Pulse Secure formerly SSL VPN
Showing results for 
Search instead for 
Do you mean 
Reply
ym
Contributor
Posts: 15
Registered: ‎04-02-2008
0 Kudos
Accepted Solution

SA700: Authenticate users by Active Directory, cannot join domain

Hi,

  I am trying to configure the SA700 to authenticate users by the AD in the domain.  I tried to add an authentication server by Authentication > Auth. Servers > Active Directory / Windows NT > New Server.

 

  I entered the details in the "New Active Directory/ Windows NT" page that follows, leaving the "Backup domain controller " field blank and "Allow trusted domains" unchecked. I selected "Use LDAP to get Kerboros realm name".

 

  When I hit the "Test configuration" button, there is a warning message "Either the server is not a domain controller of the domain or the Netbios name of the domain is different from the active directory (LDAP) name."  I am sure the server IP address I entered is the domain controller.  Not very sure what the second part of the error message means.

 

  There is also an error message:

  Error while joining domain [domain name]. Possible causes:

  - The specified administrator credentials do not properly authenticate  (I am sure this is not the case)

  - The specified domain or domain controller may not be valid (I am sure this is not the case, AD machine can ping SA700)

 

  So what else needs to be configured?? or did I not configured correctly??

 

Regards,

ym

Highlighted
Trusted Contributor
Posts: 61
Registered: ‎11-15-2007
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

Hi,

 

the problem could be that you have done this:

 

domain: "test.com"

 

but the domain needs to be "TEST"

 

Hope this helps you.

 

GreetZ,

Frac 

 

 

http://juniper-frac.blogspot.com
Contributor
Posts: 243
Registered: ‎11-26-2007
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

Hi YM,

i also had same problems with auth using AD before. but now i using LDAP auth to get users from my AD. and working fine.

u can using Softerra LDAP Browser software to get LDAP setting on your AD server.

hope can work fine.

 

rgds

=ND= 

Regards,

ND
ym
Contributor
Posts: 15
Registered: ‎04-02-2008
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

Hi Frac, 

  Thanks.  Your reply helped solve my problem.  The users can login now.

 

Hi NDCool,

  I tried the LDAP auth before, but always hit the error of "LDAP server not reachable for server [ip address] at port 389" when I tried to "Save Changes".  "Test Connection" is fine.  I will try to figure out how the Softerra LDAP Browser can help.

 

 

Another question:

I have some users in the AD that do not need to authenticate using a smartcard.  These users login ok when using "Active Directory / Windows NT" for authentication.

 

I have some users in the users that require a smartcard for login.  How should I set up the authentication policy for them then? Tried "Active Directory / Windows NT" but always login fails.

 

Thanks.

Contributor
Posts: 14
Registered: ‎11-14-2007
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

[ Edited ]

What smartcard product are you using? You will need to create a cert authentication server and add it to the authentication realm. In that way the users will need to select manually the login method they want to use, AD or cert.

 

Stijn

Message Edited by stijn on 04-24-2008 08:52 AM
ym
Contributor
Posts: 15
Registered: ‎04-02-2008
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

Hi,

  Actually the user will login into the PC/Laptop using a smartcard and password.  I am trying to configure the SA700 such that the user is able to SSO by clicking on the Network Connect and enter into the VPN without needing to enter password and username anymore. 

 

  Thanks.

Trusted Contributor
Posts: 61
Registered: ‎11-15-2007
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

 hi ym,

 

 No problem.

 

for your other question. just use the smartcard certificate (if it has one) to authenticate to the ssl appliance. (the only thing user will have to do (if you want some security user will need to type password to unlock that certificate)).

 

so just make a new authentication server and attach it to new realm. attach that realm to a new url (so it uses authentication server Certificate).

 

Only thing user need to do is to click on the NC icon to start it (be sure it points to correct URL) 

 

And then it should work.

 

GreetZ,

Frac 

http://juniper-frac.blogspot.com
ym
Contributor
Posts: 15
Registered: ‎04-02-2008
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

hi Frac,

  When I am at Authentication > Signing In > Sign-in Policies > User URLs, there is only 1 entry.  How can I add more entries to try your suggestion?  There is only "Enable", "Disable","Save Changes".  I am expecting a "Add URL" or something similar but there is none.

