SA-2000 Role Mapping Group Membership

SOLVED
Daver109_
Contributor

Re: SA-2000 Role Mapping Group Membership

I have version 6.3R3, and I'm wondering if it is a time issue. Does anyone know how Juniper syncs with AD? Is there a time delay? I just added a user to a group I am already using with other users. It's been 6 hours.

This user can get in under one Realm as a regular user (via Domain Users), but not under the group I added her to today under another Realm I have for remote users.

ruc_
Regular Contributor

Re: SA-2000 Role Mapping Group Membership

Juniper SA does not sync with AD, as it does not maintain the user database. Each time a user attempts to log in, the SA simply validates the credentials against the AD server and then does the group lookup.

Have you tried the policy tracing tool available under Troubleshooting > User Sessions?

Daver109_
Contributor

Re: SA-2000 Role Mapping Group Membership

I get this for me, and I can log in...

Info PTR23397 2009/04/24 07:51:05 - [71.17.218.144] - KTHR\dlittle(Remote Access)[] - Groups obtained during winbind auth....
Info PTR23397 2009/04/24 07:51:05 - [71.17.218.144] - KTHR\dlittle(Remote Access)[] - Groups obtained for the user KTHR\dlittle are -

and this for her under the Remote Realm, where it can't find her group.

Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\asettee(Remote Access)[] - Groups obtained during winbind auth....
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\asettee(Remote Access)[] - Trying for global,local AD groups from domain KTHR...
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\asettee(Remote Access)[] - GetUserGroups: No GC is found. Returning from getADGroups()
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\asettee(Remote Access)[] - Getting AD groups done
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\asettee(Remote Access)[] - There are no groups obtained for the user

and this for her under the Staff Realm, where it has no issue.

Info PTR23397 2009/04/24 07:59:20 - [71.17.218.144] - KTHR\asettee(Staff Access)[] - Groups obtained during winbind auth....
Info PTR23397 2009/04/24 07:59:20 - [71.17.218.144] - KTHR\asettee(Staff Access)[] - Groups obtained for the user KTHR\asettee are -
Info PTR23397 2009/04/24 07:59:20 - [71.17.218.144] - KTHR\asettee(Staff Access)[] - Group : KTHR/Domain Users

No other users I have set up have issues with any groups / roles under this Realm.

It doesn't seem to make sense when other users who are members of the AD group I created can access the Remote Realm, but anyone new I have tried to add to this AD group fails.

Is this an AD problem?
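The three policy-trace excerpts above are the evidence in this thread, so the following is a small parser that pulls out of them exactly what role mapping sees: the "Group :" lines that were returned and the winbind lookup failures ("No GC is found", "There are no groups obtained"). It is an added example, not code from the thread or from Juniper; the sample trace is constructed from the lines posted above, put one event per line, and the regex assumes that line layout. In the post the dlittle excerpt stops before any "Group :" lines, so that session shows no groups here too.

```python
import re
from collections import OrderedDict

# Constructed sample: the three trace excerpts from the post, one event per line.
SAMPLE_TRACE = """\
Info PTR23397 2009/04/24 07:51:05 - [71.17.218.144] - KTHR\\dlittle(Remote Access)[] - Groups obtained during winbind auth....
Info PTR23397 2009/04/24 07:51:05 - [71.17.218.144] - KTHR\\dlittle(Remote Access)[] - Groups obtained for the user KTHR\\dlittle are -
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\\asettee(Remote Access)[] - Groups obtained during winbind auth....
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\\asettee(Remote Access)[] - Trying for global,local AD groups from domain KTHR...
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\\asettee(Remote Access)[] - GetUserGroups: No GC is found. Returning from getADGroups()
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\\asettee(Remote Access)[] - Getting AD groups done
Info PTR23397 2009/04/24 07:54:30 - [71.17.218.144] - KTHR\\asettee(Remote Access)[] - There are no groups obtained for the user
Info PTR23397 2009/04/24 07:59:20 - [71.17.218.144] - KTHR\\asettee(Staff Access)[] - Groups obtained during winbind auth....
Info PTR23397 2009/04/24 07:59:20 - [71.17.218.144] - KTHR\\asettee(Staff Access)[] - Groups obtained for the user KTHR\\asettee are -
Info PTR23397 2009/04/24 07:59:20 - [71.17.218.144] - KTHR\\asettee(Staff Access)[] - Group : KTHR/Domain Users
"""

# Assumed line layout (matches the posted lines):
#   <level> <ptr> <date> <time> - [<src ip>] - <DOMAIN\user>(<realm>)[] - <message>
LINE_RE = re.compile(
    r"^(?P<level>\w+) (?P<ptr>\S+) (?P<ts>\S+ \S+) - \[(?P<src>[^\]]+)\] - "
    r"(?P<user>[^\s(]+)\((?P<realm>[^)]*)\)\[[^\]]*\] - (?P<msg>.*)$"
)


def parse_trace(text):
    """Group trace events by (user, realm) and keep only what role mapping
    depends on: the groups actually returned and the winbind lookup failures."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a policy-trace event line
        key = (m["user"], m["realm"])
        s = sessions.setdefault(key, {"groups": [], "no_gc": False, "no_groups": False})
        msg = m["msg"]
        if msg.startswith("Group : "):
            s["groups"].append(msg[len("Group : "):].strip())
        elif "No GC is found" in msg:
            # The appliance could not locate a Global Catalog for the domain, so
            # it returned before collecting any AD groups for the user.
            s["no_gc"] = True
        elif "There are no groups obtained" in msg:
            s["no_groups"] = True
    return sessions


def verdict(session):
    """'no-gc': lookup failed before any groups were read (not a deny decision);
    'ok': at least one group came back; 'no-groups': nothing returned and no
    failure logged (or the excerpt was cut short, as for dlittle above)."""
    if session["no_gc"]:
        return "no-gc"
    if session["groups"]:
        return "ok"
    return "no-groups"


def diagnose(text):
    return {f"{u} / {r}": verdict(s) for (u, r), s in parse_trace(text).items()}


if __name__ == "__main__":
    for key, result in diagnose(SAMPLE_TRACE).items():
        print(f"{key}: {result}")
```

Run against the sample, the Remote Access session for asettee comes back as "no-gc" while her Staff Access session is "ok" with KTHR/Domain Users, which is the distinction the thread is chasing: the failing realm never received a group list at all, so any group-based role mapping rule in it has nothing to match.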

muttbarker_
Valued Contributor

Re: SA-2000 Role Mapping Group Membership

Ok - dumb question of the day - If you go into role mapping and select groups and do a search for the group - I assume you can see the group just fine. If that is the case then it is probably not an SSL issue. A couple of thoughts. Have you tried using LDAP for your authorization instead of AD and seeing if going in through an LDAP credential makes a difference?

Also it might be useful to do two packet captures - one good and one bad and see the actual error code returns prior to the SSL translating it.

Daver109_
Contributor

Re: SA-2000 Role Mapping Group Membership

Yes, I have double-checked all that; the list shows up without issue.

I have not tried LDAP

I have not tried packet capture, as it is not an area I have dabbled in.

LDAP: I set it to be my authenticating server and I could not log on at all with that username / password. Would it not take the same logon name? (my dumb question of the day)

LDAP... do you have a recommendation for a book on understanding LDAP in relation to AD?

muttbarker_
Valued Contributor

Re: SA-2000 Role Mapping Group Membership

LDAP works very well instead of AD. In fact I almost never configure AD for authorization as you are limited to groups only. You need to make sure you properly define your LDAP server but you can use AD for authentication (1st auth server) and just use LDAP for authorization (2nd auth server - Directory / Attribute). If you have not done this before and need some help I can send you a couple of screenshots of an LDAP setup against an AD server.

If you set up LDAP properly as your authorization server you should most definitely be able to log in with a normal user name/pass.

Hmm - understanding LDAP and AD - I wish I knew a good book - I never found one - maybe someone else can recommend.

I would suggest getting a couple of tools - Softterra LDAP admin is a great tool and you can get a 30 day trial download - they also have a freeware version for looking at your AD through the prism of LDAP.
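As an added example (not code from the thread, from Juniper, or from any LDAP tool mentioned above), here is what an LDAP authorization lookup against AD has to get right, worked offline on a constructed user entry. Two points matter in practice: the login name must be escaped before it goes into the search filter (RFC 4515), otherwise a crafted username becomes LDAP filter injection; and AD does not list a user's primary group, normally Domain Users, in memberOf, so a memberOf-only lookup silently misses it. The group name "VPN Remote", the DN suffix and the entry values are assumptions.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value):
    """Escape a value before splicing it into a filter (prevents injection)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login):
    """Filter that locates the AD user object by sAMAccountName.
    'KTHR\\asettee' is reduced to 'asettee': AD stores the bare account name."""
    name = login.split("\\", 1)[-1]
    return f"(&(objectClass=user)(sAMAccountName={escape_filter(name)}))"


def cn_of(dn):
    """First RDN value of a DN: 'CN=VPN Remote,OU=Groups,...' -> 'VPN Remote'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


# Well-known RIDs for primary groups (513 = Domain Users, 512 = Domain Admins).
PRIMARY_GROUP_NAMES = {513: "Domain Users", 512: "Domain Admins"}


def effective_groups(entry):
    """Groups usable for role mapping: memberOf CNs plus the primary group,
    which AD keeps in primaryGroupID rather than in memberOf."""
    groups = [cn_of(dn) for dn in entry.get("memberOf", [])]
    primary = PRIMARY_GROUP_NAMES.get(int(entry.get("primaryGroupID", 0)))
    if primary and primary not in groups:
        groups.append(primary)
    return groups


def is_member(entry, group_cn):
    return group_cn in effective_groups(entry)


# Constructed AD entry, as an LDAP search for user_filter("KTHR\\asettee")
# might return it (assumed values).
ASETTEE = {
    "sAMAccountName": "asettee",
    "primaryGroupID": "513",
    "memberOf": ["CN=VPN Remote,OU=Groups,DC=kthr,DC=local"],
}

if __name__ == "__main__":
    print(user_filter("KTHR\\asettee"))
    print(effective_groups(ASETTEE))
```

Wired into the appliance, the first auth server checks the password and the LDAP server is queried with the escaped filter to read memberOf (and primaryGroupID); a role mapping rule on "VPN Remote" then matches from the LDAP attributes rather than from the winbind group lookup that failed in the trace earlier in this thread.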

Daver109_
Contributor

Re: SA-2000 Role Mapping Group Membership

Screenshots are very welcome, as I'm thinking it is just not set up right on the AD server.

It just doesn't make sense why it was working and now the new users I have added to the group fail. Previously added users are fine.

So it would be good to see if LDAP works or not or maybe we have something more serious going on.

I definitely see the benefits of LDAP, just something more I have to learn though... lol. OW, my head. Seems like these days you barely get a handle on one thing and then VPs want to do this / do that. It's all good stuff, but it is challenging enough to keep up.

Dave

muttbarker_
Valued Contributor

Re: SA-2000 Role Mapping Group Membership

Send me a private message with your email address. Will send to you.