Plugin Validation error during Commit after configuring Directory Sync Alternate User Name
Created On 07/27/22 18:09 PM - Last Modified 09/20/24 02:30 AM
Symptom
- Alternate User Name is configured in the Directory Sync integration.
- plugin_cloud_services.log (viewed with less plugin-log plugin_cloud_services.log) displays the following error during the commit process:
> ERROR: [validation] Errors: User attribute onPremisesUserPrincipalName in Prisma Access Group Mapping is not available in Directory Sync.
Environment
- Panorama managed Prisma Access
- Directory Sync
Cause
Unsupported directory attribute.
Resolution
- Remove the attribute listed in plugin_cloud_services.log. In this case it is "onPremisesUserPrincipalName".
- Not all AD attributes are supported on Prisma Access. The following table lists the supported attributes.
| NAME | DIRECTORY ATTRIBUTE |
|---|---|
| Common-Name | cn |
| Country | co |
| Department | department |
| Distinguished Name | dn |
| Groups | memberOf |
| Last Login | lastLogon |
| LastLogonTime | lastLogonTimestamp |
| Location | l |
| MSDSAllowedDelegatedTo | msDS-AllowedToDelegateTo |
| MSDSAllowedToActOnBehalfOfOtherIdentity | msDS-AllowedToActOnBehalfOfOtherIdentity |
| MSDSSupportedEncryptionTypes | msDS-SupportedEncryptionTypes |
| Manager | manager |
| NETBIOS Name | nETBIOSName |
| Name | displayName |
| Object Class | objectClass |
| Primary Group ID | primaryGroupID |
| SAM Account Name | sAMAccountName |
| SID | objectSid |
| SID History | sIDHistory |
| Service Principal Name | servicePrincipalName |
| Title | title |
| Unique Identifier | objectGUID |
| User Principal Name | userPrincipalName |
| UserAccountControl | userAccountControl |
| WhenChanged | whenChanged |
| WhenCreated | whenCreated |
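
The two resolution steps above can be checked against an exported copy of the log before the next commit. The following is an added example, not Palo Alto Networks code: it pulls the rejected attribute out of validation errors in the format quoted under Symptom and checks a planned attribute list against the table. The function names and the sample log are constructed for illustration, and names are assumed to be compared exactly as the table writes them.

```python
import re

# Supported directory attributes, copied from the table on this page.
SUPPORTED = {
    "cn", "co", "department", "dn", "memberOf", "lastLogon",
    "lastLogonTimestamp", "l", "msDS-AllowedToDelegateTo",
    "msDS-AllowedToActOnBehalfOfOtherIdentity",
    "msDS-SupportedEncryptionTypes", "manager", "nETBIOSName",
    "displayName", "objectClass", "primaryGroupID", "sAMAccountName",
    "objectSid", "sIDHistory", "servicePrincipalName", "title",
    "objectGUID", "userPrincipalName", "userAccountControl",
    "whenChanged", "whenCreated",
}

# Pattern built from the single error line quoted in the Symptom section.
ERROR_RE = re.compile(
    r"User attribute (?P<attr>\S+) in Prisma Access Group Mapping "
    r"is not available in Directory Sync"
)

def rejected_attributes(log_text):
    """Return attributes named in validation errors, in first-seen order."""
    seen = []
    for match in ERROR_RE.finditer(log_text):
        if match.group("attr") not in seen:
            seen.append(match.group("attr"))
    return seen

def unsupported(attrs):
    """Return the attributes that are absent from the supported table.
    Assumption: names are compared exactly as the table writes them."""
    return [a for a in attrs if a not in SUPPORTED]

# Constructed sample: the first line is the error quoted on this page; the
# second is invented filler to show that non-matching lines are skipped.
SAMPLE_LOG = """\
ERROR: [validation] Errors: User attribute onPremisesUserPrincipalName in Prisma Access Group Mapping is not available in Directory Sync.
INFO: constructed filler line, not real plugin output
"""

if __name__ == "__main__":
    for attr in rejected_attributes(SAMPLE_LOG):
        print("remove from Group Mapping:", attr)
    # Pre-commit check of a planned attribute list (constructed values).
    planned = ["userPrincipalName", "onPremisesUserPrincipalName"]
    print("unsupported:", unsupported(planned))
```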