Authentication profile selection in an authentication sequence when a user belongs to multiple domains

Created On 07/31/20 19:07 PM - Last Modified 07/07/25 20:44 PM


Symptom


  • The end user is part of multiple domains and uses the same login credentials to log in to each of them.
  • For example, user1 is part of domain 1, domain 2 and domain 3.

The authentication sequence follows this order:
LDAP domain 1
LDAP domain 2
LDAP domain 3
  • When the user tries to log in to domain 2 with just the username (user1), authentication is performed against the first domain (domain 1).


Environment


PAN-OS 8.1
LDAP authentication is used for GlobalProtect portal login.


Cause


Because the user's login credentials are the same across domains, they match the first authentication profile in the sequence, which authenticates the user.

Resolution


  • Forcing the user directly to the right authentication profile in a sequence is not supported when only the username is used for login.
  • The user has to enter the desired domain name in the format 'domain\username' at login so that the firewall can match the domain name with the one specified in the authentication profile.
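
The selection behaviour described above, as an added example that is not part of the original article and is not PAN-OS code. It is a simplified model: the class and function names, the sample password and the case-insensitive domain comparison are assumptions made for illustration.

```python
# Simplified model of the sequence behaviour described in this article.
# Not PAN-OS code; all names and credentials below are constructed samples.
import hmac
from dataclasses import dataclass, field


@dataclass
class LdapProfile:
    name: str                                   # authentication profile name
    domain: str                                 # domain configured in the profile
    users: dict = field(default_factory=dict)   # username -> password (sample data)

    def authenticate(self, username, password):
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)


def split_login(login):
    """Split 'domain\\username' into (domain, username); a bare name has no domain."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return domain.lower(), user   # assumption: domain match ignores case
    return None, login


def select_profile(sequence, login, password):
    """Return the name of the profile that authenticates the login, or None."""
    domain, user = split_login(login)
    for profile in sequence:
        # With a domain prefix, only the profile for that domain is eligible.
        if domain is not None and profile.domain.lower() != domain:
            continue
        # Without a prefix, the first profile that accepts the credentials wins.
        if profile.authenticate(user, password):
            return profile.name
    return None


# Same credentials in every domain, in the order given in the article.
SEQUENCE = [
    LdapProfile("LDAP domain 1", "domain1", {"user1": "S3cret!"}),
    LdapProfile("LDAP domain 2", "domain2", {"user1": "S3cret!"}),
    LdapProfile("LDAP domain 3", "domain3", {"user1": "S3cret!"}),
]

if __name__ == "__main__":
    for login in ("user1", "domain2\\user1", "domain9\\user1"):
        print(login, "->", select_profile(SEQUENCE, login, "S3cret!"))
```

In this model the bare username always lands on the first profile, and a prefix naming a domain that no profile in the sequence is configured for is rejected rather than falling back to the first profile.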

