We have recently introduced another Active Directory domain into our organisation and I need to have Juniper query users in this domain but I don't seem to be able to get this going.
I've created another Auth Server pointing to the domain controller, created another Realm for users in this domain using the new auth server. I can get a user in the new domain to authenticate but the role mapping fails as it doesn't seem to be able to query the group membership for a particular user, to determine what roles they get.
Any assistance would be great.
Have you done a policy trace to see the errors? Maint / Troubleshooting / Policy Trace... Select the Role Mapping option - it should help you see exactly what is occurring with the role mapping.
There are several ways to do this...
I think your role mapping will fail as you only have one auth realm, and when you authenticate against AD1, you can't role-map users from AD2.
I would do it this way:
1. Via Active Directory Auth Server
When the two ADs have a trust relationship, you can authenticate and authorize users from both ADs.
2. Via IAS RADIUS on both domain controllers and a RADIUS proxy
Very easy to install and configure. IAS can stably and easily authenticate users from a domain and authorize via group membership configured in the IAS RAS policy.
IAS can act as a RADIUS proxy and send auth requests to another IAS RADIUS via routing with the prefix. When a user has the prefix from AD2, the RADIUS proxy will send the RADIUS request to IAS2.
I did do a Policy trace in the Troubleshooting section and basically all it is saying is that the user does not map to any role.
In relation to the groups in the role mapping rules, I clicked on the Group button and added a new group (manually typing it in), then selected it from the list. I used the format domain/group name.
ahhhh so if you click on the rule for role mapping and click on groups and then do a search and it does not find the groups, that means that either your service account does not have permissions to access the server or your computer does not have rights to add itself to the domain. So unless your service account is a domain admin, there are very specific access rights that need to be assigned to the service account. Can you at least, as a test, make the service account a domain admin on the new domain?
When I click on Search I get a message "Failure to access the groups information due to network connectivity problems or invalid information."
The service account I am using has domain admin rights already, so not sure why this is occurring.
Just noticed when I go into the auth server for this new domain and click on the Test Configuration button I get a message stating:
Error while joining domain. Possible causes:
- The specified administrator credentials do not properly authenticate
- The specified domain or domain controller may not be valid.
Again I believe I have the right details and permissions but obviously I'm missing something.
OK, in the Auth server, I have now selected "Use LDAP to get Kerberos realm name" rather than specifying the Kerberos realm name, and now my Test Configuration works and I can click on Search to bring up all the groups.
However, for some reason the role mapping still doesn't appear to work.
Found this in the trace log which is probably causing my problems:
Info PTR23397 2009/03/06 08:34:34 - Fetching machine config from ntjoinserver for domain xxx failure
Info PTR23397 2009/03/06 08:34:34 - Winbind Authentication initialization did not succeed
Info PTR23397 2009/03/06 08:34:34 - There are no groups obtained for the user
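The thread pins the problem down to three pieces: the Kerberos realm name has to match what the directory itself reports, the device has to be able to read the user's (possibly nested) group membership, and the "no groups obtained" line is only a symptom of the domain join failing earlier. The following Python is an added example written for this page, not code from the thread or from Juniper; it does not reproduce the appliance's own winbind/LDAP mechanics. It assumes a RootDSE-style `defaultNamingContext` value, a constructed in-memory directory of `memberOf` relations standing in for LDAP results, and the `domain/group` rule format the poster used; the trace lines are the ones quoted above.

```python
import re
from typing import Dict, List, Optional, Set

# --- 1. Realm derivation ---------------------------------------------------
# Constructed RootDSE-style result for the new domain's DC. The attribute name
# is a real AD RootDSE attribute; the value is made up for this example.
SAMPLE_ROOTDSE = {"defaultNamingContext": "DC=corp,DC=example,DC=test"}

def realm_from_naming_context(dn: str) -> str:
    """Kerberos realm for an AD domain is its DNS name in upper case, and the
    DNS name is the DC= components of the domain DN joined with dots."""
    parts = re.findall(r"DC=([^,]+)", dn, flags=re.IGNORECASE)
    if not parts:
        raise ValueError(f"no DC= components in {dn!r}")
    return ".".join(p.strip() for p in parts).upper()

def realm_mismatch(configured_realm: str, rootdse: Dict[str, str]) -> Optional[str]:
    """None when the hand-typed realm matches the directory, else an explanation."""
    expected = realm_from_naming_context(rootdse["defaultNamingContext"])
    if configured_realm.strip().upper() == expected:
        return None
    return (f"realm {configured_realm!r} != directory realm {expected!r}: "
            "the domain join will fail, so no groups will be returned")

# --- 2. Group membership and role mapping ---------------------------------
# Constructed directory: DN -> list of memberOf DNs (what an LDAP read of the
# memberOf attribute would return). Nested membership is included on purpose.
SAMPLE_DIRECTORY = {
    "CN=jsmith,OU=Users,DC=corp,DC=example,DC=test": [
        "CN=VPN-Staff,OU=Groups,DC=corp,DC=example,DC=test"],
    "CN=VPN-Staff,OU=Groups,DC=corp,DC=example,DC=test": [
        "CN=Remote-Access,OU=Groups,DC=corp,DC=example,DC=test"],
    "CN=Remote-Access,OU=Groups,DC=corp,DC=example,DC=test": [],
}

def cn_of(dn: str) -> str:
    """First RDN value of a DN, e.g. 'CN=VPN-Staff,OU=...' -> 'VPN-Staff'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def resolve_groups(user_dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Transitive group names, walking memberOf with a visited set so that a
    group cycle cannot loop forever."""
    seen: Set[str] = set()
    stack, groups = [user_dn], set()
    while stack:
        dn = stack.pop()
        for g in directory.get(dn, []):
            if g not in seen:
                seen.add(g)
                groups.add(cn_of(g))
                stack.append(g)
    return groups

# Rule format as typed in the thread: "domain/group". Group names in AD are
# case-insensitive, so matching is too.
SAMPLE_RULES = {
    "Employees": ["corp/VPN-Staff"],
    "Admins": ["corp/Domain Admins"],
}

def map_roles(groups: Set[str], rules: Dict[str, List[str]], domain: str) -> Set[str]:
    """Roles whose rule references at least one of the user's groups in this domain."""
    have = {g.lower() for g in groups}
    roles = set()
    for role, refs in rules.items():
        for ref in refs:
            ref_domain, _, ref_group = ref.partition("/")
            if ref_domain.lower() == domain.lower() and ref_group.lower() in have:
                roles.add(role)
    return roles

# --- 3. Triage of the policy-trace lines quoted in the thread ---------------
SAMPLE_TRACE = """\
Info PTR23397 2009/03/06 08:34:34 - Fetching machine config from ntjoinserver for domain xxx failure
Info PTR23397 2009/03/06 08:34:34 - Winbind Authentication initialization did not succeed
Info PTR23397 2009/03/06 08:34:34 - There are no groups obtained for the user
"""

def join_failed(trace: str) -> bool:
    """True when the trace shows the join/winbind step failing before the group
    lookup; 'no groups obtained' on its own is only the downstream symptom."""
    msgs = [line.split(" - ", 1)[1] for line in trace.splitlines() if " - " in line]
    return any(("ntjoinserver" in m and "failure" in m)
               or "Winbind Authentication initialization did not succeed" in m
               for m in msgs)

if __name__ == "__main__":
    user = "CN=jsmith,OU=Users,DC=corp,DC=example,DC=test"
    print("realm check:", realm_mismatch("EXAMPLE.TEST", SAMPLE_ROOTDSE))
    groups = resolve_groups(user, SAMPLE_DIRECTORY)
    print("groups:", sorted(groups), "roles:", sorted(map_roles(groups, SAMPLE_RULES, "corp")))
    print("join failed in trace:", join_failed(SAMPLE_TRACE))
```

Run it as-is to see the three checks on the constructed data; to apply the idea to a real environment, feed `realm_mismatch` the value you typed into the auth server and the `defaultNamingContext` returned by an anonymous RootDSE read against the new DC, and run `join_failed` over the Policy Trace output before spending time on role-mapping rules, since an empty group set can never match any rule.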