
Authenticating to Active Directory

SOLVED
scoutt_
Contributor

Authenticating to Active Directory

We currently have SA-2500 setup with LDAP to Novell. We are moving to ActiveDirectory and need to verify a few things.

Do we use LDAP and set it as ActiveDirectory, or do we create a new server as Active Directory / WindowsNT? Which is better?

And on top of that, does the user that is used to connect require it to be Admin on the domain? So far it appears to be a requirement. Is there a way around this if we don't want to use an "Administrator" to connect to AD?

1 ACCEPTED SOLUTION

kalagesan_
Super Contributor

Re: Authenticating to Active Directory

Hi,

Creating a new server as Active Directory on Windows 2003 or 2008 would be better; this can be used for LDAP as well.

With Active Directory (AD) on Windows Server 2000, Windows Server 2003 and Windows Server 2008, IVE can 'join domain' without using a Domain Admin account.

Detailed information is captured in Juniper knowledge base article KB2624, which you can access using the URL below:

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB2624

Hope this resolves your query.

NOTE:
Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!

8 REPLIES
scoutt_
Contributor

Re: Authenticating to Active Directory

Thanks Kal,

But it appears to me that it is still wanting admin permissions if you allow "permission to Create Computer Objects and Delete Computer Objects in the Computers container." We created a "Service Account" that is not admin and it still wants admin. If we grant those permissions then it is not a "user" anymore, correct?

scoutt_
Contributor

Re: Authenticating to Active Directory

Once making the change it all works. Thanks for the help. I suppose it is not making him admin, so all is good.
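As an added example that is not part of the thread or of KB2624: delegating only the create/delete computer-object rights discussed above to a non-admin service account, then checking that the account holds nothing more. It assumes a domain example.com, a service account EXAMPLE\svc-ive and the RSAT ActiveDirectory module; all names are constructed.

```powershell
# Added example, not from the thread or KB2624. Constructed names: domain
# example.com, service account EXAMPLE\svc-ive. Run once, as an account that
# may edit the ACL of the Computers container; the service account itself
# stays a plain user with no admin group membership.
Import-Module ActiveDirectory

$svc       = 'EXAMPLE\svc-ive'
$container = 'CN=Computers,DC=example,DC=com'

# Grant exactly two rights on the container: CC = create child object and
# DC = delete child object. The trailing ";computer" scopes both to objects of
# class "computer", so the account cannot create users, groups or OUs there.
dsacls $container /G "${svc}:CCDC;computer"

# Check 1: the ACEs on the container that name the service account.
dsacls $container | Select-String -SimpleMatch 'svc-ive'

# Check 2: the account is in no privileged group, directly or through nesting.
# The 1.2.840.113556.1.4.1941 matching rule makes the server walk nested groups.
$dn = (Get-ADUser -Identity 'svc-ive').DistinguishedName
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Schema Admins'
$hits = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $privileged -contains $_.Name }
if ($hits) { Write-Warning "svc-ive is privileged via: $($hits.Name -join ', ')" }
else       { Write-Output 'svc-ive holds no privileged group membership' }
```

If the service account's DN contains parentheses, asterisks or backslashes, escape them per RFC 4515 before splicing the DN into the LDAP filter.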

ruc_
Regular Contributor

Re: Authenticating to Active Directory

When creating an Active Directory authentication server instance, the choice between using the LDAP interface and using the native interface (Active Directory / WindowsNT) depends on each environment; however, I usually lean towards LDAP due to the following:

1. The LDAP interface is standards based. The advantages of this are:

a. Lesser chances of interoperability issues

b. Easier to troubleshoot and isolate issues.

c. Quicker support for newer versions (for example, when Windows 2008 server was introduced the SA platforms supported the LDAP method from day one)

2. Higher degree of control with group lookup/role mapping:

a. You can define where in the directory structure group lookup should start (results in faster group lookup in a very large directory structure)

b. You can either chase a group and check if a user is a member of that group, or chase a user and see which groups the user belongs to.

c. You can leverage user attributes for role mapping

3. Better password management functionality (password complexity, advance password expiration notification)
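The three LDAP-side controls listed under point 2 (a scoped base DN, group-to-user versus user-to-group lookup, and attribute-based role mapping), as an added example that is not from the thread or from the SA/IVE product. It assumes a user jdoe, a group VPN-Users under OU=Groups in domain example.com and the RSAT ActiveDirectory module; the cmdlets take the same LDAP filter and base DN an LDAP server instance would be configured with.

```powershell
# Added example, not from the thread. Constructed names: user jdoe, group
# VPN-Users under OU=Groups in domain example.com. Requires the RSAT
# ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$v) {
    # RFC 4515 escaping, backslash first, so a crafted user or group name
    # cannot change the shape of the filter it is spliced into.
    $v -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
       -replace '\)', '\29' -replace "`0", '\00'
}

$groupBase = 'OU=Groups,DC=example,DC=com'   # 2a: group lookup starts here, not at the root
$user      = Get-ADUser -Identity 'jdoe' -Properties memberOf, department
$userDn    = ConvertTo-LdapFilterValue $user.DistinguishedName
$groupCn   = ConvertTo-LdapFilterValue 'VPN-Users'

# 2b, chase the group: is this user (directly or via nesting) a member?
$inGroup = [bool](Get-ADGroup -SearchBase $groupBase `
    -LDAPFilter "(&(cn=$groupCn)(member:1.2.840.113556.1.4.1941:=$userDn))")

# 2b, chase the user: which groups does the user belong to? memberOf holds
# direct memberships only; nested groups need the matching rule used above.
$groups = $user.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }

# 2c: map a role from a user attribute rather than from group membership.
$role = switch ($user.department) {
    'Engineering' { 'Engineers' }
    'Finance'     { 'Finance-Restricted' }
    default       { 'Default' }
}

[pscustomobject]@{ User = $user.SamAccountName; InVpnGroup = $inGroup
                   Groups = ($groups -join ', '); Role = $role }
```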

stine_
Super Contributor

Re: Authenticating to Active Directory

If you search for it, there's a KB article that defines precisely the privileges that an account must have (if not using a domain admin account) in order for all aspects to function (including password changes).

In my case I simply set the hostname the IVE uses, and then restrict my domain admin account to login only from that machine. YMMV.

zanyterp_
Respected Contributor

Re: Authenticating to Active Directory

@stine wrote:

If you search for it, there's a KB article that defines precisely the privileges that an account must have (if not using a domain admin account) in order for all aspects to function (including password changes).

In my case I simply set the hostname the IVE uses, and then restrict my domain admin account to login only from that machine. YMMV.

http://kb.pulsesecure.net/KB2624

ed_gpc_
Occasional Contributor

Re: Authenticating to Active Directory

As a word of advice, use AD LDAP over AD. The login performance is much better and you get a lot more options to auth against and use for permissions.

We have a large install and login with AD was taking about 60 seconds. By changing this to AD LDAP, it's now ~<2 seconds

This has to do with the way the boxes process group membership.

zanyterp_
Respected Contributor

Re: Authenticating to Active Directory

Yes, if you don't make the user an admin and use the AD/NT server, it will not work. The only way to make this work is to have admin rights (or at least the minimal rights defined in the previously mentioned KB).