 

  The most I can do is change the sign-in URL, which is different from adding another sign-in URL.

 

  Do provide instructions to add sign-in URL if possible.  Thanks.

 

Contributor
Posts: 14
Registered: ‎11-14-2007
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

Adding custom URLs is only possible with the advanced license... But there is no advanced license available for the SA700 so you can only have 1 sign in URL
Contributor
Posts: 21
Registered: ‎02-16-2008
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

To join Domain successfully -

 

  • Use a Domainadministator Account or Useraccount with permission to create objects in Active Directory
  • give in the Admin Username without Prefix! (Use Administrator and NOT domain\administrator
  • For the computeraccount name use a name like ivenode1 and NOT a name like ive-node-1
  • When joined the domain, refresh your view of Active Directory (adminpack.msi) to see the computeraccount in Active Directory
  • Between IVE and DC Ports TCP139 and 445 must be reachable
  • The Warning "Either the LDAP Name of the Domaincontroller ...." is just a warning and not an error, so dont care about it
  • When you want to do rolemapping based on groupmembership active directory, use the SEARCH button in IVE Server Catalog to find the groups
  • DONT type in the name of the groups in the IVE Server Catalog, it will not work. When you search for the groups, it needs some minutes, so go and dring a coffee while you wait. Once the AD-Groups are added to the IVE Server Catalogue, the SID is cached (winbind) on IVE and the autorization process goes fast and stable

This Topic drove me insane in da brain, i hope these expiriences help a little bit to make your day.

 

ym
Contributor
Posts: 15
Registered: ‎04-02-2008
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

  I am now trying to use the Cert Server as the mode of authentication, so that the user is able to login to SSL VPN just by double-click the network connect icon.  Encountered the following messages in the user logs:

1) Login failed using auth server Cert server (Certificate Server). Reason: Failed 

2) Primary authentication failed for <user>/Cert server from <external IP address>

 

Some questions:

1) How can I know what is the "User Name Template" when configuring the cert Server? 

2) My LDAP authentication is not set up.  Can it cause the Cert server to have problems?

3) My Active Directory computer only has domain\administrator account (set up by others).  How can I add the SA700 to join the domain?

 

Many thanks.

 

Regards,

ym 

New User
Posts: 4
Registered: ‎04-29-2008
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

I am experiancing the same issue, as far as joining the domain.  When I run the Test Configiration I recieve no errors yet in Users and Computers I do not see the ive device nor can I add Domain Groups.
Contributor
Posts: 21
Registered: ‎02-16-2008
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

[ Edited ]

Well, Party-People,

 

some posts ago in this thread i told you exactly what to do to get the IVE as memberserver into your active directory.

So simply do it and everything should be right.

 

When u use domain\Administrator it wont work.

So ask the Active Directory - Stuff to create a Domainuser with permission to create objects in a special OU in Active Directory (lets call the OU "VPN Users"), and let them give you the credentials of this special useraccount so you can do your job..

 

When u get this running (according to my howto..) you wont need any LDAP. Winbind will do all the job of authenticating and autorizing users for you - also users from trusted domains, if needed.

 

Or watch this screenshot-howto, this works fine ...

http://www.juniperforum.com/index.php/topic,5170.0.html

Message Edited by dusannovakovic on 04-30-2008 10:10 AM
Contributor
Posts: 59
Registered: ‎11-05-2007
0 Kudos

Re: SA700: Authenticate users by Active Directory, cannot join domain

dusannovakovic, your link to to your graphic was great, we had been running fine for years and just swapped to mag2600's in a cluster, imported the config from our SA running the same code base and i recieved the errors specified in this thread, very odd since the setting work fine in our production unit.  Anyhow, went through and changed AD server names to just IP, removed the dashes from the computer names, and also left it with just kerberos and presto, everything worked.  Odd but oh well.  As for the yellow warning about server is either not a domain controller...... i still get that, but i hav been getting that since we started using the SSL way back from the 6.0 code base.... not sure why it pops up, chalk it up to something that development should either remove or clarify to whats causing the issue.

 

thanks!

Mike