
SA2500 Unable to Authenticate to AD

NetBlocked_
Not applicable

Hi all,

I've run into a roadblock configuring a managed SA2500 and was hoping someone could offer some insight. The SA2500 is allowing authenticated access to users just fine. I want to add the ability for users to authenticate through the SA2500 via AD, which is where I'm encountering issues. The user 'vpn' has been created with administrator access on the AD. Here is the current setup:

System Version: 7.0R2 (Build 16499)

Authentication Servers has Active_Directory which is an 'Active Directory/Windows NT' type

Primary Domain Controller/AD: 10.x.x.1

Secondary Domain Controller/AD: 10.x.x.2

Allow domain to be specified as part of username: checked

Allow trusted domains: checked

Domain Controller is a Windows 2008 server: checked

Admin Username: vpn

Admin Password: filled in

Authentication protocol

Kerberos: checked

NTLM v2: unchecked

NTLM v1: unchecked

Kerberos Realm Name

Use LDAP to get Kerberos realm name: button selected

View Advanced Options

User may belong to Domain Local Groups across trust boundaries: checked

Container Name: Computers

Computer Name: vcxxxxxxxxxxxxx

User Record Synchronization

Enable User Record Synchronization: unchecked

When testing this setup (and several variations), it returns a could not authenticate error. I'm out of ideas on what could be going on with the device. Has anyone encountered something similar when configuring their SA2500? Any input would be appreciated.

Thanks in advance,

Netblocked

stine_
Super Contributor

Re: SA2500 Unable to Authenticate to AD

A couple of things to check:

1) The account "vpn" is either a domain admin, or has been set up with the permissions required (there's a KB on it).

2) The times are synchronized to within 5 minutes (Kerberos will not function with a delta > 5 mins).

3) The user account can actually log into the domain (isn't locked, doesn't have log-on-from restrictions).

If you've done those things, use the SA's troubleshooting tools to capture the traffic between the SA and your DC(s) and look at the LDAP flow. You should be able to determine exactly what your DCs are returning to the SA.
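Point 2 above (Kerberos clock skew) is the check most often skipped, and it can be verified from any host before touching the SA. The script below is an added example, not part of the original thread and not Juniper's or Microsoft's code: it sends a plain SNTP client request to a domain controller (Windows DCs serve time on UDP/123 via w32time), reads the server's transmit timestamp, and compares it against the local clock using the Kerberos default maximum skew of 300 seconds. The host name `dc01.example.local` is a placeholder you replace with your own DC; the packet parsing and skew logic are exercised offline with constructed data.

```python
import socket
import struct
import sys
import time

# Kerberos default maximum tolerated clock skew (KDC and client): 5 minutes.
KERBEROS_MAX_SKEW_SECONDS = 300
# NTP timestamps count seconds since 1900-01-01; Unix time since 1970-01-01.
NTP_EPOCH_OFFSET = 2208988800
NTP_PACKET_LEN = 48


def build_sntp_request() -> bytes:
    """Minimal 48-byte SNTP request: LI=0, VN=4, Mode=3 (client), rest zeroed."""
    return bytes([0x23]) + b"\x00" * (NTP_PACKET_LEN - 1)


def parse_transmit_timestamp(packet: bytes) -> float:
    """Return the server transmit timestamp (bytes 40..47) as Unix seconds."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(packet))
    secs, frac = struct.unpack("!II", packet[40:48])
    return (secs - NTP_EPOCH_OFFSET) + frac / 2 ** 32


def clock_skew_ok(local_time: float, server_time: float,
                  max_skew: float = KERBEROS_MAX_SKEW_SECONDS):
    """Return (within_limit, absolute_skew_seconds) for a local/server pair."""
    skew = abs(local_time - server_time)
    return skew <= max_skew, skew


def query_dc_time(host: str, port: int = 123, timeout: float = 3.0):
    """Ask the DC for its time over SNTP; returns (server_time, local_time)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (host, port))
        data, _ = sock.recvfrom(NTP_PACKET_LEN)
    # Sample the local clock immediately after the reply lands.
    return parse_transmit_timestamp(data), time.time()


def check_dc(host: str) -> int:
    """Print a verdict for one DC; exit code 0 when skew is within Kerberos limits."""
    server_time, local_time = query_dc_time(host)
    ok, skew = clock_skew_ok(local_time, server_time)
    verdict = "OK" if ok else "TOO LARGE (Kerberos will fail)"
    print("%s: skew %.2f s -> %s" % (host, skew, verdict))
    return 0 if ok else 1


if __name__ == "__main__":
    # Placeholder DC name; substitute your primary and secondary DC addresses.
    targets = sys.argv[1:] or ["dc01.example.local"]
    sys.exit(max(check_dc(h) for h in targets))
```

Run it from the same network segment as the SA if you can, since the interesting number is the difference between the SA's clock and the DC's, not the workstation's; if the SA cannot run scripts, compare its displayed system time against this output. A skew reported as "TOO LARGE" fully explains a "could not authenticate" result with Kerberos checked and both NTLM options unchecked.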