Users not matching portal agent configs when configured with "user name" as a selection criteria


Created On 01/26/24 13:45 PM - Last Modified 07/25/24 23:23 PM


Symptom


  • Users do not match portal agent configs whose selection criterion is "user name" when multiple group-mapping entries are present.
  • gpsvc debug-level logs show that the user is finalised with an empty domain and therefore does not match the client config whose selection criterion is the user name:
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.87495612-08:00","message":"setUserDomainFinal: set domain=(empty_domain) from EMPTYDOMAIN"}
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.8749804-08:00","message":"setUserDomainFinal: done user=xyz@domain.com domain=(empty_domain)"}
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.875013696-08:00","message":"PAN_AUTH_SUCCESS"}
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.875072494-08:00","message":"GetPortalConfig: args: &{ServerAddr:1.1.1.2 User:xyz@domain.com Domain:(empty_domain) ClientOs:Windows SerialNo:xxxxxxx PeerSerialNo: SkipCc:false DomainInAuthProf: DomainInCertProf: CscSupport:true CscData: NeedSatConfig:false NeedClientlessConfig:false}"}
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.875092072-08:00","message":"GetPortalConfig: TenantId: xxxxxx, SuperTenantId: xxxxxxx"}
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.875148703-08:00","message":"GetPortalConfig: domain list []"}
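The check below is an added example, not part of the article or of any Palo Alto Networks tool. It triages gpsvc debug lines in bulk: for each task it flags a user whose `setUserDomainFinal: done` line carries `domain=(empty_domain)` and records whether the matching `GetPortalConfig: domain list` line was empty, which is the log pattern described above. The sample lines are constructed from the ones in the article (serial, tenant and address values omitted or placeholders), and the `task` field is assumed to tie the lines of one portal request together.

```python
import json

# Constructed sample gpsvc debug lines, modelled on the article's output.
# Task 177689-5 reproduces the symptom; task 177689-6 is a healthy request
# (hypothetical values, not from a real deployment).
SAMPLE_LOG = """\
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.87495612-08:00","message":"setUserDomainFinal: set domain=(empty_domain) from EMPTYDOMAIN"}
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.8749804-08:00","message":"setUserDomainFinal: done user=xyz@domain.com domain=(empty_domain)"}
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.875013696-08:00","message":"PAN_AUTH_SUCCESS"}
{"level":"warn","task":"177689-5","time":"2023-12-12T01:56:09.875148703-08:00","message":"GetPortalConfig: domain list []"}
{"level":"warn","task":"177689-6","time":"2023-12-12T01:57:00.000000000-08:00","message":"setUserDomainFinal: done user=abc@domain.com domain=domain.com"}
{"level":"warn","task":"177689-6","time":"2023-12-12T01:57:00.100000000-08:00","message":"GetPortalConfig: domain list [domain.com]"}
"""

EMPTY_DOMAIN = "(empty_domain)"
DONE_PREFIX = "setUserDomainFinal: done "
LIST_PREFIX = "GetPortalConfig: domain list "


def parse_lines(text):
    """Parse one JSON object per line; non-JSON lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return entries


def find_empty_domain_users(text):
    """Return {task_id: {"user": ..., "domain_list_empty": bool}} for every
    task whose user was finalised with an empty domain."""
    findings = {}
    for entry in parse_lines(text):
        msg = entry.get("message", "")
        task = entry.get("task", "?")
        if msg.startswith(DONE_PREFIX):
            # "user=xyz@domain.com domain=(empty_domain)" -> key/value pairs
            fields = dict(kv.split("=", 1) for kv in msg[len(DONE_PREFIX):].split())
            if fields.get("domain") == EMPTY_DOMAIN:
                findings[task] = {"user": fields.get("user"), "domain_list_empty": False}
        elif msg.startswith(LIST_PREFIX) and task in findings:
            findings[task]["domain_list_empty"] = msg[len(LIST_PREFIX):].strip() == "[]"
    return findings


if __name__ == "__main__":
    for task, info in find_empty_domain_users(SAMPLE_LOG).items():
        print(f"task {task}: user {info['user']} finalised with empty domain; "
              f"portal domain list empty: {info['domain_list_empty']}")
```

Run it against an exported gpsvc debug log instead of `SAMPLE_LOG` to list every user affected before changing the group-mapping configuration, and again afterwards to confirm the empty-domain lines are gone.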


Environment


  • Prisma Access
  • Group Mapping


Cause


  • Check whether an override domain (User Domain) is set on all of the group-mapping entries.
  • The same groups can be fetched by different group-mapping entries. This is redundant and causes problems when override domains are set.
  • By default, User Domain is blank: the firewall automatically detects the domain names for Active Directory servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source.
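The audit below is an added example, not Palo Alto Networks code. It models the two conditions listed under Cause against a set of group-mapping entries: which entries carry a non-blank User Domain override, and which groups are fetched by more than one entry. The entries, names and group DNs are constructed for illustration, and the dictionary shape (`name`, `user_domain`, `groups`) is an assumption for the example rather than a PAN-OS data format.

```python
from collections import defaultdict

# Constructed group-mapping entries (hypothetical names and DNs, not from a
# real configuration). A blank "user_domain" means the firewall auto-detects
# the Active Directory domain; a value is the override described above.
GROUP_MAPPINGS = [
    {"name": "gm-corp-primary", "user_domain": "corp.example",
     "groups": ["cn=vpn-users,ou=groups,dc=corp,dc=example",
                "cn=admins,ou=groups,dc=corp,dc=example"]},
    {"name": "gm-corp-secondary", "user_domain": "corp.example",
     "groups": ["cn=vpn-users,ou=groups,dc=corp,dc=example"]},
    {"name": "gm-partner", "user_domain": "",
     "groups": ["cn=partners,ou=groups,dc=corp,dc=example"]},
]


def audit_group_mappings(mappings):
    """Return (names of entries with an override domain set,
    {group: [entry names]} for groups fetched by more than one entry)."""
    overrides = [m["name"] for m in mappings if m.get("user_domain", "").strip()]
    fetched_by = defaultdict(list)
    for m in mappings:
        for group in m.get("groups", []):
            fetched_by[group].append(m["name"])
    duplicates = {g: names for g, names in fetched_by.items() if len(names) > 1}
    return overrides, duplicates


def clear_override_domains(mappings):
    """Resolution step 1 modelled on the data: copies with User Domain blank."""
    return [dict(m, user_domain="") for m in mappings]


if __name__ == "__main__":
    overrides, duplicates = audit_group_mappings(GROUP_MAPPINGS)
    print("entries with override domain:", overrides)
    for group, names in duplicates.items():
        print(f"group {group} fetched by multiple entries: {names}")
```

Both findings together are the situation the article describes: a duplicated group reached through entries with override domains. Clearing the override on every entry (the first Resolution step) removes the first finding; the second is worth cleaning up independently so each group is fetched by exactly one entry.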



Resolution


  1. Clear override domain from all of the group-mapping entries.
  2. This field affects only the usernames and group names retrieved from the LDAP source.
  3. To override the domain associated with a username for user authentication, configure the User Domain and Username Modifier in the authentication profile assigned to the user (Device > Authentication Profile).


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008WntCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail