Hi All!
We have an SA-4500 6.1R4 and we authenticate directly against our Active Directory... Normally role mapping and displaying the role webpage works OK, but it seems like when the user is a member of a few specific Global groups (one of the global groups is not used for role mapping or anything else with the SA) the role webpage after sign-in times out and the user gets "Internet Explorer cannot display this page".
If I do a record policy trace while the user logs in, the trace stops at "Getting directory information from auth server":
Severity ID Message
Info PTR10103 2008/12/27 09:25:29 - [10.7.100.13] - admin(Admin Users)[.Administrators] - perstorp\septpnihtesterstorp - Policy Tracing turned on
Info PTR23397 2008/12/27 09:25:40 - septpnihtest(Perstorp)[] - NTLogin(xxx.xxx.xxx.xxx, PERSTORP\septpnihtest, PERSTORP, juniper4500, no, , yes, 1, 15, Juniper_SA4500 Computers)
Info PTR23397 2008/12/27 09:25:40 - septpnihtest(Perstorp)[] - Use any auth protcols
Info PTR23397 2008/12/27 09:25:40 - septpnihtest(Perstorp)[] - Performing winbind based Authentication...
Info PTR23397 2008/12/27 09:25:40 - septpnihtest(Perstorp)[] - Fetching machine config from ntjoinserver for domain PERSTORP is successful
Info PTR23397 2008/12/27 09:25:40 - septpnihtest(Perstorp)[] - Winbind Authentication status 0(NT_STATUS_OK) for user septpnihtest
Info PTR23397 2008/12/27 09:25:40 - septpnihtest(Perstorp)[] - NTLogin done.
Info PTR23344 2008/12/27 09:25:40 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Authentication successful to auth server "Perstorp"
Info PTR23371 2008/12/27 09:25:40 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Getting directory information from auth server "Perstorp"
Info PTR10104 2008/12/27 09:27:48 - [10.7.100.13] - admin(Admin Users)[.Administrators] - perstorp\septpnihtesterstorp - Policy Tracing turned off
If I remove the user from the specific AD global group, the user can log in (role mapping works):
Severity ID Message
Info PTR10103 2008/12/27 09:19:56 - [10.7.100.13] - admin(Admin Users)[.Administrators] - perstorp\septpnihtesterstorp - Policy Tracing turned on
Info PTR23397 2008/12/27 09:20:07 - septpnihtest(Perstorp)[] - NTLogin(xxx.xxx.xxx.xxx, PERSTORP\septpnihtest, PERSTORP, juniper4500, no, , yes, 1, 15, Juniper_SA4500 Computers)
Info PTR23397 2008/12/27 09:20:07 - septpnihtest(Perstorp)[] - Use any auth protcols
Info PTR23397 2008/12/27 09:20:07 - septpnihtest(Perstorp)[] - Performing winbind based Authentication...
Info PTR23397 2008/12/27 09:20:07 - septpnihtest(Perstorp)[] - Fetching machine config from ntjoinserver for domain PERSTORP is successful
Info PTR23397 2008/12/27 09:20:07 - septpnihtest(Perstorp)[] - Winbind Authentication status 0(NT_STATUS_OK) for user septpnihtest
Info PTR23397 2008/12/27 09:20:07 - septpnihtest(Perstorp)[] - NTLogin done.
Info PTR23344 2008/12/27 09:20:07 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Authentication successful to auth server "Perstorp"
Info PTR23371 2008/12/27 09:20:07 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Getting directory information from auth server "Perstorp"
Info PTR23397 2008/12/27 09:20:08 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - GetUserGroups(193.234.164.211, PERSTORP\septpnihtest, PERSTORP, juniper4500, no, , yes, 66, 15, Juniper_SA4500, Computers, 0)
Info PTR23397 2008/12/27 09:20:08 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Rule Groups defined for the Realm are - PERSTORP/TS_PTP153_USERS_GG
Info PTR23397 2008/12/27 09:20:08 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Rule Groups defined for the Realm are - PERSTORP/TS_PTP154_USERS_GG
Info PTR23397 2008/12/27 09:20:08 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Rule Groups defined for the Realm are - PERSTORP/TS_PTP155_USERS_GG
Info PTR23397 2008/12/27 09:20:08 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Rule Groups defined for the Realm are - PERSTORP/TS_PTP156_USERS_GG
Info PTR23397 2008/12/27 09:20:08 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Rule Groups defined for the Realm are - PERSTORP/SSLVPN_NC_VPN_GG
And Role mapping continues..........
At one stage I thought it was the number of groups that users were members of that was the problem... but if I removed the Global group and added even more groups to the test user, I was still able to log on!
So if anyone else has experienced a similar problem, please reply to this post...?
If I haven't been able to solve this by Monday I will open a case with Juniper support....
BR
XXX
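As an added example (not from the original post, and not Juniper's own tooling), a small Python triage script that parses policy-trace lines in the format quoted above and reports the last login stage reached, so the "hangs after Getting directory information" pattern shows up without reading the trace by hand. The stage markers and the shortened sample traces are constructed from the lines in the post.

```python
import re
from datetime import datetime

# Constructed, shortened copies of the two policy traces quoted in the post.
TRACE_STALLED = r"""
Info PTR23344 2008/12/27 09:25:40 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Authentication successful to auth server "Perstorp"
Info PTR23371 2008/12/27 09:25:40 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Getting directory information from auth server "Perstorp"
Info PTR10104 2008/12/27 09:27:48 - [10.7.100.13] - admin(Admin Users)[.Administrators] - Policy Tracing turned off
"""
TRACE_OK = r"""
Info PTR23344 2008/12/27 09:20:07 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Authentication successful to auth server "Perstorp"
Info PTR23371 2008/12/27 09:20:07 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Getting directory information from auth server "Perstorp"
Info PTR23397 2008/12/27 09:20:08 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - GetUserGroups(193.234.164.211, PERSTORP\septpnihtest, PERSTORP, juniper4500, no, , yes, 66, 15, Juniper_SA4500, Computers, 0)
Info PTR23397 2008/12/27 09:20:08 - [90.224.70.19] - PERSTORP\septpnihtest(Perstorp)[] - Rule Groups defined for the Realm are - PERSTORP/TS_PTP153_USERS_GG
"""

# "<severity> <PTR id> <yyyy/mm/dd hh:mm:ss> - <rest of message>"
LINE_RE = re.compile(
    r'^(?P<sev>\S+)\s+(?P<id>PTR\d+)\s+'
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - (?P<msg>.*)$')

# Ordered stages of an AD/Windows NT realm login as they appear in the trace.
STAGES = [
    ("authenticated", "Authentication successful to auth server"),
    ("directory_lookup_started", "Getting directory information from auth server"),
    ("groups_fetched", "GetUserGroups("),
    ("rule_groups_evaluated", "Rule Groups defined for the Realm are"),
]

def parse_trace(text):
    """Return [(timestamp, ptr_id, message), ...] for every well-formed trace line."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, m["id"], m["msg"]))
    return events

def diagnose(text):
    """Report the furthest login stage reached and how long the trace was quiet after it."""
    events = parse_trace(text)
    reached, at = -1, None                 # highest STAGES index seen, and its event index
    for i, (_, _, msg) in enumerate(events):
        for k, (_, marker) in enumerate(STAGES):
            if marker in msg and k > reached:
                reached, at = k, i
    gap = None                             # seconds until the next event after that stage
    if at is not None and at + 1 < len(events):
        gap = int((events[at + 1][0] - events[at][0]).total_seconds())
    last = STAGES[reached][0] if reached >= 0 else None
    return {"last_stage": last,
            "stalled_at_directory_lookup": last == "directory_lookup_started",
            "seconds_until_next_event": gap}
```

In the failing trace the directory lookup is followed by more than two minutes of silence before tracing is switched off, which lines up with the browser timeout described in the post.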
OK! Everything works after I disabled the trusted domains option in the Authentication server / Active Directory / Windows NT configuration view.
/XXX
OK, I think I have got one step closer; it seems like when the global groups are members of a universal group we get this problem.... We have had this AD structure for ages and we haven't done any changes to the Juniper SA, so I don't have a clue why this problem appears now?!
/XXX