How to configure Active Directory Authentication for GlobalProtect users to log in with domain\username and just username format
80861
Created On 05/21/20 02:34 AM - Last Modified 01/03/24 18:03 PM
Objective
- Configure GlobalProtect to use an Active Directory Authentication Profile.
- Allow users from a specific user group to log in using the Allow List in the Authentication Profile.
- The end user should be able to log in by entering "domain\username" or just "username" in the GlobalProtect login prompt.
- sAMAccountName is used as the Login Attribute.
Environment
- Palo Alto Firewall
- PAN-OS 8.1 and above.
- Using Active Directory Authentication.
- GlobalProtect Configured.
Procedure
- Set up LDAP Authentication. Refer to: Set Up LDAP Authentication.
- In the Authentication Profile, set the "User Domain" to your Active Directory domain. For example "domain".
- Set the "Username Modifier" to "None". This value must be typed in manually because it is not available in the dropdown.
- Users should now be able to log in to GlobalProtect successfully using either domain\username or just username.
Additional Information
- When a user logs in with domain\username, that value is matched against the Allow List configured with a specific group in the Authentication Profile.
- When a user logs in with just username, the firewall prepends the configured "User Domain" and matches "User Domain"\username against the members of the user group in the Allow List.
- When submitting the username for authentication, the firewall strips the domain and sends only the username to the Active Directory server, because the "Username Modifier" has been set to "None".
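The two-step behaviour above (qualify the login name for the Allow List check, then strip the domain for the LDAP bind) is easy to get wrong when troubleshooting, so here is an added model of it in Python. This is an illustration written for this article, not PAN-OS code; the group membership and user names are constructed, the case-insensitive matching is an assumption based on Active Directory behaviour, and the extra modifier values beyond "None" are the standard PAN-OS Username Modifier options rather than anything the article uses.

```python
"""Model of how the Authentication Profile described above treats a
GlobalProtect login name. Constructed illustration, not firewall code."""
from typing import Dict, NamedTuple, Set


class LoginIdentity(NamedTuple):
    domain: str     # domain used for the Allow List check
    username: str   # bare sAMAccountName sent to the LDAP server


def parse_login(user_input: str, user_domain: str) -> LoginIdentity:
    """Split 'domain\\user' or 'user' the way the profile does.

    A bare username is qualified with the profile's configured User Domain;
    an explicit 'domain\\user' keeps the domain the user typed.
    Comparison is case-insensitive (assumption: AD names are case-insensitive).
    """
    if "\\" in user_input:
        domain, _, username = user_input.partition("\\")
    else:
        domain, username = user_domain, user_input
    return LoginIdentity(domain.lower(), username.lower())


def apply_username_modifier(identity: LoginIdentity, modifier: str = "None") -> str:
    """Build the name submitted to Active Directory.

    'None' (equivalent to %USERINPUT%) strips the domain, as the article states.
    The other two values are the standard PAN-OS modifier formats.
    """
    if modifier in ("None", "%USERINPUT%"):
        return identity.username
    if modifier == "%USERDOMAIN%\\%USERINPUT%":
        return f"{identity.domain}\\{identity.username}"
    if modifier == "%USERINPUT%@%USERDOMAIN%":
        return f"{identity.username}@{identity.domain}"
    raise ValueError(f"unknown Username Modifier: {modifier!r}")


def is_allowed(identity: LoginIdentity, allow_list: Dict[str, Set[str]]) -> bool:
    """Allow List check: group name -> set of 'domain\\user' members."""
    key = f"{identity.domain}\\{identity.username}"
    return any(key in members for members in allow_list.values())


# Constructed sample group membership for the Allow List.
GP_USERS: Dict[str, Set[str]] = {"GP-Users": {"domain\\alice", "domain\\bob"}}
```

Both `parse_login("DOMAIN\\Alice", "domain")` and `parse_login("alice", "domain")` resolve to the same identity, pass the Allow List check against `GP_USERS`, and yield the bare name `alice` for the LDAP bind when the modifier is "None".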