Auth Server - AD problems - PLEASE HELP! I'M DOWN!


  • Engineer

    Hi,

I am not sure this is the complete fix!

Because they told me it will be fixed in 6.0r3.1 (so ask them).

    GreetZ,
    Frac



  • Time to bump this baby….

    Looking at the release notes for V6.0R3 I see the following…

    AAA - This release fixes an Active Directory based authentication issue that some customers have faced on upgrading to 6.0R1 and 6.0R2 from earlier releases. This issue affected those customers whose NetBIOS domain names were different than their DNS domain names. (52382)

    Could this be the fix for this problem? I’ve contacted JTAC and trying to book the downtime for our IVE ASAP to try this.

    Balders



  • 😞
FYI I’m still unable to upgrade. We do not want to rewrite our rule set. We are still waiting for JTAC, who are still working on it and giving us updates.

Trying to get a demo got from a distributor or Juniper so we can bench the problem more easily in the environment.



  • OK, ladies and gentlemen, I FIXED IT! With the help of THIS holy thread!
    This problem really made me SICK in my empty brain!

    Now it works fine - I can authorize users from ALL domains who have a trust relation to our domain.

    I will write in the next days an “extra” big thread with a detailed howto, so that others save time and nerves.

    With this OPTIMAL solution for AD Authentication and Authorization, I DON'T need any LDAP server, I DON'T need any RADIUS server.

    ALL I need is an Active Directory Authentication Server configured on the IVE and WINBIND. WINBIND is the key to true happiness with IVE and Active Directory!

    My mistakes have been:

    • on the AD Auth. Server I configured Admin Credentials as domain\adminuser, but I only had to use adminuser (without any prefix!)

    • in the server catalog, when choosing the AD groups my VPN users are members of, I did not have to search them via LDAP - I only had to use the LDAP Name, and not the DOMAIN Name. What is the difference? Well - a domain can have ANY name. But the LDAP Name is the first part of the domain DN, so if your domain is superb.company.com, then superb is the LDAP name.
      So, for the groups I had to configure in the server catalog on the IVE, I had to use ldapname/groupname, and NOT domain\groupname or domain/groupname.

    Now everything is PERFECT, and this is really the preferred way to use AD with your IVE.

    Detailed HowTo will follow!



  • When I enter domain\adminname, the authentication does not fail, but - as seen in the policy trace - WINBIND fails, because the IVE cannot join the domain.



  • @spacyfreak:

    On the AD Authentication Server, my mistake was that I gave at Admin Login domain\domainadmin. But it did not work as long as I gave the prefix domain. It only worked WITHOUT the prefix! Strange world!

    So in the Admin Username: field you give the username without the domain\ part and it works?
    Hmmm that’s what we have done. What happens when you put domain\adminusername? Does the authentication fail?



  • On the AD Authentication Server, my mistake was that I gave at Admin Login domain\domainadmin. But it did not work as long as I gave the prefix domain. It only worked WITHOUT the prefix! Strange world!



  • Just to say we are up to the next line of JTAC…

    We are on 5.5R1; they have tested it with 5.5R3 and it works. Could it be the versions? Anyone else here having this problem on 5.5R1?

    Balders



  • Try to use in AD Authentication Server configuration

    Filter memberOf

    and not

    Filter member

    That worked in my case. I had the same problem that no roles were assigned when using filter member.



  • Hi,

    You say nested groups, but that's not exactly the same problem we had, though they may be related anyway. Today I had yet another AD auth problem (in another environment) with 5.5R3 which did not happen in 5.3R10, which I just upgraded from….



  • Just wanted to put in a “Me Too” to this forum whereby nested groups in AD are not resolved in 6.0r1 (worked just fine in 5). Also have a support ticket open with Juniper on this, have uploaded traces, kitchen sink etc but I think they are coming for my first born soon. Just for reference the case number is Case #2007-0903-0207



  • I can’t read it with one of my accounts but with the other, anyway the kb-article is posted earlier in the thread as Reply #12 on: 2007-09-12, 21:40:53

    br / ahd71



  • @ahd71:

    I was able to use the workaround from KB9005.

    Strange I’m not authorised to read that article though I can read other IVE based articles….



  • Hi everybody,

    I was able to use the workaround from KB9005.

    Basically just changed the group name from NETBIOSNAME/GroupName to LDAPname/GroupName where LDAPname is the first part of the FQDN for the AD domain.

    I have informed JTAC about the problem and workaround.

    Thanks everybody for contributing to the workaround (and hopefully to the solution)

    br /ahd71



  • @Frac:

    is at the AD server settings:

    Kerberos Realm Name
    Specify the method to use to get Kerberos Realm Name for AD servers.

    => choose => Use LDAP to get Kerberos realm name

    Then everything worked.

    For me this is already how it is set. The problem for me is that it works perfectly pre 6.0R1 but stops working as soon as we upgrade to 6.0R1.

    Balders


  • Engineer

    hi,

    I saw that once too, I think the problem was that my domain was wrong! (like the KB article was saying)

    I had “company.local” and it needed to be just "company"
    other thing i saw that could give problems (but not sure it was this error):

    is at the AD server settings:

    Kerberos Realm Name
    Specify the method to use to get Kerberos Realm Name for AD servers.

    => choose => Use LDAP to get Kerberos realm name

    Then everything worked.

    GreetZ,
    Frac



  • http://img516.imageshack.us/img516/6906/ldapconfigive54r3oi4.png

    I do it with AD for authentication, and additional LDAP Server for Authorization. And it works fine.



  • PM sent…



  • Thanks Baldrick,

    We also have a newly opened ticket with JTAC, but I’m still trying to upload our kitchen sink 😉

    May I ask for your case number to refer to it in our case as it seems that we have exactly the same problem? You can PM me if you don’t want to go public, and of course only if you want to share it.

    BR / ahd71



  • What happens is that V6.0R1 code does not seem to gather the user groups fully via winbind.

    [To see this do a policy trace on the user]

    V5.5R1
    It gets the groups in the old NT style…

    Domain01/UserGroup1
    Domain01/UserGroup2
    Domain01/UserGroup3

    & in the newer AD style…
    domain/usergroup1
    domain/usergroup2
    domain/usergroup3

    In V6.0R1 it only seems to gather the primary group via the old NT style…

    Domain01/UserGroup1

    & in the newer AD style…
    domain/usergroup1
    domain/usergroup2
    domain/usergroup3

    So if you have role mapping that is based upon membership of usergroup2 & 3 it will not work and error with “No roles found”.

    However within the SA you can still access the groups in the Domain01/UserGroup1 style when you browse for them creating your role mapping rules.

    JTAC now have our Snapshot, TCPdump, Logs files, kitchen sink etc.

    Will let you know when I get an answer.

    Balders…
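    As an added illustration of this post and of the KB9005-style workaround ahd71 and spacyfreak describe above (not code from the thread or from Juniper), the script below derives the “LDAP name” from a domain FQDN, rewrites NETBIOS-prefixed role-mapping group references to ldapname/groupname form, and checks which rules fail to match the groups winbind returned in a policy trace. The NETBIOS name, FQDN and trace lines are constructed values modelled on the post, not real data.

```python
# Added example (not code from the thread or from Juniper): check IVE role-mapping
# group references against the groups winbind returned in a policy trace.

# Assumed values for the worked example (constructed, not taken from the thread).
NETBIOS_NAME = "Domain01"             # pre-Windows-2000 (NT style) domain name
DOMAIN_FQDN = "domain.company.local"  # DNS name of the same AD domain


def ldap_name(domain_fqdn: str) -> str:
    """The 'LDAP name' from the thread: first label of the DNS name ('superb' for superb.company.com)."""
    return domain_fqdn.strip().lower().split(".")[0]


def split_ref(ref: str) -> tuple[str, str]:
    """Split 'PREFIX\\Group' or 'PREFIX/Group' into lower-cased (prefix, group); AD names are case-insensitive."""
    prefix, sep, group = ref.replace("\\", "/").partition("/")
    if not sep:
        raise ValueError(f"group reference without a domain prefix: {ref!r}")
    return prefix.strip().lower(), group.strip().lower()


def to_ldap_style(ref: str, netbios_name: str, domain_fqdn: str) -> str:
    """Rewrite a NETBIOS-prefixed reference to 'ldapname/groupname'; other references are only normalised."""
    prefix, group = split_ref(ref)
    if prefix == netbios_name.lower():
        prefix = ldap_name(domain_fqdn)
    return f"{prefix}/{group}"


def trace_groups(trace_text: str) -> set[str]:
    """Group lines of a policy trace, normalised to 'prefix/group' form."""
    lines = (ln.strip() for ln in trace_text.splitlines())
    return {"/".join(split_ref(ln)) for ln in lines if "/" in ln or "\\" in ln}


def unmatched_rules(rules: list[str], trace_text: str) -> list[str]:
    """Role-mapping group references absent from the trace: each of these would end in 'No roles found'."""
    seen = trace_groups(trace_text)
    return [r for r in rules if "/".join(split_ref(r)) not in seen]


# Constructed trace modelled on the 6.0R1 behaviour described in the post:
# only the primary group in NT style, but every group in the newer AD style.
TRACE_6_0R1 = """\
Domain01/UserGroup1
domain/usergroup1
domain/usergroup2
domain/usergroup3
"""

if __name__ == "__main__":
    rules = ["Domain01\\UserGroup2", "Domain01/UserGroup3"]
    print(unmatched_rules(rules, TRACE_6_0R1))  # NT-style rules: both unmatched
    fixed = [to_ldap_style(r, NETBIOS_NAME, DOMAIN_FQDN) for r in rules]
    print(unmatched_rules(fixed, TRACE_6_0R1))  # after the workaround: []
```

Feed it the group lines from your own policy trace and your current role-mapping references to see which rules are invisible to the 6.0R1 group lookup before changing them.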

