We are having issues pulling group memberships out of AD - during a capture I noticed the groups were pulled successfully from the primary DC, but then the appliance tries to connect to a few of our child domains which we have blocked by firewall policy. We don't' have the child domains defined anywhere - is this typical behavior? After it times out, none of the groups that it learned from the primary DC show up in server catalog.
Solved! Go to Solution.
If you have the option to allow trusted domains enabled, yes, this is normal & expected.
Another way that this could happen is if there is a referral on the response from the server. If this happens, the IVE/MAG will reach out to the servers/domains that are required by the referral from the DC.
Thanks for the reply. I have it defined as an LDAP server instead of AD so the allow trusted domain option wasn't available. I'll reach out to our server guy regarding the referral.
You are right, we narrowed down our group search filter yesterday to only search the container holding our group memberships and it's no longer reaching out to the child domains.
We've run across another issue though and I'm hoping you might be able to help; the SA sits in one environment, and we have a one-way trust relationship with another DC in a separate forest. I'm able to authenticate users in the local domain on the appliance but not from the trusted domain. According to JTAC, authentication with AD using cross-forest trust is not supported.
Is it possible to define a RADIUS server as auth, and still use LDAP as the authorization server to pull group memberships? I'm a bit cloudy on how the group fetching wil work when using RADIUS, or if you have any other suggestions that would be great.
Yeah we found that out the hard way. A JTAC rep suggested that cross-forst trust is possible using a two-way trust - have you ever tried that? Just trying to wrap my head around why the appliance would care of the the trust was one vs two way.