12-08-2009 03:38 PM
I am able to see all the groups in the User Realm section of the SA2000. So I choose a group and assign a roll to that group. The problem is when a user tries to log into the SSL VPN web page they get denied access. The IVE log says that the user authenticated successfully but no role exists for this user. I clearly have this group assigned to a roll. If I define the user individually they are able to log in.
So something about this is not seeing the group. The user I'm testing has this group defined as it's primary group. I'm out of ideas and have verified everything I've found on the KB and this forum without any luck. All it says is "no role defined". Here is a paste of the log, with "x" replacing sensitive information. Again, I can choose this group in the Realms section of the IVE, so it's obviously seeing LDAP/AD correctly but it's not seeing the user is a part of that group.
nfo AUT23457 2009-12-07 15:09:01 - ive - [xx.231.143.130] Root::CORP.xxxx.COM\brian.xxx(Engineers) - Login failed. Reason: NoRoles Info AUT24326 2009-12-07 15:09:01 - ive - [xx.231.143.130] Root::CORP.THEPLATFORM.COM\brian.hanson(TP Engineers) - Primary authentication successful for CORP.xxx.COM\brian.xxx/xxxx Domain Controllers from xx.231.143.130
12-08-2009 06:30 PM
Is the active Directory Server defined as an LDAP instance on the SA? If yes then role mapping based on group lookup will fail for any Primary group checks (other group checks should work fine). This issue wil happen between any LDAP based device querying AD (not restricted to the SA). More info @ http://support.microsoft.com/kb/275523
Hope it helps!
12-09-2009 08:42 AM
The group was created specifically for use with the SA2000 deployment, so it is not the primary group for the users who are placed into it. We did try to make the group primary for my account (thinking Samba issues) but that did not work so it has been changed back. We are not running Server 2000, but server 2003, which the link provided says is resolved in the way 2003 does forrests.
Right now this box is a demo and, for some reason, there are issues giving me access to JTAC and much of the knowledge base (I keep getting access denied) and the SE assigned has been super busy so I'm kind of stuck....
12-09-2009 08:44 AM
Oh. Yes I have Kerberos, and both LDAP options checked under auth servers. If I remove the Kerberos option I can still authenticate but still it doesn't map me to the role defined. If I remove the ldap check boxes I am unable to authenticate at all. Setting this up with AD was a process in itself... the "test" button still gives errors. But I am authenticating if I specify an individual user, and it will role map that user. All that works fine. Just this group thing does not.
12-09-2009 09:06 AM - edited 12-09-2009 09:06 AM
we had a similar problem after taking the service account used to bind out of the domain admins group. Trouble was, it worked fine until we rebooted the server, so it was about a month after making the change that things broke. took us most of the afternoon to work that one out.
12-09-2009 10:51 AM
I have removed the user from domain users group and made the group used on the IVE the primary for my account (I'm the test case) as per the microsoft article linked and I still get this issue. Are there any debugging things I can do on the IVE to see where it fails??
12-09-2009 12:56 PM
I can't tell from the posts so far if you have turned on policy tracing. Under troubleshooting - enable it for the user / realm in question for pre-auth and auth. It may well shed some light on the problem.
12-09-2009 02:09 PM
try creating a new AD auth server and see if it works? also turning on the polciy trace for that user will also show you more details. I am having a similar issue where some users are not able to get mapped to some ad groups so juniper pulls the list from the ad but does not do a complete pull i am running 6.4r4
12-09-2009 02:20 PM
I went through this earlier this year..
Also make sure that if you delete/re-create your authentication server, that that you then re-import your grouplist and update the role mapping rules with the new groups. I found that when deleting / re-creating the AD/LDAP server, while everything looked correct, the groups used in the role mapping were not the same as the groups retrieved from the AD/LDAP server. what I mean is that if i import group TESTGROUP from my AD server, and use it in a role-mapping rule, and then i delete that AD server and re-create it, the TESTGROUP in the role mapping rule is no longer the same as the TESTGROUP on the AD server. If you look at the html source, you'll see that each role name is represented by a string like "1239386546.145724.0" which will be different if you re-create your AD and re-import the grouplist.
12-09-2009 03:30 PM
I just opened a JTAC case for what sounds like the same issue. JTAC suggested deleting the group from the group list and then searching and adding it back. Their suspicion was that the SID in AD didn't match the SID that the IVE had stored for the group. I'm not sure how that would've happened here, however after doing what they suggested the issue is resolved -- users are now successfully mapped to the role.