I've experienced this issue quite a few times lately. It happens spontaneously to random users at random times. Most of the time, it will happen in the evening and the next morning if I test in the office, it works.
The users will get you are not authorized to sign in. In the VPN url, "no roles" is appended. In reality, the user does have a role mapping. I'm unsure if there's an issue with the sync or SA attempting to contact the AD group for ID and group membership resolution (seems that way). Has anyone seen this or have advice on how to resolve it? I called jtac on it, they can't seem to figure it out.
We log in via web and not NC direct. Running 8.0R5. All realm-role mappings are based on group membership look up for the mappings. When I go in to the users logs = "Login failed. Reason: No Roles".
Any advice or suggestions would be appreciated.
The main reason I see that message is that the User has selected the incorrect realm to log in to.
They do have a role mapping, but it's in another realm.
How long do the outages last? Is it long enough that you can grab a policy trace for the user?
With it happening randomly, are users contacting you/your helpdesk for assistance when it happens? If yes, does your helpdesk have a delegated admin role for troubleshooting permissions?
Typically this error happens if the group listing does not come back from the server with all the groups. Some things to check:
How different is the time on your SA and DC?
Is the admin on the DC domain admin?
Are you using nested groups?
Does the DC show any failures?
If you are using DNS, does it change if you switch to a static IP to force connection to a specific device?
If you are using trusted domains, does the issue resolve if you disable that?
Casey, thx..but this is unrelated to sign in urls, realms, roles...all of that is accurate.
Zan, thx. Unfortunately with this issue, it's a bit tougher to work with. The calls come in for these in the evenings and the support staff don't have access to the MAG so it's just recorded and referred off to the day staff (me). By the time I get it, I can't replicate the issue with the user...I'm able to log in no problem in the morning or day with that same user so I can't execute a policy trace or much tshooting. I saw this issue once or twice a couple mths back and resetting the IE settings fixed them bc active x was stuck, but these are unrelated it seems.
In terms of troubleshooting, I can just see the user access logs. The authentication phases are successful but immediately after we get the "Login failed from x.x.x.x for "userid" - all roles restricted. Login failed. reason: no roles. It's defiitely an AD/DC issue of some sort.
Thanks for pointing me to the right directions. I'm investigating a few of your questions and will get back on the outcome. Nested groups is set to 0. I believe you can only enable trusted domains with legacy ldap and sa 7.x...I don't have an option in my ldap server config on the mag to enable or disable trusted domains. DNS, do you mean hardwiring it on the eu machine to something like google? I haven't tried any of the EU tshooting bc I can't replicate it right now.
Do you have low enough useage at night to start a trace dump with a filter for the AD or LDAP host?
Troubleshooting / Tools / TCP dump : host 10.1.2.1 (whatever your role mapping refers to in lookups)
You could start it at shift end and stop and get it at shift start, unless you have high use at night.
Another thought is to set-up a syslog aggregator, like Splunk, and set your event logs to capture everything and send them to it. Also, if possible, have your AD logs sent there.
This issue is really driving me nuts.
I noticed the Primary LDAP server was not reachable so the Backup has been taking all of the requests. I made changes and updated the Primary so all 3 LDAP servers are now reacahble.
Confirmed NTP...Time sources are the same on the SA and DC.
DC is showing no errors or failures in the logs. We pulledup the time stamps for the users who were failing and nothing came up in the logs for those users or pcs.
Our server team said making the sa admin account a DC Domain Admin account is highly unsecure and will never fly.
I was hoping with the changes I made, it would help but I had another user fail this morning at 9AM. The problem is, it's with random users, random times. Might be hard to enable tcp dump all day and night.
Any other ideas?
I have an update on this one.
I caught a couple users with the issue and pulled policy traces on them. I'm unsure if it's related to the others bc of the behavior. The others would work on it's own at a different time but these latest cases don't work at all for days until I temporarily fix them. I still don't have the permanent solution...still working on that.
The policy traces are showing the cause of this related to host checker.
I have two temproary fixes
1. If I clear IE to it's default settings and delete personal settings - it prompts for active x at the next sign in to accept and it logs in
2. If I access the VPN via the network connect application direct instead of IE, it works (program files - juniper networks - network connect 8.0 - network connect
These are the last remaining lines of the policy trace results:
|info - (NC-Realm)[NC-Role] - 2014/12/11 12:14:13 - Realm Staff - Strong Auth mapped user userid to roles NC-Role|
|info - (NC-Realm)[NC-Role] - 2014/12/11 12:14:13 - Host Checker restriction check failed for role NC-Role|
|info - (NC-Realm) - 2014/12/11 12:14:13 - Resuming sign-in process|
|info - (NC-Realm) - 2014/12/11 12:14:13 - Host Checker restriction check failed for role NC-Role|
|info - (NC-Realm) - 2014/12/11 12:14:13 - All roles restricted|
|info - (NC-Realm) - 2014/12/11 12:14:13 - Sign-in rejected. Reason: No Roles|
Still trying to figure this one out. If anyone has experienced this, would love to hear your feedback.
It looks from the logs like your issue is with Host Checker. They say it is failing for all roles. We don't apply Host Checks at role level but I have seen something similar with Realm level checks. This normally indicates a corrupt HC installation. Uninstalling and re-installing normally resolves the issue but if you are repeatedly getting the issue it could be something in your environmentis conflicting with host checker.
The fact it works with the Network Connect application and clearing IE settings suggests it could be something in the IE configuration.
I've seen this issue before. My issue was having a AD group assign to the Mag that had no users assign to it.
I have also seen this issues when using diffrent browser then IE when hostchecker could not complete full instalation. For example we had huge issues for example when internals where trying to use Chrome to donwload Junos Pulse via Web browser.