Juniper v5.3 Upgrade Questions (Active Directory)



  • I posted the following message, prior to the forum experiencing problems. Unfortunately, the message was lost and I am, therefore, reposting. Also, at the time of the original post, 5.3 was not GA. Since it is now available, is anyone running 5.3? Any comments on Active Directory Authentication? Any other issues you encountered when upgrading that you’d care to comment on?

    Thanks!

    ORIGINAL POST:

    We are currently running a NetScreen SA-3000 Juniper SSL VPN appliance at software version 4.1.1-S1 and have tried on multiple occasions to upgrade to version 5.0R1. Unfortunately, after each upgrade attempt, we’ve been forced to roll back to 4.1.1 due to persistent Active Directory user authentication issues. On our current software version (4.1.1), the Primary and Secondary Domain Controllers (AD) are properly configured on the appliance using IP addresses and our domain name is specified. In “Additional Options”, the radio button for “Specify Kerberos realm name” is selected and the field is blank. The IVE administrator account has domain administrator privileges and our AD servers are running in native mode. Using this configuration, users encounter an account lockout after only two failed access attempts, even though the AD policy is configured to lockout on the third failed attempt. This is less than desirable, but tolerable.

    After upgrading to v5.0R1, the authentication options change and so does user authentication behavior. We have tried the following configurations with the results listed below:

    Configuration: Kerberos only / Use LDAP to get Kerberos realm name

    • First Failed Logon Attempt (Works as expected): “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (No “Account Locked” Notice Given): “Invalid username or password. Please re-enter your user information.”
    • Force pwd Change (Fails): “Invalid username or password. Please re-enter your user information.”

    Configuration: Try Kerberos, fall back to NTLM v2 / Use LDAP to get Kerberos realm name

    • First Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • First failed attempt locks account, but second attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    Configuration: Try Kerberos, fall back to NTLM v2 or NTLM v1 / Use LDAP to get Kerberos realm name

    • First Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • First failed attempt locks account, but second attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    After opening a case with Technical Support and going back and forth with log files and traces, the case was escalated and I was immediately told that this is a known issue that is resolved in v5.3. My understanding is that 5.3 beta testing has ended and the version is scheduled for release sometime around March 2006.

    Q1: Has anyone else seen this user authentication behavior on their appliance?
    Q2: If someone reading this was part of the 5.3 beta test, did you experience any AD authentication issues with this new version?

    REFERENCE:

    AD AUTHENTICATION OPTIONS v4.1.1-S1

    SERVER:
    Name: Domain Controller
    PDC or AD: nnn.nnn.nnn.nnn
    Backup PDC or AD: nnn.nnn.nnn.nnn
    Domain: xxxx.com


    ADMINISTRATOR:
    Admin Username: IVEAccount
    Admin Password: ********

    ADDITIONAL OPTIONS:
    ( ) Use LDAP to get Kerberos realm name
    (*) Specify Kerberos realm name: Blank

    AD AUTHENTICATION OPTIONS v5.0R1

    SERVER:
    Name: Domain Controller
    PDC or AD: nnn.nnn.nnn.nnn
    Backup PDC or AD: nnn.nnn.nnn.nnn
    Domain: xxxx.com


    ADMINISTRATOR:
    Admin Username: IVEAccount
    Admin Password: ********

    ADDITIONAL OPTIONS:
    Authentication protocol:
    (*) Kerberos only (most secure)
    ( ) Try Kerberos, fall back to NTLM v2 (moderately secure)
    ( ) Try Kerberos, fall back to NTLM v2 or NTLM v1 (less secure)

    Kerberos Realm Name
    ( ) Use LDAP to get Kerberos realm name
    (*) Specify Kerberos realm name: Blank

    AD AUTHENTICATION OPTIONS v5.0R1

    ???

    If anyone could provide information on how the authentication options in v5.3 look, I’d greatly appreciate it!

    Thanks!

    OTHER INFORMATION:

    Active Directory Authentication Protocol Selection
    Juniper’s Active Directory authentication server implementation supports three authentication protocols: Kerberos, NTLMv1 and NTLMv2. This enhancement allows the administrator to independently configure whether each protocol will be used or ignored.

