SA no longer role mapping based on AD group membership

Freaky_
Occasional Contributor

Hi there,

Several months ago we set up an SA appliance to authenticate against AD on a Windows 2008 domain. This was working fine until a couple of days ago.

Not sure if it matters... about a month, maybe 2, ago we changed the administrator password. It now contains some special characters. We have updated the password in the SA, but it doesn't help.

Anyway, when trying to log in, users get the message:

You are not allowed to sign in. Please contact your administrator.

In the logs it will show that there are no roles for the user, but the authentication is fine.

So far we have trashed the role mappings, removed the groups from the list on the SA, searched them and added them again, and then recreated the role mappings. This doesn't help at all; it does, however, prove the SA can find the groups just fine. The test on the authentication server itself also runs without any errors. Recreating the authentication server (and then logically the role mappings) didn't help either.

Upgrading to 6.4R5.1 didn't do anything either.

I did a policy trace and it looks to me like this is where it all goes to hell:

info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - GetUserGroups: Finding user sid of user failed. user 'AD-User-with-adminperm' does not exist

But no clue on how to solve it. Note that usernames, external IP addresses and other sensitive information have been replaced (with find/replace, so it should be accurate).

Any ideas on what's causing this?

TIA

Full policy trace:

=============

info - [10.1.1.254] - juniper-sa-admin-account(Admin Users)[.Administrators] - 2010/03/16 02:09:28 - THEDOMAIN\AD-User-with-adminperm:Users - Policy Tracing turned on
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - NTLogin(10.1.1.1, THEDOMAIN\AD-User-with-adminperm, THEDOMAIN, administrator, no, , no, 0, 11, Juniper-SA700 Computers)
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Use NTLMv2 only,NTLMv1 is disallowed
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Performing winbind based Authentication...
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Fetching machine config from ntjoinserver for domain THEDOMAIN is successful
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Winbind Authentication status -1073741712(NT_STATUS_INVALID_WORKSTATION) for user AD-User-with-adminperm
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Performing Authentication using Kerberos ...
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Trying KDC Server=10.1.1.1, user realm=THEDOMAIN.LOCAL for krb authentication
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Authentication using Kerberos is successful
info - AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - NTLogin done.
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Authentication successful to auth server "AD-Auth"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Getting directory information from auth server "AD-Auth"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - GetUserGroups(10.1.1.1, THEDOMAIN\AD-User-with-adminperm, THEDOMAIN, administrator, no, , no, 3, 11, Juniper-SA700, Computers, 8)
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Rule Groups defined for the Realm are - THEDOMAIN/SSL-VPN-Admin==S-1-5-21-3742840757-2288406602-4221144205-1444
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Rule Groups defined for the Realm are - THEDOMAIN/SSL-VPN==S-1-5-21-3742840757-2288406602-4221144205-1409
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Rule Groups defined for the Realm are - THEDOMAIN/Domain Admins==S-1-5-21-3742840757-2288406602-4221144205-512
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Use NTLMv2 only,NTLMv1 is disallowed
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Fetching machine config from ntjoinserver for domain THEDOMAIN is successful
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - GetUserGroups: Finding user sid of user failed. user 'AD-User-with-adminperm' does not exist
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - There are no groups obtained for the user
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Retrieved directory information from auth server "AD-Auth"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Realm Users running 3 mapping rules for user THEDOMAIN\AD-User-with-adminperm
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable user = "THEDOMAIN\AD-User-with-adminperm"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable password = "****"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable userName = "AD-User-with-adminperm"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable protocol =
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable realm = "Users"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable loginTime = Tue Mar 16 02:09:45 2010
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable userAttr =
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable groups =
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable loginURL = "*/"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable sourceIp = w.x.y.z
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable loginHost = "vpn.remote-url.com"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable userAgent = "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100307 Gentoo Firefox/3.6"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable networkIF = "external"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable ntdomain = "THEDOMAIN"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable ntuser = "AD-User-with-adminperm"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable defaultNTDomain = "THEDOMAIN"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable user@AD-Auth = "THEDOMAIN\AD-User-with-adminperm"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable password@AD-Auth = "****"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable ntdomain@AD-Auth = "THEDOMAIN"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable ntuser@AD-Auth = "AD-User-with-adminperm"
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable group.THEDOMAIN_SSL-VPN-Admin = false
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable group.THEDOMAIN_SSL-VPN = false
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable group.THEDOMAIN_Domain Admins = false
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Variable cacheCleanerStatus = false
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - No match on rule 'groups = 'THEDOMAIN/SSL-VPN-Admin''
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - No match on rule 'groups = 'THEDOMAIN/SSL-VPN''
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - No match on rule 'groups = 'THEDOMAIN/Domain Admins''
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Realm Users did not map user THEDOMAIN\AD-User-with-adminperm to any roles
info - [w.x.y.z] - THEDOMAIN\AD-User-with-adminperm(Users)[] - 2010/03/16 02:09:46 - Sign-in rejected. Reason: NoRoles
info - [10.1.1.254] - juniper-sa-admin-account(Admin Users)[.Administrators] - 2010/03/16 02:12:51 - THEDOMAIN\AD-User-with-adminperm:Users - Policy Tracing file downloaded for user
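As an added example (not from the poster and not Juniper code), a small Python triage script that parses trace records in the format shown above and separates a credential failure from the pattern in this trace: authentication succeeds, the realm's group SIDs resolve, but the lookup of the user's own SID fails, so every group rule evaluates to false and sign-in ends with NoRoles. The record format is inferred from the lines above; the usernames and SIDs in the embedded sample are constructed placeholders.

```python
# Added triage helper for a Juniper SA policy trace (not Juniper code). Assumes the
# record format seen in the post: info - [ip] - DOMAIN\user(Realm)[roles] - ts - message
import re

LINE_RE = re.compile(r"^\w+ - (?:\[[^\]]+\] - )?.+?\([^)]*\)\[[^\]]*\] - \S+ \S+ - (?P<msg>.*)$")
RULE_GROUP_RE = re.compile(r"Rule Groups defined for the Realm are - (?P<group>.+?)==(?P<sid>S-1-[\d-]+)")
WINBIND_RE = re.compile(r"Winbind Authentication status -?\d+\((?P<name>[A-Z0-9_]+)\)")
REJECT_RE = re.compile(r"Sign-in rejected\. Reason: (?P<reason>\w+)")
# Constructed excerpt modelled on the poster's trace (usernames and SIDs are placeholders).
SAMPLE_TRACE = r"""
info - DEMO-User(Users)[] - 2010/03/16 02:09:46 - Winbind Authentication status -1073741712(NT_STATUS_INVALID_WORKSTATION) for user DEMO-User
info - [w.x.y.z] - DEMO\DEMO-User(Users)[] - 2010/03/16 02:09:46 - Authentication successful to auth server "AD-Auth"
info - [w.x.y.z] - DEMO\DEMO-User(Users)[] - 2010/03/16 02:09:46 - Rule Groups defined for the Realm are - DEMO/SSL-VPN==S-1-5-21-1-2-3-1409
info - [w.x.y.z] - DEMO\DEMO-User(Users)[] - 2010/03/16 02:09:46 - GetUserGroups: Finding user sid of user failed. user 'DEMO-User' does not exist
info - [w.x.y.z] - DEMO\DEMO-User(Users)[] - 2010/03/16 02:09:46 - There are no groups obtained for the user
info - [w.x.y.z] - DEMO\DEMO-User(Users)[] - 2010/03/16 02:09:46 - Sign-in rejected. Reason: NoRoles
"""

def triage(trace: str) -> dict:
    # Summarise the authentication and group-lookup outcome of one policy trace.
    s = {"auth_ok": False, "winbind_status": None, "realm_groups": {},
         "user_sid_lookup_failed": False, "groups_obtained": True, "reject_reason": None}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip anything that is not a trace record
        msg = m.group("msg")
        if (w := WINBIND_RE.search(msg)):
            s["winbind_status"] = w.group("name")  # e.g. NT_STATUS_INVALID_WORKSTATION
        elif msg.startswith("Authentication successful to auth server"):
            s["auth_ok"] = True
        elif (g := RULE_GROUP_RE.search(msg)):
            s["realm_groups"][g.group("group")] = g.group("sid")  # group SIDs the SA resolved
        elif "Finding user sid of user failed" in msg:
            s["user_sid_lookup_failed"] = True
        elif msg == "There are no groups obtained for the user":
            s["groups_obtained"] = False
        elif (r := REJECT_RE.search(msg)):
            s["reject_reason"] = r.group("reason")
    return s

def diagnosis(s: dict) -> str:
    # Tell a credential failure apart from the group-lookup failure seen in the post.
    if not s["auth_ok"]:
        return "authentication failed"
    if s["realm_groups"] and s["user_sid_lookup_failed"]:
        # Group SIDs resolved but the user's own SID did not: the lookup account and the
        # appliance's computer account in AD, not the user's password, are what to check.
        return "auth ok, group SIDs resolved, user SID lookup failed"
    if s["reject_reason"] == "NoRoles":
        return "auth ok, groups obtained, no mapping rule matched"
    return "no role-mapping problem found"
```

Run `diagnosis(triage(open("trace.txt").read()))` against a downloaded trace; the summary dict also keeps the winbind status code so a fallback to Kerberos is visible.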

4 REPLIES
Freaky_
Occasional Contributor

Re: SA no longer role mapping based on AD group membership

Have another odd thing.

Tried replacing the administrator account credentials in the SA with another AD administrator account. The SA keeps spitting out this error with this alternative account:

You can not change the password of the IVE computer account on the active directory server using the specified administrator credentials.

The account is a member of Domain Admins, Enterprise Admins and Schema Admins and should thus have sufficient rights. We use it to join computers to the domain all the time, and never ran into issues with it.

After trashing the authentication server and the computer account from AD, then recreating the authentication server with this user account it still gives the same error when running test. The computer account does show up in AD btw... Strange issue.

MattS_
Frequent Contributor

Re: SA no longer role mapping based on AD group membership

Freaky_
Occasional Contributor

Re: SA no longer role mapping based on AD group membership

Nope, already checked that. Then checked a user and a computer account. On neither of them do I see our alternative admin account mentioned directly. Domain Admins has a subset of the available rights and Enterprise Admins has all the checks. The user account is a member of both.

It concerns 2008 Essential Business Server. Perhaps they screwed up the rights somewhere from default, but I can't find it. Also don't have any issues with it joining XP/Win7 machines, altering users, changing passwords etc. Besides, it would only fix the issue with the alternative administrator account which would probably get us one step further towards the error we have with the normal administrator account.

This has been working fine for several months. It just stopped... There have been no changes on AD that we're aware of, besides whatever security updates from MS do. The rights are there, quite positive about that. I can change user password w/o issues and the normal administrator account isn't a member of any other high privileged groups other than this account.

The whole issue just doesn't make sense. As admin it can authenticate the user, find the SIDs for the groups that are used in role mappings, and then can't find the SID for the user that logged on (well, tried to). Because it can't find that SID, it can't check the group membership, or so it appears.

Don't care what admin account it uses, it just needs to work. Created a work around by doing role mapping based on username, but it's not really manageable with over 50 users needing VPN access. Just throwing them in groups is much easier.

RKB_
Frequent Contributor

Re: SA no longer role mapping based on AD group membership

On the AD server search for the computer account that was created by SA.

This computer account should have the same name that is configured on the AD auth server instance.

Locate this and delete the account on the AD server. Now on the SA, go to the auth server and click on test config.

Try to repopulate the server catalogue.

To verify if the server catalogue is the latest one, try adding a new group on the AD server and see if the AD group is seen on the server catalogue.

Now try to login with the user and see if the group role mapping succeeds.