
1. Create a user with the following group memberships (Member of):


2. Open the Palo Alto Networks User-ID Agent.

Go to User Identification > Setup > Authentication.

3. In the “User name for Active Directory” field, enter the created user in the form “user logon name@domain”.

See the image below for reference.

4. Go to User Identification > Setup > Cache


User Identification Timeout (minutes): 180

5. Go to User Identification > Setup > Agent Service

User-ID Service TCP Port: 5007

If the error below occurs:

Go to:

Local Security Policy > Security Settings > Local Policies > User Rights Assignment

Find “Log on as a service” and add the created username.

Then return to the User-ID Agent. Save and Commit.


Return to User-ID.

6. Go to Device > Server Profiles > LDAP and press Add.

Fill in the details:

Profile Name: (your choice)

Server list: (Name: your choice; LDAP Server: IP of Active Directory; Port: 389)

Server Settings: Type: Active Directory; Base DN: DC=(client's AD), DC=com; Bind DN: created username

Fill in the Bind DN using the form user@domain.com

7. Go to Device > User Identification > User ID Agents

Press Add and fill in the required fields:

Name: (depends on you)

Add an Agent Using: select Host and Port

Host: (IP address of Active Directory)


Port: 5007

8. Go to Device > User Identification > Group Mapping Settings, then click Add.

9. Fill in the required fields:


10. Go to Device > User Identification > Group Mapping Settings > Group Include List

Add the users per user group:
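
A pre-flight check for the values entered in steps 3, 6 and 7, as an added example that is not part of the original guide or any Palo Alto Networks tooling: it derives the Base DN from the AD DNS domain, checks that the Bind DN is in user@domain form, and tests that TCP ports 389 and 5007 answer. The function names, the domain `corp.example.com`, the account `svc-userid` and the address `192.0.2.10` are constructed placeholders.

```python
import re
import socket

LDAP_PORT = 389            # LDAP server profile port from step 6
USER_ID_AGENT_PORT = 5007  # User-ID Service TCP Port from steps 5 and 7

UPN_RE = re.compile(r"^[^@\s\\]+@(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

def base_dn_from_domain(domain):
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    labels = domain.strip().strip(".").split(".")
    if not all(re.fullmatch(r"[A-Za-z0-9-]+", label) for label in labels):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"DC={label}" for label in labels)

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(domain, bind_dn, ad_host, agent_host, probe=tcp_reachable):
    """Return (base_dn, problems) for the values used in steps 3, 6 and 7."""
    problems = []
    base_dn = base_dn_from_domain(domain)
    match = UPN_RE.match(bind_dn)
    if not match:
        problems.append(f"Bind DN {bind_dn!r} is not in user@domain form")
    elif match.group("domain").lower() != domain.lower():
        # Expected only when an alternate UPN suffix is in use; otherwise a typo.
        problems.append(f"Bind DN suffix differs from AD domain {domain!r}")
    for label, host, port in (("LDAP", ad_host, LDAP_PORT),
                              ("User-ID agent", agent_host, USER_ID_AGENT_PORT)):
        if not probe(host, port):
            problems.append(f"{label} not reachable at {host}:{port}")
    return base_dn, problems

if __name__ == "__main__":
    # Constructed sample values; replace with the real domain, account and hosts.
    dn, issues = preflight("corp.example.com", "svc-userid@corp.example.com",
                           "192.0.2.10", "192.0.2.10")
    print("Base DN:", dn)
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it from a host on the same network path as the firewall's management interface, since a port that answers from the AD server itself can still be blocked in between.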