    Customer Benefits
    Improves usability by avoiding authentication attempts through protocols that are not supported by the customer’s AD implementation. Attempts using unsupported protocols count against the failed login count policy in AD.

    Document: What’s New in IVE v5.3



  • UPDATE:

    We’ve upgraded our test appliance to v5.3R1 (Build 10197). Authentication protocols are now specified by checkboxes and Kerberos is still configured by radio buttons. The “Computer Name” of the IVE appliance, as it appears in Active Directory, is also now listed, which is nice. I’ve also found configurations that authenticate users properly, lock out accounts on the third failed attempt, and perform forced password changes properly. It’s nearly perfect. The only down side is that, regardless of the configuration, I have not been able to get the “Your account has been locked out” notification to display on the third failed attempt. However, it will appear on the fourth attempt, even though the account is locked out on the third. (See test results in blue)

    REFERENCE:

    Authentication: Auth. Servers / (Active Directory / Windows NT Authentication Server)

    AD AUTHENTICATION OPTIONS v5.3R1

    Server
    Name: Active Directory / Windows NT Authentication Server
    Primary Domain Controller or Active Directory: nnn.nnn.nnn.nnn
    Backup Domain Controller or Active Directory: nnn.nnn.nnn.nnn
    Domain: xxxxxx.COM
    Computer Name: vc0000_(8 digit hex)_


    Administrator
    Admin Username: IVEAccount
    Admin Password: ********

    Additional Options
    Authentication protocol
    Specify the protocol to use during authentication.



    Kerberos Realm Name
    Specify the method to use to get Kerberos Realm Name for AD servers
    (*) Use LDAP to get Kerberos realm name
    ( ) Specify Kerberos realm name: Blank

    TEST RESULTS:

    USE LDAP TO GET KERBEROS REALM NAME
    Kerberos/NTLM2/NTLM1 & LDAP

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • First failed attempt locks account, but second attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    Kerberos/NTLM2 & LDAP

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • First failed attempt locks account, but second attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    Kerberos & LDAP

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (No “Account Locked” Notice Given): “Invalid username or password. Please re-enter your user information.”
    • Force pwd Change (Fails): “Invalid username or password. Please re-enter your user information.”

    NTLM2 & LDAP

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third failed attempt locks account, but fourth attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    NTLM1 & LDAP

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third failed attempt locks account, but fourth attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    Kerberos/NTLM1 & LDAP

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • First failed attempt locks account, but second attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    NTLM1/NTLM2 & LDAP

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third failed attempt locks account, but fourth attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    SPECIFY KERBEROS REALM NAME

    Kerberos/NTLM2/NTLM1 & Specify Kerberos realm name: Blank

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • First failed attempt locks account, but second attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    Kerberos/NTLM2 & Specify Kerberos realm name: Blank

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • First failed attempt locks account, but second attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    Kerberos & Specify Kerberos realm name: Blank

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (No “Account Locked” Notice Given): “Invalid username or password. Please re-enter your user information.”
    • Force pwd Change (Fails): “Invalid username or password. Please re-enter your user information.”

    NTLM2 & Specify Kerberos realm name: Blank

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third failed attempt locks account, but fourth attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    NTLM1 & Specify Kerberos realm name: Blank

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third failed attempt locks account, but fourth attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    Kerberos/NTLM1 & Specify Kerberos realm name: Blank

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • First failed attempt locks account, but second attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    NTLM1/NTLM2 & Specify Kerberos realm name: Blank

    • User authenticates when correct pwd is entered
    • First Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Second Failed Logon Attempt: “Invalid username or password. Please re-enter your user information.”
    • Third Failed Logon Attempt (Account Locks): “Invalid username or password. Please re-enter your user information.”
    • Third failed attempt locks account, but fourth attempt indicates: “Your account has been locked out.”
    • Force pwd Change (Works Okay): “Your password must be changed. You must create a new password to continue.”

    END OF TESTING

