hi,
Has anyone had success setting up Machine Authentication for Junos Pulse Connections on 7.2?
I'm testing with a domain machine and set up the Pulse connection per the admin guide settings specified in the Machine Auth for Pulse section. The first time I log in as an end user via IE to provision Pulse, it downloads and installs, and when Pulse tries to run it says it fails due to an invalid server certificate. I'm not trying machine cert auth yet, just domain machine username/password. And the error message applies to the server certificate. debuglog.log says:
00351,09 2012/06/19 12:54:01.687 4 brian Pulse.exe Pulse p2440 t7BC UiModelListener.cpp:348 - 'JamUI' last-status-msg: 1107 <short: Invalid server certificate., long: Server certificate validation failed. If you are certain that this is a valid destination, click Connect to continue. Otherwise, click Cancel and contact your network administrator.>,
I don't seem to have this option to "click Connect to continue" for this connection.
There is a self-signed device cert on the system, but the hostname resolves and I added the cert to my trusted roots store in IE on the client PC. So I don't know why at this point I'm getting this message. The date validity on the cert is OK, as are the clocks on the client PC and server.
We do generally define our AD servers on the SA as LDAP instances, but per the admin guide, to use the automatic connections the server must be defined as an AD instance.
I've also tested this today: changing the server type in the realm used for machine authentication to LDAP causes a new error to appear in the logs:
2013-10-22 09:52:57 - ive - [xx.xx.xx.xx] Root::host/<hostname>.<domain>.com(PLAP)[] - Could not authenticate user host/<hostname>.<domain>.com in LDAP server LDAP-AD using protocol MSCHAPV2: challenge-response open protocols are disabled.
Also, using either of the options to auto-establish with machine credentials and then switch to user credentials at login fails when using an LDAP server; switch this to an AD instance and the user authentication works. Testing the LDAP server outside of the PLAP configuration works fine.
So it seems to me the only true way, without changing GPOs and cryptographic settings of the AD, is to use machine certificates for the machine authentication and then either user certs or an AD instance for the user connection.
I'm reviewing this requirement again for a specific customer, and it looks like the only option without creating domain policies to allow NT4 cryptographic algorithms is to use certificates? As the domain servers are all Windows 2008 R2, has there been nothing done to enable this? If not, it starts to call into question the use of machine username and password on the SA/MAGs; if it doesn't work, perhaps the admin guides should be updated to include a note on this limitation/caveat?
Are you seeing this with 3.0R1 or 3.0R2?
Can you disable certificate verification in IE and test?
When you connect directly in your browser, does the error show?
3.0R2
This is machine auth, not end user browser auth (so doing those things with IE does not apply here). The message is in Pulse directly. I have it all set up per the admin guide. I do not have any device certificate errors, etc. I have AD set up to auto-enroll machine certificates. That works. The AD CA root cert is in the machine cert store's trusted authorities. I also imported the Juniper device cert public key as a trusted authority. Verified via the mmc snap-in.
In juniper access logs it simply says:
Info AUT23457 2012-06-20 16:08:22 - ive - [172.25.202.17] OLYMPIC\WIN7-LAB-32$(Plotnik)[] - Login failed using auth server Olympic-AD (Samba). Reason: Failed
And in the event logs on AD I see these details for an audit "success" event. So it was successful (as in Juniper did some kind of credential auth at the machine level for the cert and it was successful), but Juniper says it is not? And "WIN7-LAB-32" is the client PC machine name (not a username). As a side note, general testing of username/password auth for AD works fine.
+ System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {5484625-5478-4994-A5BA-3E3B0330D}
  EventID 4776
  Version 0
  Level 0
  Task 14336
  Opcode 0
  Keywords 0x8020000000000000
  - TimeCreated
    [ SystemTime] 2012-06-20T23:08:05.886799400Z
  EventRecordID 8739
  Correlation
  - Execution
    [ ProcessID] 452
    [ ThreadID] 2892
  Channel Security
  Computer 2K8.ol.com
  Security
- EventData
  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName WIN7-LAB-32$
  Workstation \\JUNIPER1
  Status 0x0
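The pairing shown in this post (the DC's Event ID 4776 reports Status 0x0, i.e. the NTLM credential check passed, while the SA logs "Login failed" for the same computer account seconds later) is the kind of thing worth checking automatically rather than by eye. The script below is an added example, not code from this thread or from Juniper: it parses SA access-log lines in the format quoted above and a 4776 event pasted from the Event Viewer Details view, then correlates them by account within a time window. It assumes the field layouts match the quotes above, that the SA logs local time at UTC-7 (matching the seven-hour gap between the two timestamps quoted), and all sample lines are constructed for the example.

```python
"""Correlate Juniper SA/MAG machine-auth failures with DC Event ID 4776 records.

Added example, not code from the thread or from Juniper/Pulse Secure.
Assumes the SA access-log line format and the Event Viewer 'Details' layout
quoted in the thread; the SA logs local time, the DC stamps UTC.
All sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

# NTSTATUS values that appear in the Status field of Event ID 4776.
NTSTATUS_4776 = {
    "0x0": "success",
    "0xC0000064": "no such user",
    "0xC000006A": "bad password",
    "0xC0000072": "account disabled",
    "0xC0000234": "account locked out",
}

SA_LINE = re.compile(
    r"^(?P<level>\w+)\s+(?P<msgid>AUT\d+)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - ive - \[(?P<src>[\d.]+)\] "
    r"(?P<domain>[^\\]+)\\(?P<account>[^(]+)\((?P<realm>[^)]*)\)\[[^\]]*\] - (?P<msg>.*)$"
)
AUTH_SERVER = re.compile(r"using auth server (?P<server>\S+) \((?P<proto>[^)]+)\)")


def parse_sa_line(line):
    """Parse one SA access-log line into a dict, or None if it does not match."""
    m = SA_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["is_machine"] = rec["account"].endswith("$")   # computer accounts end in $
    rec["failed"] = "Login failed" in rec["msg"]
    s = AUTH_SERVER.search(rec["msg"])
    rec["auth_server"] = s.group("server") if s else None
    rec["auth_proto"] = s.group("proto") if s else None
    return rec


def parse_event_details(text):
    """Parse Event Viewer 'Details' text for one event into a flat dict."""
    ev = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "+-":          # skip expand/collapse markers
            continue
        if line.startswith("["):                  # "[ Name] value" -> "Name value"
            line = line[1:].replace("]", "", 1).strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            ev[parts[0]] = parts[1]
    if "SystemTime" in ev:                        # e.g. 2012-06-20T23:08:05.886799400Z (UTC)
        ev["ts"] = datetime.strptime(ev["SystemTime"][:19], "%Y-%m-%dT%H:%M:%S")
    return ev


def correlate(sa_records, events, sa_utc_offset, window=timedelta(minutes=2)):
    """Match each SA failure to a 4776 for the same account; return (account, verdict) pairs."""
    findings = []
    for r in sa_records:
        if not r or not r["failed"]:
            continue
        sa_utc = r["ts"] - sa_utc_offset          # local = UTC + offset
        match = next((e for e in events
                      if e.get("EventID") == "4776" and "ts" in e
                      and e.get("TargetUserName") == r["account"]
                      and abs(e["ts"] - sa_utc) <= window), None)
        if match is None:
            findings.append((r["account"], "no matching 4776 on the DC: the credential check never reached NTLM"))
            continue
        status = NTSTATUS_4776.get(match.get("Status"), "unknown status " + str(match.get("Status")))
        if match.get("Status") == "0x0":
            verdict = (f"DC returned {status} but the SA reported failure via {r['auth_server']} "
                       f"({r['auth_proto']}): look at the SA-side auth-server/realm config, not the password")
        else:
            verdict = f"DC rejected the credentials: {status}"
        findings.append((r["account"], verdict))
    return findings


# --- constructed sample data (placeholder hosts and addresses) ---
SAMPLE_SA_LOG = [
    "Info AUT23457 2012-06-20 16:08:22 - ive - [172.25.202.17] OLYMPIC\\WIN7-LAB-32$(Plotnik)[] - Login failed using auth server Olympic-AD (Samba). Reason: Failed",
    "Info AUT23457 2012-06-20 16:09:40 - ive - [172.25.202.18] OLYMPIC\\LAB-PC-07$(Plotnik)[] - Login failed using auth server Olympic-AD (Samba). Reason: Failed",
]
SAMPLE_4776 = """
+ System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
  EventID 4776
  - TimeCreated
    [ SystemTime] 2012-06-20T23:08:05.886799400Z
  Computer 2K8.ol.com
- EventData
  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName WIN7-LAB-32$
  Workstation \\\\JUNIPER1
  Status 0x0
"""


def run_sample(sa_utc_offset=timedelta(hours=-7)):
    """Run the correlation over the constructed sample; the SA is assumed to log at UTC-7."""
    recs = [parse_sa_line(line) for line in SAMPLE_SA_LOG]
    return correlate(recs, [parse_event_details(SAMPLE_4776)], sa_utc_offset)


if __name__ == "__main__":
    for account, verdict in run_sample():
        print(f"{account}: {verdict}")
```

Status 0x0 from the DC only proves that the NTLM credential check for the computer account passed; whatever the SA does after that (its Samba-based auth server, realm and role mapping) is where a subsequent "Login failed" has to come from, so splitting the two cases tells you which side to troubleshoot. A failure with no 4776 at all means the SA never got as far as asking the DC.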
OK; it looks like there were two scenarios posed in the original query: one with Pulse through the browser for the initial install (which is why I asked about the root CA being installed in the certificate store in the browser).
You also reference machine auth; however, I'm not sure when/where you are seeing this.
The error message you posted is indicative of the AD server denying login (such as invalid user credentials).
The machine is trying to log in, and that is my expected reason for what you are seeing.
Hi MrSprinkles,
Did you manage to resolve your issue with machine auth using machine username/password? I appear to be having the exact same issue, with the IVE reporting that Samba failed. Out of interest, is your domain Server 2003, Server 2008, or Server 2008 R2? The reason I ask is that I remember the SA having some issues with 2008 R2, and I'm wondering if this could be related, especially as the message relates to Samba.
Cheers