I set up a new gateway, SA2500 running 7.1R11.

Auth Server is AD/Windows NT, 2008 server.
- Default settings on this page, 2008 server box is checked, Kerberos, NTLM1 and 2 are both checked.

Roles are assigned based on group membership. When creating role mapping, the IVE is able to connect to the domain controller and view all of the domain groups.

When I test the configuration of the auth server, I get -

Error while joining domain DOMAINX.
Possible causes:
- The specified administrator credentials do not properly authenticate.
- The specified domain or domain controller may not be valid.
Also, the device's clock must be in sync with the Active Directory server.

I have verified the credentials, the domain controller and domain are valid and the time is sync'd.

When I try to log in to the IVE, I get an error message indicating I do not have permission to log in. When doing policy tracing, I get the following, indicating authentication is working but group membership lookup is failing -

jroberts(DomainX)[] - NTLogin(10.21.1.22, DomainX\jroberts, DomainX, junipervpn, no, , no, 1, 15, vc00000a03a110 Computers)
jroberts(DomainX)[] - Use any auth protcols
jroberts(DomainX)[] - Performing winbind based Authentication...
jroberts(DomainX)[] - Use any auth protcols
jroberts(DomainX)[] - Join to domain DomainX failed (system, 0x00000016): Invalid argument.
jroberts(DomainX)[] - Join to domain DomainX failed (nt, 0xC0000388): NT code 0xc0000388.
jroberts(DomainX)[] - Fetching machine config from ntjoinserver for domain DomainX failure
jroberts(DomainX)[] - Winbind Authentication initialization did not succeed
jroberts(DomainX)[] - Performing Authentication using Kerberos ...
jroberts(DomainX)[] - Trying KDC Server=10.21.1.22, user realm=DomainX.WEBROOT.COM for krb authentication
jroberts(DomainX)[] - Authentication using Kerberos is successful
jroberts(DomainX)[] - NTLogin done.
DomainX\jroberts(DomainX)[] - Authentication successful to auth server "DomainX_AD"
DomainX\jroberts(DomainX)[] - Getting directory information from auth server "DomainX_AD"
DomainX\jroberts(DomainX)[] - GetUserGroups(10.21.1.22, DomainX\jroberts, DomainX, junipervpn, no, , no, 3, 15, vc00000a03a110, Computers, 8)
DomainX\jroberts(DomainX)[] - Rule Groups defined for the Realm are - DomainX/VPNSSL_IT
DomainX\jroberts(DomainX)[] - Rule Groups defined for the Realm are - DomainX/VPNSSL_DCO
DomainX\jroberts(DomainX)[] - Rule Groups defined for the Realm are - DomainX/VPNSSL_Corporate
DomainX\jroberts(DomainX)[] - Use any auth protcols
DomainX\jroberts(DomainX)[] - Fetching machine config from ntjoinserver for domain DomainX failure
DomainX\jroberts(DomainX)[] - Winbind Authentication initialization did not succeed
DomainX\jroberts(DomainX)[] - There are no groups obtained for the user
**several logs snipped here which are probably not relevant**
DomainX\jroberts(DomainX)[] - Sign-in rejected. Reason: NoRoles

Troubleshooting -
- I have verified Kerberos traffic being allowed from IVE to DC
- I have tried using a different DC in my configuration
- I have deleted the computer account from AD, deleted the Auth server from the IVE and tried again.
- I have re-named the "computer name" in the IVE under 'auth servers/server/advanced options'
- rebooted/restarted services on IVE
- Both upgraded and downgraded IVE

Anybody have any ideas?

Thanks
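Added example, not part of the original post: a Python triage of the policy-trace lines quoted above that separates the domain-join failure from the Kerberos result and decodes the two error codes. The function names are hypothetical, the sample lines are copied from the post, and the NTSTATUS name comes from Microsoft's published NTSTATUS values rather than from the post; treating the "system" code as an errno value is an assumption.

```python
import errno
import re

# Sample input: policy-trace lines copied from the post above.
TRACE = r"""
jroberts(DomainX)[] - Join to domain DomainX failed (system, 0x00000016): Invalid argument.
jroberts(DomainX)[] - Join to domain DomainX failed (nt, 0xC0000388): NT code 0xc0000388.
jroberts(DomainX)[] - Winbind Authentication initialization did not succeed
jroberts(DomainX)[] - Authentication using Kerberos is successful
DomainX\jroberts(DomainX)[] - There are no groups obtained for the user
DomainX\jroberts(DomainX)[] - Sign-in rejected. Reason: NoRoles
"""

# Name taken from Microsoft's NTSTATUS list (not stated in the post).
NTSTATUS_NAMES = {0xC0000388: "STATUS_DOWNGRADE_DETECTED"}
SEVERITY = ("success", "informational", "warning", "error")
JOIN_RE = re.compile(r"Join to domain (\S+) failed \((system|nt), (0x[0-9A-Fa-f]+)\)")


def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into its severity, facility and code fields."""
    return {
        "severity": SEVERITY[(value >> 30) & 0x3],
        "facility": (value >> 16) & 0xFFF,
        "code": value & 0xFFFF,
        "name": NTSTATUS_NAMES.get(value, "unknown"),
    }


def triage(trace):
    """Summarise which stage of the sign-in failed."""
    out = {"join_errors": [], "kerberos_ok": False, "no_groups": False, "reject_reason": None}
    for line in trace.splitlines():
        msg = line.partition(" - ")[2]
        m = JOIN_RE.search(msg)
        if m:
            kind, raw = m.group(2), int(m.group(3), 16)
            # Assumption: "system" codes are errno values (0x16 = EINVAL, "Invalid argument").
            name = decode_ntstatus(raw)["name"] if kind == "nt" else errno.errorcode.get(raw, "unknown")
            out["join_errors"].append((kind, raw, name))
        elif "Authentication using Kerberos is successful" in msg:
            out["kerberos_ok"] = True
        elif "no groups obtained" in msg:
            out["no_groups"] = True
        elif msg.startswith("Sign-in rejected. Reason:"):
            out["reject_reason"] = msg.split("Reason:", 1)[1].strip()
    return out
```

On the sample lines the summary shows Kerberos succeeding while the winbind domain join fails and no groups are returned, matching the NoRoles rejection in the trace.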