Pulse Secure formerly SSL VPN
Contributor
Posts: 33
Registered: ‎02-11-2011
0 Kudos

Nested AD groups - Cross domain

[ Edited ]

Hey Guys,

I work in an environment that has 3 AD domains. We have one AD in our extranet, and two in our LAN. I'm wanting to have all authentication from our IVEs hitting the extranet AD and have cross-domain nested groups to the other domains. At the moment I have server profiles for each of the 3 ADs - from a security/simplicity point of view I'd like to get rid of this and use just the one.

I have created an LDAP server profile for the extranet AD. I have created a group on that AD and it contains an external group on another domain. I have placed a user in the nested group, but authentication to that user isn't working.

Has anyone got this sorta setup (cross-domain nested groups) working? Any tips? When using standalone groups/users on the same auth server it works fine. It's just the nesting which doesn't seem to be working.

I have configured the 'Determining group membership' section and everything seems to be in order there.

Any help well appreciated!

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: Nested AD groups - Cross domain

I don't think this will work. If all the trusts are in place, it might work with the AD/NT server type or the LDAP server type when using the global catalog. The problem, though, is that the AD/NT server type doesn't do nested groups; and the LDAP server type, which supports nested groups, doesn't support cross domain as you have to list the base DN for searching.
Trusted Contributor
Posts: 446
Registered: ‎05-05-2008
0 Kudos

Re: Nested AD groups - Cross domain

I haven't done this in quite a while, but if I remember, you have to enable it at the auth server level (a check box), and then require DOMAIN\account on the login page.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Contributor
Posts: 33
Registered: ‎02-11-2011
0 Kudos

Re: Nested AD groups - Cross domain

[ Edited ]

Still not having any joy with this.

stine: How do you mean you need to enable it at the auth server level?

I have attached my setup. I have tried all sorts of combinations of Filters, Member Attributes, and Query Attributes. No luck.

I have blanked out the DC values (sensitive!) but the rest is 'as is'.

Within this AD I have a group 'AD1'. In that is group 'AD2' which exists on the second domain. I have created a user realm which looks for user 'X' in AD1. With the nesting I assume the AD1 will check its group for user 'X', see it has a nested group and look there elsewhere. I have used an AD tool which runs the query and confirms that the user exists within AD1 by virtue of being in nested group AD2.

The thing with the Base DN is that it's completely different on both the ADs. How do you write a base DN which will work for both AD1 and AD2?

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: Nested AD groups - Cross domain



This does not work with the LDAP server instance. As you pointed out you can't have a base DN that is different and search through both sides. Unfortunately, AD/NT doesn't do nested group lookups (as you found).

 

For this type of access, you need multiple realms: one for each domain you are searching.

Contributor
Posts: 33
Registered: ‎02-11-2011
0 Kudos

Re: Nested AD groups - Cross domain

[ Edited ]

It seems rather weird this doesn't work. Is this from "the horse's mouth" so to speak or is this just your experience? The thing is, the SA shouldn't need to search the other DNs as it's the AD which has this nested group/recursion/transient trust?

 

If the little tool I run is able to determine that I exist in a nested group, why can't the SA!?

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: Nested AD groups - Cross domain

This is from the horse's mouth, so to speak (I'm part of the JTAC team).

 

The IVE needs to search the other DNs in order to receive the groups from those locations and check the user membership on those groups. It is true that the AD server holds that information; but the IVE needs to access that information to verify user details. If it can't access it the verification will fail. Using LDP.exe, or another LDAP browser, are you able to pull the groups from both domains for a user?

 

In the AD/NT server type, nested group lookups are not supported; you have to specify each level of the group as a potential membership (which defeats the purpose of nesting).

 

In the LDAP server type, nested group lookups are supported; but you cannot cross the domain trust (as you noted previously there is no way to specify more than one DN to look).

 

One thing you can _try_ that may, or may not, work is to use the LDAP server type on the global catalog port (3268 or 3269 over SSL) and set the base DN as the top level. I have heard of some limitations being overcome using this traversal; but not consistently.

Contributor
Posts: 145
Registered: ‎05-04-2009
0 Kudos

Re: Nested AD groups - Cross domain

Universal groups in AD is a must.

Contributor
Posts: 33
Registered: ‎02-11-2011
0 Kudos

Re: Nested AD groups - Cross domain

[ Edited ]

Cheers guys. A few more questions!

 

zanyterp: In terms of having multiple realms for each of the AD's, am I correct in assuming the best way of presenting this would be either a single URL with multiple user-selectable realms, or multiple URLS with each one pointing to a realm?

 

RexPGP: Have you been able to get this working? I can get the AD guys to change a group to Universal if you think it will make a difference?

Contributor
Posts: 33
Registered: ‎02-11-2011
0 Kudos

Re: Nested AD groups - Cross domain

Just a thought, are there any other options by using some sort of intermediary device which is able to do the lookups across multiple domains, i.e. RADIUS?

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: Nested AD groups - Cross domain

Hi Stewart,

 

Yes, either of those options would work for giving the user the display of which domain/realm they will be logging in against. I have seen both used (together and separately); whichever you think would work best for your users.

Contributor
Posts: 50
Registered: ‎07-27-2010
0 Kudos

Re: Nested AD groups - Cross domain

Hello

Ok...this problem is marked as solved, but I had a similar problem with users in multiple domains, so maybe my solution can help you in any way.

Here we have a classic domain setup with a root domain and some sub-domains.

domain.com
aaa.domain.com
bbb.domain.com

..and so on.

The users of the SA can be from any of these domains, which means the LDAP lookup had to start at the root domain.

dc=domain,dc=com

Because of the size and number of the domains, the LDAP lookup took unacceptably long (40+ seconds).
An AD/NT lookup ran into a timeout after 2 minutes or so. So I had to search for another solution.

My idea then was to build some kind of dynamic BASE DN to let the LDAP lookup start directly within the user's domain.


To achieve this, I configured the Reply-message attribute on the Radius server (we use Radius for the first authentication) to reply with the (sub)domain name of the user who logs in.


JohnDoe Auth-Type := Local, Cleartext-Password := "password"
Reply-Message:="aaa"


In the LDAP Auth Server settings I then used the system variable "userAttr.<auth-attr>" to dynamically build the correct BASEDN for the lookup.

Looks like this

dc=<userAttr@Authservername.Reply-Message>,dc=domain,dc=com

When a user logs in, this resolves to:

dc=aaa,dc=domain,dc=com


With this Base DN, the LDAP server of the root domain directly replies with a redirect to the domain controller of the user's domain, which is then queried for the user attributes.


Maybe my solution can help in any way.


Marc

Trusted Contributor
Posts: 446
Registered: ‎05-05-2008
0 Kudos

Re: Nested AD groups - Cross domain

That is genius.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Contributor
Posts: 33
Registered: ‎02-11-2011
0 Kudos

Re: Nested AD groups - Cross domain

[ Edited ]

Agreed! Great information. We have a RADIUS server so hopefully we can achieve the same thing. Our domains do not share a common suffix or prefix, but I don't suppose that should matter too much. I guess I could just provide the whole base DN in the reply:

JohnDoe Auth-Type := Local,
Cleartext-Password := "password"
Reply-Message:="dc=aaa,dc=domain,dc=com"

Then use Base DN under auth server as "<userAttr@Authservername.Reply-Message>"

Hopefully this will work too.
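The two Base DN templates above (Marc's, where the RADIUS Reply-Message carries only the sub-domain label, and Stewart's, where it carries the whole DN) both splice a RADIUS attribute into the LDAP search base. This added example, not code from the thread or from Pulse Secure, shows how the `<userAttr@Authservername.Attribute>` substitution resolves and the checks a defender would want on it: a label value is RFC 4514-escaped so it can only ever be one RDN, and a whole-DN value is accepted only from an allowlist of known domain bases. The server name `RAD1`, the function names and the allowlist contents are assumptions.

```python
import re

# Token syntax as written in the thread: <userAttr@Authservername.Attribute>
TOKEN = re.compile(r"<userAttr@([^.>]+)\.([^>]+)>")

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot add RDNs to the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _norm(dn: str) -> str:
    """Lower-case and strip whitespace around commas for comparison."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def resolve_base_dn(template, attrs, server, allowed_base_dns):
    """Build the effective Base DN from the template and the RADIUS attributes.

    attrs maps attribute names (e.g. 'Reply-Message') to the value returned
    for this login.  Two shapes are handled:
      * template is only the token  -> the reply *is* the Base DN (Stewart's
        variant); accepted only if it is in allowed_base_dns verbatim.
      * token embedded in a DN      -> the reply is one RDN value (Marc's
        variant); it is escaped, then the result must end in an allowed DN.
    """
    def lookup(m):
        srv, attr = m.group(1), m.group(2)
        if srv != server:  # template points at a different auth server
            raise KeyError(f"template refers to auth server {srv!r}, not {server!r}")
        return attrs[attr]

    allowed = {_norm(a) for a in allowed_base_dns}
    whole = TOKEN.fullmatch(template.strip())
    if whole:
        dn = lookup(whole).strip()
        if _norm(dn) not in allowed:
            raise ValueError(f"RADIUS returned Base DN outside the allowlist: {dn!r}")
        return dn
    dn = TOKEN.sub(lambda m: escape_rdn_value(lookup(m)), template)
    if not any(_norm(dn) == a or _norm(dn).endswith("," + a) for a in allowed):
        raise ValueError(f"resolved Base DN {dn!r} is outside the allowed forest")
    return dn
```

A Reply-Message of `aaa,dc=evil` in Marc's variant therefore resolves to `dc=aaa\,dc\=evil,dc=domain,dc=com` (one unknown label, lookup fails safely) rather than moving the search base.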