
AD Authentication Problem?

aeroplane_
Regular Contributor

AD Authentication Problem?

Hi,

I want to use AD for authentication of SSL VPN users. I want to ask a few questions:

1- Is it necessary to give a computer name for SSL VPN? Do we have to create this computer name as an account on AD?

2- Is it necessary to give an admin name and password? What is the purpose of this?

3- What authentication type do I have to select? Kerberos, NTLM?

Thanks

3 REPLIES
Tessian_
Frequent Contributor

Re: AD Authentication Problem?

1- Is it necessary to give a computer name for SSL VPN? Do we have to create this computer name as an account on AD? -- You do not have to create it yourself, just tell it what OU you want it put in and what name you want and the VPN will create itself automatically. I know this is required if you are going to give access based on group memberships in AD... and I don't believe it's optional anyway.

2- Is it necessary to give an admin name and password? What is the purpose of this?

Yes, although I'd recommend creating a service account with admin rights just for the Juniper. It's probably at least needed for creating itself on AD as mentioned above.

3- What authentication type do I have to select? Kerberos, NTLM?

Whatever it's set to by default always worked for me. If it differs that'd be based on your AD requirements.

If you are looking for anything more specific I'd recommend talking to your Juniper SE or opening a ticket with Juniper.

stine_
Super Contributor

Re: AD Authentication Problem?

There are a couple of KB articles which detail the exact Windows user attributes that the SA user must have in order to function. That being said, I have never successfully made it work without domain admin. Therefore my SA user (domain admin) is restricted to login from my SA-2500s only.

As for authentication method, I have had success using only Kerberos (against Server 2008), and Kerberos/NTLM2 against Server 2003 R2.

zanyterp_
Respected Contributor

Re: AD Authentication Problem?

1) The IVE needs to have a computer object name that it creates on the domain. The IVE does have a default name it uses; you can override that if desired.

2) Yes, the user account listed needs to be a domain admin or have the rights defined in the Juniper KB on this question (I believe the link is http://kb.pulsesecure.net/KB2624). This is needed to bind to the domain to retrieve group information and allow users to change passwords.

3) Any of them will work; it is your call.
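Two points raised in the replies above, stine's practice of restricting the appliance's bind account so it can only be used from the SA-2500s, and the appliance needing rights in a chosen OU to create its own computer object, can be set up with the ActiveDirectory module. This is an added example and not from the thread or from Juniper; the OU, account and appliance names are placeholders, and the delegation shown covers only the computer-object creation the thread describes, so any further attributes the KB the thread cites requires must be added on top.

```powershell
# Added example (not from the thread): dedicated, restricted AD bind account for an
# SSL VPN appliance, with only computer-object rights delegated in its own OU.
Import-Module ActiveDirectory

$Dom         = Get-ADDomain
$VpnOu       = "OU=SSL-VPN,$($Dom.DistinguishedName)"   # placeholder OU the appliance joins
$SvcAccount  = "svc-sslvpn"                             # placeholder service account name
$ApplianceNb = "SA2500-01"                              # placeholder NetBIOS name of the appliance

# 1. OU that will hold the appliance's computer object (created if missing).
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$VpnOu'")) {
    New-ADOrganizationalUnit -Name "SSL-VPN" -Path $Dom.DistinguishedName
}

# 2. Service account used only by the appliance. LogonWorkstations limits the
#    account to the named host(s), which is the restriction stine describes.
$Password = Read-Host -AsSecureString "Password for $SvcAccount"
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -UserPrincipalName "$SvcAccount@$($Dom.DNSRoot)" -Path $VpnOu `
    -AccountPassword $Password -Enabled $true `
    -Description "SSL VPN appliance AD bind account" `
    -LogonWorkstations $ApplianceNb

# 3. Delegate create (CC) and delete (DC) of computer objects in the OU instead of
#    making the account a domain admin. Rights beyond this come from the Juniper KB.
$Trustee = "$($Dom.NetBIOSName)\$SvcAccount"
dsacls $VpnOu /I:T /G "${Trustee}:CC;computer" "${Trustee}:DC;computer"

# 4. Verify the result: logon restriction present, and not a member of Domain Admins.
$u    = Get-ADUser $SvcAccount -Properties LogonWorkstations
$inDA = [bool](Get-ADGroupMember "Domain Admins" -Recursive |
               Where-Object SamAccountName -eq $SvcAccount)
[pscustomobject]@{
    Account           = $u.SamAccountName
    LogonWorkstations = $u.LogonWorkstations
    InDomainAdmins    = $inDA          # expected: False
    ComputerObjectOu  = $VpnOu
}
```

Point the appliance's AD server settings at this account and OU; if the join or group lookup then fails, compare the failing operation against the KB's attribute list rather than widening the account to Domain Admins.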