cancel
Showing results for 
Search instead for 
Did you mean: 

NoRoles when using AD integration

Highlighted
New Contributor

NoRoles when using AD integration

I set up a new gateway, SA2500 running 7.1R11
Auth Server is  AD/Windows NT, 2008 server.
-Default settings on this page, 2008 server box is checked, Kerberos, NTLM1 and 2 are both checked.
Roles are assigned based on group membership.

When creating role mapping, the IVE is able to connect to the domain controller and view all of the domain groups.

 

When I test the configuration of the auth  server, I get -

Error while joining domain DOMAINX. Possible causes:
- The specified administrator credentials do not properly authenticate.
- The specified domain or domain controller may not be valid.
Also, the device's clock must be in sync with the Active Directory server.

 

I have verified the credentials, the domain controller and domain are valid and the time is sync'd.

 

When I try to log in to the IVE, I get an error message indicating I do not have permision to log in.

When doing policy tracing, I get the following, indicating authentication is working but group membership lookup is failing -

 

jroberts(DomainX)[] - NTLogin(10.21.1.22, DomainX\jroberts, DomainX, junipervpn, no, , no, 1, 15, vc00000a03a110 Computers) 
jroberts(DomainX)[] - Use any auth protcols 
jroberts(DomainX)[] - Performing winbind based Authentication... 
jroberts(DomainX)[] - Use any auth protcols 
jroberts(DomainX)[] - Join to domain DomainX failed (system, 0x00000016): Invalid argument. 
jroberts(DomainX)[] - Join to domain DomainX failed (nt, 0xC0000388): NT code 0xc0000388. 
jroberts(DomainX)[] - Fetching machine config from ntjoinserver for domain DomainX failure 
jroberts(DomainX)[] - Winbind Authentication initialization did not succeed 
jroberts(DomainX)[] - Performing Authentication using Kerberos ... 
jroberts(DomainX)[] - Trying KDC Server=10.21.1.22, user realm=DomainX.WEBROOT.COM for krb authentication 
jroberts(DomainX)[] - Authentication using Kerberos is successful 
jroberts(DomainX)[] - NTLogin done. 
DomainX\jroberts(DomainX)[] - Authentication successful to auth server "DomainX_AD" 
DomainX\jroberts(DomainX)[] - Getting directory information from auth server "DomainX_AD" 
DomainX\jroberts(DomainX)[] - GetUserGroups(10.21.1.22, DomainX\jroberts, DomainX, junipervpn, no, , no, 3, 15, vc00000a03a110, Computers, 8) 
DomainX\jroberts(DomainX)[] - Rule Groups defined for the Realm are - DomainX/VPNSSL_IT 
DomainX\jroberts(DomainX)[] - Rule Groups defined for the Realm are - DomainX/VPNSSL_DCO 
DomainX\jroberts(DomainX)[] - Rule Groups defined for the Realm are - DomainX/VPNSSL_Corporate 
DomainX\jroberts(DomainX)[] - Use any auth protcols 
DomainX\jroberts(DomainX)[] - Fetching machine config from ntjoinserver for domain DomainX failure 
DomainX\jroberts(DomainX)[] - Winbind Authentication initialization did not succeed 
DomainX\jroberts(DomainX)[] - There are no groups obtained for the user

**serveral logs snipped here which are probably not relevant**

DomainX\jroberts(DomainX)[] - Sign-in rejected. Reason: NoRoles

 

 

Troubleshooting -

I have verified Kerberos traffic being allowed from IVE to DC

I have tried using a different DC in my configuration

I have deleted the computer account from AD, deleted the Auth server from the IVE and tried again.

I have re-named the "computer name" in the IVE under 'auth servers/server/advanced options'

rebooted/restarted services on IVE

Both upgraded and downgraded IVE

 

Anybody have any ideas?
Thanks

3 REPLIES 3
Highlighted
Super Contributor

Re: NoRoles when using AD integration

Hi,

 

Are you entering the pre windows 2000 name or nebios name of the DC when confiuring the AD server on the SA

 

the credential you are using should belong to group domain admin

 

you can also configure an ldap server and use AD for authentication and LDAP for authorization and test

 

Regards,

Jay

Highlighted
New Contributor

Re: NoRoles when using AD integration

I am using the IP address of the DC(s) I have configured in the SA.

The admin account does have the proper permissions. - I have 3 other SAs deployed in other parts of my environment, all are configured for the same type of lookup, all using the same admin account.

The SA is able to browse all domain groups and is able to authenticate users, it just appears that it is unable to correlate username to group memebership.

 

I looked at a TCP dump of my trying to "test configuration" of the auth server. It "looks" like everything is going fine until the SA does a "NetrServerAuthenticate2 request" the DC responds with an unknown error (0xc0000388), then the session si closed by the SA.

 

I did try to do group membership via LDAP, I haven't had any luck with that yet either. I am not sure if I have my syntax correct in all of the fields required, I am still researching.

 

thanks,

j

Highlighted
Occasional Contributor

Re: NoRoles when using AD integration

What is the domain fuctional level and Forest functional level?

 

 

Would you please check with NTCompatibility mode flag settings.

 

 

Enable  this flag (Allow cryptography algorithms compatible with Windows NT 4.0 policy)

 

for more details please refer the following KB:

 

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB16105

 

Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks