Multiple PANOS email alerts stating user authentication failed for various users

Multiple PANOS email alerts stating user authentication failed for various users

4293
Created On 03/16/23 00:18 AM - Last Modified 07/16/25 21:10 PM


Symptom


 Users receiving multiple alerts from the PANW firewall stating "user failed authentication for user 'xxxx'. User has logged successfully but alert says user account is locked."

Environment


  •  Any Palo Alto Networks (PANW) firewall
  •  Email alerts configured for failed authentication attempts
  •  GlobalProtect (GP) using Pre-Logon (Always On) connect method and Single Sign On (SSO)

Cause


  •  The username entered during host login was different than the username used for GP.
  •  Since SSO is configured, the first username entered would fail authentication to the Portal/Gateway as it doesn't match what's configured in the authentication profile.

Resolution


  1. To resolve the issue, Disable SSO while using the Always On connect method if the username differs from what GP expects
  2. Note that SSO is enabled by default for Windows hosts beginning in PAN-OS 10.1. Refer to GlobalProtect User Authentication

Additional Information


 GlobalProtect User Authentication
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHN5CAM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language