How to configure Active Directory Authentication for GlobalProtect users to login with domain\username and just username format

How to configure Active Directory Authentication for GlobalProtect users to login with domain\username and just username format

31284
Created On 05/21/20 02:34 AM - Last Modified 06/02/20 22:54 PM


Objective
  • Configure GlobalProtect to use Active Directory Authentication profile.
  • Allow users from a specific User Group to login using the Allow List in the Authentication profile.
  • The end user should be able to login by entering "domain\username" or just "username" in the GP login prompt.
  • sAMAccountName is used as the Login Attribute.


Environment
  • Palo Alto Firewall
  • PAN-OS 8.1 and above.
  • Using Active Directory Authentication.
  • GlobalProtect Configured.


Procedure
  1. Setup LDAP Authentication. Refer to Setting up LDAP Authentication.
  2. In the Authentication Profile, set the "User Domain" to your Active Directory domain. For example "domain".
  3. Set the "Username Modifier" to "None". It has to be manually typed in as it is not available in the Dropdown.
  4. Now, users should be able to login successfully to GlobalProtect using domain\username and just username.


Additional Information
  • When the user tries to login with domain\username, it will be matched against the allow list configured with a specific group in the Authentication Profile.
  • When the user tries to login with just username, the FW will match the configured "User Domain"\username against the members of the user group in the allow list.
  • When submitting the username for authentication, the FW will strip the domain and send only the username to the Active Directory Server for authentication.
  • This is because the "Username Modifier" has been set to "None".


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g0000008U8e&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail

Attachments