
Admin Credential for AD server authentication

freddywo_
Occasional Contributor

Admin Credential for AD server authentication

Version : SSL VPN 6.2.

Currently, we are using AD server authentication. Under the AD server settings, we need an administrator account for authentication. We are using the domain admin right now. However, we don't want to use an account with too much privileges.

What admin credentials are required? Is domain admin a must? Please help! Thanks...

Lilja_
Frequent Contributor

Re: Admin Credential for AD server authentication

I think the account only needs read-access.

MattS_
Frequent Contributor

Re: Admin Credential for AD server authentication

Does KB2624 give the information you require?

freddywo_
Occasional Contributor

Re: Admin Credential for AD server authentication

According to KB2624, it seems to require the permissions below:

- Create Computer Objects and Delete Computer Objects

- Reset Password and Modify Permissions on Computer objects

- Reset Password on User objects

In our AD structure, we have several different OUs containing Computer & User objects. So does that mean I need to grant the same permissions for 'that user' on those OUs instead of the 'Computer' & 'User' OUs at the top level???

ruc_
Regular Contributor

Re: Admin Credential for AD server authentication

I have not tested this; however, I think from the three points you highlighted, for #1 and #2 it's enough if you provide this on the OU where the SA is added (by default it's the 'Computers' OU, however it's configurable via the UI). And for #3 I think you will need it on the OU where the SA is added and all OUs where your users are present, and #3 may be needed only if you use Password Management Integration via the SA.

freddywo_
Occasional Contributor

Re: Admin Credential for AD server authentication

KB2624 seems to be talking about 'join domain'; can it also apply to AD authentication? Please kindly advise. Thanks.

spuluka
Super Contributor

Re: Admin Credential for AD server authentication

The manual simply instructs us to use a domain administrator group account for the AD connection. KB2624 is about joining the device to the domain, but the permissions listed there are the same as the updated KB15154 discussing what is needed for AD 2008 connections. So it seems this permission list could be considered the minimum needed for the AD connection. I was surprised not to see a read setting applied. I thought that to pull the group associations it would need more permissions than what is listed in these two notes. You could have your local Juniper Systems engineer confirm that for you.

Special permissions account

Regarding AD permission application, Microsoft recommends using security groups instead of individual accounts when delegating AD permissions. This is true even if the group only has a membership of one user. AD is an inheritance-based system, so you could delegate these permissions to the top of the tree and let them cascade down if you don't want to apply them specifically to the OUs that have your users and computers in the remote pool.

Non-interactive Administrator

Another alternative is to create an account that you add to the domain administrators account and use this for the AD connection. This will have all the permissions and not require any delegation. You then secure this account by assigning the deny local logon and the deny terminal services logon permissions. This means the account can only be used via the remote connection from devices like the SSL-VPN and cannot be used to log on to servers or computers directly.

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
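The two approaches in the reply above (the KB2624 permission list delegated to a security group on an OU, and a domain-admin account restricted to non-interactive use), as an added PowerShell example that is not from the thread or from Juniper. The OU path, group name and account name are placeholders; the schema and extended-right GUIDs are Microsoft's published values for the computer class, the user class and the "Reset Password" right.

```powershell
# Added example, not from the forum thread or Juniper documentation.
# Requires the RSAT ActiveDirectory module and a session with rights to edit the OU's ACL.
Import-Module ActiveDirectory

# --- Approach 1: delegate the KB2624 permission set to a security group on an OU ---
$ou        = 'OU=VPN-Computers,DC=example,DC=com'   # placeholder OU (where the VPN's computer object lives)
$groupName = 'SSLVPN-AD-Delegation'                  # placeholder group; its only member is the VPN service account

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known AD GUIDs (published by Microsoft)
$computerClass = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$userClass     = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$resetPassword = [Guid] '00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$rule    = [System.DirectoryServices.ActiveDirectoryAccessRule]

$acl = Get-Acl -Path "AD:\$ou"

# 1. Create Computer Objects and Delete Computer Objects on this OU and its child OUs
$acl.AddAccessRule($rule::new($sid, $rights::CreateChild, $allow, $computerClass, $inherit::All))
$acl.AddAccessRule($rule::new($sid, $rights::DeleteChild, $allow, $computerClass, $inherit::All))

# 2. Reset Password and Modify Permissions (WriteDacl) on descendant computer objects only
$acl.AddAccessRule($rule::new($sid, $rights::ExtendedRight, $allow, $resetPassword, $inherit::Descendents, $computerClass))
$acl.AddAccessRule($rule::new($sid, $rights::WriteDacl,     $allow, $inherit::Descendents, $computerClass))

# 3. Reset Password on descendant user objects. Repeat this one on each OU that holds
#    users (or set it once at the domain root if you accept inheritance down the tree).
$acl.AddAccessRule($rule::new($sid, $rights::ExtendedRight, $allow, $resetPassword, $inherit::Descendents, $userClass))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# --- Approach 2: a Domain Admins member that can only be used over the network ---
# Builds a security template that puts the account into "Deny log on locally" and
# "Deny log on through Remote Desktop Services". Import it into a GPO linked to your
# servers and workstations (Security Settings > Local Policies > User Rights Assignment).
$svc = Get-ADUser -Identity 'svc-sslvpn'   # placeholder account name
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$($svc.SID.Value)
SeDenyRemoteInteractiveLogonRight = *$($svc.SID.Value)
"@
$inf | Set-Content -Path "$env:TEMP\deny-logon.inf" -Encoding Unicode
```

Two caveats on the second part: a template sets each listed user right to exactly the accounts named, so merge in any accounts already present in those two rights before importing it, and this restriction only blocks interactive and RDP logons; the account still holds every Domain Admins right over the network, which is why the delegated group in the first part is the smaller attack surface.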