How to Use User Principal Name (UPN) with Certificate Authentication for GlobalProtect and Group-Mapping
Created On 12/31/19 19:58 PM - Last Modified 04/27/20 19:10 PM
Objective
How to configure certificate authentication for GlobalProtect using the User Principal Name (UPN) taken from the client certificate, and match an AD group defined in a security policy rule based on that UPN. The following topics are covered:
- Client-side certificates that carry a User Principal Name (UPN) username in the Subject Alternative Name (SAN) field
- Certificate profiles to allow for GlobalProtect authentication using certificates
- GlobalProtect portal and gateway configuration
- User-id group-mapping to match that UPN username to an AD group
- Security policy match based on the username belonging to the AD group mapped to a security policy rule
- The UPN matching the AD group configured in the security policy rule
- Verification and CLI commands
Environment
- Palo Alto Networks NGFW
- PAN-OS 8.1 and later
- GlobalProtect
- User-ID
Procedure
Steps:
- Client Side Certificate: Generate the certificates to be used for GlobalProtect authentication, where the actual username is in User Principal Name (UPN) format. In this example the UPN username is "user3@bear.com". Palo Alto Networks firewalls do not yet support generating a certificate with a UPN in the Subject Alternative Name (SAN) field, so a third-party PKI must be used. The certificates in this document with the UPN in the SAN field were generated on Ubuntu 16.x with OpenSSL installed. The following shows the certificate with the UPN in the SAN field that will be used as the User-ID username. This certificate is installed on the client computer where the GlobalProtect agent is installed:
- Root CA Certificate: This is the root CA certificate that issued the above client side certificate. Import the root CA certificate into the firewall:
- Certificate Profile: Create a new certificate profile and give it a name. In the section named "CA Certificates" click Add and select the root CA certificate. For the "Username Field", use the drop-down to select "Subject Alt" and click the "Principal Name" radio button, as seen below:
- GlobalProtect Portal: In the GlobalProtect portal, on the "Authentication" tab, use the "Certificate Profile" drop-down to select the certificate profile created in step 3:
- GlobalProtect Gateway: In the GlobalProtect gateway, on the "Authentication" tab, use the "Certificate Profile" drop-down to select the same certificate profile created in step 3:
- Security Policy: Create a new security policy rule, fill out all required fields, and on the "User" tab click Add under Source User and select the AD group that contains the UPN username generated in step 1. In this example, step 1 generated a certificate with the UPN username "user3@bear.com" in the SAN field, installed on the client computer. This UPN "user3@bear.com" exists in the AD group "cn=vpn,ou=vpnou,dc=bear,dc=com". User-ID group-mapping must be set up before this step can be completed; see the link at the bottom of this document on how to configure the User-ID Group-Mapping feature:
- User-ID Group-Mapping: Once User-ID group-mapping is configured, navigate to the group mapping settings and, on the "User and Group Attributes" tab, set "userPrincipalName" as the "Primary Username". The default "Primary Username" is "sAMAccountName", so that attribute must be moved to the "Alternative Username 1" field, as seen in the following example:
- Active Directory: The Active Directory group mapped in the security policy rule in step 6 must include the UPN username "user3@bear.com". The following shows that the UPN user "user3@bear.com" is a member of the AD group "vpn" under the OU "vpnou":
- Testing: From the client computer with the GlobalProtect agent installed, connect to the GlobalProtect portal/gateway and verify that the firewall's traffic logs show the user "user3@bear.com" in the "Source User" column, in UPN format. Also confirm that the "Rule" column shows the security policy rule the user should match, i.e. the rule with the AD group bear\vpn mapped to it. In this case that rule is 'Trust-to-Untrust-1-1'. For this test, a continuous ping to destination address '8.8.8.8' from the GlobalProtect-connected client computer matched this rule:
- CLI: To display the Source User's Primary Username in UPN format, together with any alternative usernames pulled from AD via LDAP, use the following command in the firewall's CLI:
admin@PA-VM> show user user-attributes user all
Primary: user3@bear.com        <<< Username that was extracted from Certificate on GP agent client Machine
Alt User Names:
  1) bear\user3                <<< command output includes the Normalized version of the username as well
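The following is an added example, not code from Palo Alto Networks or from this article, that ties the steps above together in one runnable Python script. It shows (1) how a UPN is carried in a certificate's Subject Alternative Name as an otherName whose type-id is the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, which is the entry the certificate profile's "Subject Alt" / "Principal Name" setting reads (the rfc822Name e-mail entry is ignored), including the OpenSSL x509v3 config line that produces it; and (2) a deliberately simplified model of User-ID group-mapping that shows why "Primary Username" must be userPrincipalName: with the default sAMAccountName, the group is keyed by "user3" and the "user3@bear.com" taken from the certificate never matches the rule's AD group. The AD records, the group DN reuse from the article and the NetBIOS domain name "bear" are constructed sample data; the matching logic is an illustration of the behaviour the article describes, not PAN-OS code.

```python
# Added example (not Palo Alto Networks code): UPN in the SAN, and a simplified
# model of User-ID group-mapping matching against the UPN taken from the cert.

# Microsoft User Principal Name OID: the otherName type-id used in the SAN.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"

def openssl_san_line(upn):
    """x509v3 extension line for OpenSSL (the third-party PKI the article uses)."""
    return f"subjectAltName=otherName:{UPN_OID};UTF8:{upn}"

# --- minimal DER helpers, just enough for a GeneralNames SAN value -----------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def encode_san(upn=None, email=None):
    """GeneralNames SEQUENCE with an optional otherName(UPN) and rfc822Name."""
    names = b""
    if upn:  # otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }
        value = _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names += _tlv(0xA0, encode_oid(UPN_OID) + value)
    if email:  # rfc822Name [1] IA5String
        names += _tlv(0x81, email.encode("ascii"))
    return _tlv(0x30, names)

def extract_upn(san_der):
    """Username Field = Subject Alt / Principal Name: return the UPN otherName only."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:          # skip rfc822Name, dNSName, etc.
            continue
        otag, oid_body, p = _read_tlv(body, 0)
        if otag != 0x06 or decode_oid(oid_body) != UPN_OID:
            continue
        vtag, value, _ = _read_tlv(body, p)
        stag, text, _ = _read_tlv(value, 0)
        if vtag == 0xA0 and stag == 0x0C:
            return text.decode("utf-8")
    return None

# --- simplified User-ID group-mapping model (constructed sample AD data) -----
NETBIOS_DOMAIN = "bear"  # assumed NetBIOS name for dc=bear,dc=com
AD_USERS = [
    {"userPrincipalName": "user3@bear.com", "sAMAccountName": "user3",
     "memberOf": ["cn=vpn,ou=vpnou,dc=bear,dc=com"]},
    {"userPrincipalName": "user4@bear.com", "sAMAccountName": "user4",
     "memberOf": []},
]

def build_group_mapping(users, primary_attr):
    """Group DN -> usernames, keyed by whichever attribute is the Primary Username."""
    mapping = {}
    for u in users:
        for dn in u["memberOf"]:
            mapping.setdefault(dn.lower(), set()).add(u[primary_attr].lower())
    return mapping

def normalized_alt_name(user):
    """The 'Alt User Names' form seen in 'show user user-attributes'."""
    return f"{NETBIOS_DOMAIN}\\{user['sAMAccountName']}"

def rule_matches(source_user, group_dn, mapping):
    """Source User (from the certificate) vs. the AD group on the policy rule."""
    return source_user.lower() in mapping.get(group_dn.lower(), set())

if __name__ == "__main__":
    user = extract_upn(encode_san(upn="user3@bear.com", email="user3@bear.com"))
    rule_group = "cn=vpn,ou=vpnou,dc=bear,dc=com"
    for primary in ("userPrincipalName", "sAMAccountName"):
        ok = rule_matches(user, rule_group, build_group_mapping(AD_USERS, primary))
        print(f"Primary Username={primary:<18} Source User={user} -> match: {ok}")
    print(openssl_san_line("user3@bear.com"), "| alt:", normalized_alt_name(AD_USERS[0]))
```

Running the script prints a match for "userPrincipalName" and no match for "sAMAccountName", which is exactly the failure seen in the traffic log when the group-mapping step is skipped: the Source User column shows "user3@bear.com", but the rule with bear\vpn never matches.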
Additional Information
HOW TO CONFIGURE GROUP MAPPING SETTINGS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0
HOW TO CONFIGURE LDAP SERVER PROFILE
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGnCAK