You are welcome; hope the switch goes well for you when you are ready.

In the meantime, you should also be able to use the LDAP server type on the IVE until you are able to upgrade the IVE for AD 2008 support.

So if I got you right, you did a policy trace on a user facing that problem. What checkboxes did you check?

Does any other logs (error / user / admin) show an errormessage (what options did you check for those logs).

Is maybe a systemsnapshot created?

Hi,

I checked pre-auth, auth, role mapping

-checked all under web policies

-and checked SAM policies and terminal server policies.

The eventlog shows nothing, neither does the admin/user log, and all options are checked for these logs.

I have not yet made a system snapshot but I think this may be my next move..

I cancel my question. This seems to be a specific error only happening when I authenticate using my NTLM AD auth server.

When using LDAP AD or Radius instead it works fine, and also when I changed NTLM auth server to use another AD domain controller it worked ok, and when I changed back to my original AD Domain Controller it also suddenly works, so this may be a Kerberos ticket (caching) issue or something like that.

FYI

We found the exact reason for the problem in our environment.

On the AD Domain controllers, there is also installed a password synchronization SW from SUN. This reacts on all passwordchanges, also those done by machine-objects, not only people-objects. So, when the Juniper box changes/refreshes its AD password, it actually sets it to blank, before setting the updated one. The password-sync SW does not handle this null-value and crashes. This again, makes the Domain Controller go into a faulty status, which again, causes the "server had an internal error" when logging into the SSL VPN.

We have to wait for this password sync software to be upgraded to handle this blank value, to get rid of this problem in our environment.

Don't know if this helps anyone else though. Pretty peculiar root-cause this one.

Folks,

We get the "internal" error every "now and then" while trying to authenticate to an SA 6000 running 6.2R3.1 using a client certificate.

It is currently very much annoying us, there is no explanation to be found in the logging, anywhere, plus the behaviour is simply not reproducable.

It comes in phases, sometimes it works for a while, and sometimes it doesn't work for a while, then later on, suddenly, it works again. It is driving us insane :-(

We've played with various settings regarding client certificate authentication, disabled/enabled CRL checking, (automatically, manually, etc.), we've played with role mappings based on certificate attributes, etc., but we are unable to find any consistent behaviour other than that the SA 6000 is functioning very inconsistently in this context (apart from that it's a great device).

Any help is much appreciated!

Thanks.

I got the same error after changed the AD authentication server. All users can login without any problem, but only users with expired passwords will show this error. Checked the 'password never expire' setting for such users and they can login again. Do you have any clue? Thanks a lot.

Can you try disabling kerberos as an option on your AD/NT server instance and allow NTLMv1 and/or NTLM v2?

If that works, delete the IVE computer object on the DC and change the computer object name on the IVE server instance so that the association is created again