause


  • This is by design and by the nature of UPN.  '@' is a valid sign for UPN, so it will not be normalized.
  • For example, 'user@domain.com' is considered UPN as a whole. In that case, the domain cannot be presented with '@' but has to be in '\' format. 

Resolution


  1. Use the samAccountName alternative to UserPrincipalName,
  2. The authentication will now succeed and match the group-based policy.
  3. En example of setting for authentication profile:
    • Login username: test.local\user1
    • Login Attribute: samAccountName
    • User Domain: test.local
    • Username Modifier: None
    • GlobalProtect log: test.local\user1
    • The user name sent to the LDAP server: user1
  4. If a feature request is required, Contact your account team and submit the same.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004O5xCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail