Here’s a quick note for anyone looking to understand how they can allow either the standard samAccountName (username) or the userPrincipalName (usually the email address) to be used by users when logging into the GlobalProtect VPN client when authenticating against Windows Active Directory via LDAP.
I will assume that you already have basic username authentication working. So this post will outline how you can add the ability for users to use the userPrincipalName as opposed to their samAccountName (username).
Step 1. Assuming you already have an Authentication Profile setup to authenticate usernames (samAccoutName) you’ll need to clone that profile and then update the Login Attribute to “userPrincipalName”.
Step 2. Create an Authentication Sequence that includes both your Authentication Profiles, the original profile along with the profile you created in the step above. In the example below I’m using “auth_ldap”.
Step 3. Update your GlobalProtect Portal Configuration Client Authentication to reference this new Authentication Sequence. Network -> GlobalProtect -> Portals, edit your configuration and update the authentication profile to “auth_ldap”.
Step 4. Update your GlobalProtect Gateway Configuration Client Authentication to reference this new Authentication Sequence. Network -> GlobalProtect -> Gateways, edit your configuration and update authentication profile to “auth_ldap”.
Step 5. Commit your changes.
With that all done you can now test, using either your samAccountName (username) or your userPrincipalName (usually the email address of the user).
It works like a charm.