Solved: SA700: Authenticate users by Active Directory, can...

ym_ · ‎04-22-2008

Hi,

I am trying to configure the SA700 to authenticate users by the AD in the domain. I tried to add an authentication server by Authentication > Auth. Servers > Active Directory / Windows NT > New Server.

I entered the details in the "New Active Directory/ Windows NT" page that follows, leaving the "Backup domain controller " field blank and "Allow trusted domains" unchecked. I selected "Use LDAP to get Kerboros realm name".

When I hit the "Test configuration" button, there is a warning message "Either the server is not a domain controller of the domain or the Netbios name of the domain is different from the active directory (LDAP) name." I am sure the server IP address I entered is the domain controller. Not very sure what the second part of the error message means.

There is also an error message:

Error while joining domain [domain name]. Possible causes:

- The specified administrator credentials do not properly authenticate (I am sure this is not the case)

- The specified domain or domain controller may not be valid (I am sure this is not the case, AD machine can ping SA700)

So what else needs to be configured?? or did I not configured correctly??

Regards,

ym

dusannovakovic_ · ‎04-26-2008

To join Domain successfully -

Use a Domainadministator Account or Useraccount with permission to create objects in Active Directory
give in the Admin Username without Prefix! (Use Administrator and NOT domain\administrator
For the computeraccount name use a name like ivenode1 and NOT a name like ive-node-1
When joined the domain, refresh your view of Active Directory (adminpack.msi) to see the computeraccount in Active Directory
Between IVE and DC Ports TCP139 and 445 must be reachable
The Warning "Either the LDAP Name of the Domaincontroller ...." is just a warning and not an error, so dont care about it
When you want to do rolemapping based on groupmembership active directory, use the SEARCH button in IVE Server Catalog to find the groups
DONT type in the name of the groups in the IVE Server Catalog, it will not work. When you search for the groups, it needs some minutes, so go and dring a coffee while you wait. Once the AD-Groups are added to the IVE Server Catalogue, the SID is cached (winbind) on IVE and the autorization process goes fast and stable

This Topic drove me insane in da brain, i hope these expiriences help a little bit to make your day.

View solution in original post

Frac_ · ‎04-23-2008

Hi,

the problem could be that you have done this:

domain: "test.com"

but the domain needs to be "TEST"

Hope this helps you.

GreetZ,

Frac

NDCool_ · ‎04-23-2008

Hi YM,

i also had same problems with auth using AD before. but now i using LDAP auth to get users from my AD. and working fine.

u can using Softerra LDAP Browser software to get LDAP setting on your AD server.

hope can work fine.

rgds

=ND=

ym_ · ‎04-23-2008

Hi Frac,

Thanks. Your reply helped solve my problem. The users can login now.

Hi NDCool,

I tried the LDAP auth before, but always hit the error of "LDAP server not reachable for server [ip address] at port 389" when I tried to "Save Changes". "Test Connection" is fine. I will try to figure out how the Softerra LDAP Browser can help.

Another question:

I have some users in the AD that do not need to authenticate using a smartcard. These users login ok when using "Active Directory / Windows NT" for authentication.

I have some users in the users that require a smartcard for login. How should I set up the authentication policy for them then? Tried "Active Directory / Windows NT" but always login fails.

Thanks.

stijn_ · ‎04-24-2008

What smartcard product are you using? You will need to create a cert authentication server and add it to the authentication realm. In that way the users will need to select manually the login method they want to use, AD or cert.

Stijn

Message Edited by stijn on 04-24-2008 08:52 AM

ym_ · ‎04-24-2008

Hi,

Actually the user will login into the PC/Laptop using a smartcard and password. I am trying to configure the SA700 such that the user is able to SSO by clicking on the Network Connect and enter into the VPN without needing to enter password and username anymore.

Thanks.

Frac_ · ‎04-24-2008

hi ym,

No problem.

for your other question. just use the smartcard certificate (if it has one) to authenticate to the ssl appliance. (the only thing user will have to do (if you want some security user will need to type password to unlock that certificate)).

so just make a new authentication server and attach it to new realm. attach that realm to a new url (so it uses authentication server Certificate).

Only thing user need to do is to click on the NC icon to start it (be sure it points to correct URL)

And then it should work.

GreetZ,

Frac

ym_ · ‎04-24-2008

hi Frac,

When I am at Authentication > Signing In > Sign-in Policies > User URLs, there is only 1 entry. How can I add more entries to try your suggestion? There is only "Enable", "Disable","Save Changes". I am expecting a "Add URL" or something similar but there is none.

The most I can do is change the sign-in URL, which is different from adding another sign-in URL.

Do provide instructions to add sign-in URL if possible. Thanks.

stijn_ · ‎04-25-2008

Adding custom URLs is only possible with the advanced license... But there is no advanced license available for the SA700 so you can only have 1 sign in URL

dusannovakovic_ · ‎04-26-2008

To join Domain successfully -

Use a Domainadministator Account or Useraccount with permission to create objects in Active Directory
give in the Admin Username without Prefix! (Use Administrator and NOT domain\administrator
For the computeraccount name use a name like ivenode1 and NOT a name like ive-node-1
When joined the domain, refresh your view of Active Directory (adminpack.msi) to see the computeraccount in Active Directory
Between IVE and DC Ports TCP139 and 445 must be reachable
The Warning "Either the LDAP Name of the Domaincontroller ...." is just a warning and not an error, so dont care about it
When you want to do rolemapping based on groupmembership active directory, use the SEARCH button in IVE Server Catalog to find the groups
DONT type in the name of the groups in the IVE Server Catalog, it will not work. When you search for the groups, it needs some minutes, so go and dring a coffee while you wait. Once the AD-Groups are added to the IVE Server Catalogue, the SID is cached (winbind) on IVE and the autorization process goes fast and stable

This Topic drove me insane in da brain, i hope these expiriences help a little bit to make your day.

SA700: Authenticate users by Active Directory, cannot join domain

SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain

Re: SA700: Authenticate users by Active Directory, cannot join domain