12-08-2009 03:38 PM
I am able to see all the groups in the User Realm section of the SA2000. So I choose a group and assign a role to that group. The problem is when a user tries to log into the SSL VPN web page they get denied access. The IVE log says that the user authenticated successfully but no role exists for this user. I clearly have this group assigned to a role. If I define the user individually they are able to log in.
So something about this is not seeing the group. The user I'm testing has this group defined as its primary group. I'm out of ideas and have verified everything I've found on the KB and this forum without any luck. All it says is "no role defined". Here is a paste of the log, with "x" replacing sensitive information. Again, I can choose this group in the Realms section of the IVE, so it's obviously seeing LDAP/AD correctly but it's not seeing that the user is a part of that group.
Info AUT23457 2009-12-07 15:09:01 - ive - [xx.231.143.130] Root::CORP.xxxx.COM\brian.xxx(Engineers) - Login failed. Reason: NoRoles
Info AUT24326 2009-12-07 15:09:01 - ive - [xx.231.143.130] Root::CORP.THEPLATFORM.COM\brian.hanson(TP Engineers) - Primary authentication successful for CORP.xxx.COM\brian.xxx/xxxx Domain Controllers from xx.231.143.130
12-08-2009 06:30 PM
Is the Active Directory server defined as an LDAP instance on the SA? If yes, then role mapping based on group lookup will fail for any primary group checks (other group checks should work fine). This issue will happen with any LDAP-based device querying AD (not restricted to the SA). More info @ http://support.microsoft.com/kb/275523
Hope it helps!
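As an added illustration of the primary-group behaviour the reply above refers to (this is example code written for this page, not code from the thread or from the SA/IVE product): in Active Directory a user's memberOf attribute lists every group except the primary one, which is stored only as a RID in primaryGroupID, so a memberOf-only lookup can never match a rule on the primary group. The domain SID, group names, user entry and the simplified rule evaluation below are all constructed sample data.

```python
# Added example (not from the thread): why a role-mapping rule that matches on
# group membership misses a user's primary AD group when the directory is
# queried over LDAP. AD lists every group except the primary one in memberOf;
# the primary group is recorded only as a RID in primaryGroupID, so a lookup
# must rebuild that group's SID from the domain SID and resolve it itself.
# All names, SIDs and entries below are constructed sample data.

def sid_from_rid(domain_sid, rid):
    """Build a full SID string from a domain SID and a relative ID (RID)."""
    return f"{domain_sid}-{rid}"

def effective_groups(user, groups_by_sid, domain_sid):
    """Return the DNs of all groups the user belongs to, primary group included."""
    groups = list(user.get("memberOf", []))
    primary_sid = sid_from_rid(domain_sid, user["primaryGroupID"])
    primary_dn = groups_by_sid.get(primary_sid)
    if primary_dn and primary_dn not in groups:
        groups.append(primary_dn)
    return groups

def role_for(user, rule_group_dn, groups_by_sid, domain_sid, memberof_only):
    """Mimic a role-mapping rule 'groups = <group>'; memberof_only=True
    reproduces the memberOf-only lookup that never sees a primary group."""
    if memberof_only:
        matched = rule_group_dn in user.get("memberOf", [])
    else:
        matched = rule_group_dn in effective_groups(user, groups_by_sid, domain_sid)
    return "Engineers" if matched else None

# Constructed sample directory data
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPS_BY_SID = {
    sid_from_rid(DOMAIN_SID, 513): "CN=Domain Users,CN=Users,DC=example,DC=com",
    sid_from_rid(DOMAIN_SID, 1105): "CN=SG_Engineers,OU=Groups,DC=example,DC=com",
}
RULE_GROUP = GROUPS_BY_SID[sid_from_rid(DOMAIN_SID, 1105)]
USER = {
    "dn": "CN=brian,CN=Users,DC=example,DC=com",
    "primaryGroupID": 1105,  # SG_Engineers is this user's primary group ...
    "memberOf": [GROUPS_BY_SID[sid_from_rid(DOMAIN_SID, 513)]],  # ... so AD leaves it out of memberOf
}

if __name__ == "__main__":
    print("memberOf-only lookup:", role_for(USER, RULE_GROUP, GROUPS_BY_SID, DOMAIN_SID, True))
    print("with primary group: ", role_for(USER, RULE_GROUP, GROUPS_BY_SID, DOMAIN_SID, False))
```

The first call returns None (the "no role" outcome), the second returns the role only because the primary group SID was reconstructed and resolved explicitly.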
12-09-2009 08:42 AM
The group was created specifically for use with the SA2000 deployment, so it is not the primary group for the users who are placed into it. We did try to make the group primary for my account (thinking Samba issues) but that did not work so it has been changed back. We are not running Server 2000, but Server 2003, which the link provided says is resolved in the way 2003 does forests.
Right now this box is a demo and, for some reason, there are issues giving me access to JTAC and much of the knowledge base (I keep getting access denied) and the SE assigned has been super busy so I'm kind of stuck....
12-09-2009 08:44 AM
Oh. Yes I have Kerberos, and both LDAP options checked under auth servers. If I remove the Kerberos option I can still authenticate but still it doesn't map me to the role defined. If I remove the ldap check boxes I am unable to authenticate at all. Setting this up with AD was a process in itself... the "test" button still gives errors. But I am authenticating if I specify an individual user, and it will role map that user. All that works fine. Just this group thing does not.
12-09-2009 09:06 AM - edited 12-09-2009 09:06 AM
We had a similar problem after taking the service account used to bind out of the Domain Admins group. Trouble was, it worked fine until we rebooted the server, so it was about a month after making the change that things broke. Took us most of the afternoon to work that one out.
12-09-2009 10:51 AM
I have removed the user from the Domain Users group and made the group used on the IVE the primary for my account (I'm the test case) as per the Microsoft article linked and I still get this issue. Are there any debugging things I can do on the IVE to see where it fails?
12-09-2009 12:56 PM
I can't tell from the posts so far if you have turned on policy tracing. Under troubleshooting - enable it for the user / realm in question for pre-auth and auth. It may well shed some light on the problem.
12-09-2009 02:09 PM
Try creating a new AD auth server and see if it works? Also, turning on the policy trace for that user will show you more details. I am having a similar issue where some users are not able to get mapped to some AD groups, so Juniper pulls the list from the AD but does not do a complete pull. I am running 6.4r4.
12-09-2009 02:20 PM
I went through this earlier this year..
Also make sure that if you delete/re-create your authentication server, you then re-import your group list and update the role mapping rules with the new groups. I found that when deleting / re-creating the AD/LDAP server, while everything looked correct, the groups used in the role mapping were not the same as the groups retrieved from the AD/LDAP server. What I mean is that if I import group TESTGROUP from my AD server, and use it in a role-mapping rule, and then I delete that AD server and re-create it, the TESTGROUP in the role mapping rule is no longer the same as the TESTGROUP on the AD server. If you look at the HTML source, you'll see that each role name is represented by a string like "1239386546.145724.0" which will be different if you re-create your AD and re-import the group list.
12-09-2009 03:30 PM
I just opened a JTAC case for what sounds like the same issue. JTAC suggested deleting the group from the group list and then searching and adding it back. Their suspicion was that the SID in AD didn't match the SID that the IVE had stored for the group. I'm not sure how that would've happened here, however after doing what they suggested the issue is resolved -- users are now successfully mapped to the role.
12-09-2009 04:59 PM
That is the same troubleshooting step they gave me. As well as to create a test user, place them in the group and then add the group back into the role mapping part. I get the same thing.
I enabled policy tracing under troubleshooting. The IVE fails Kerberos authentication but passes LDAP authentication. Default domains are correct. But here's where the real issue is:
"no match on rule 'groups = 'MYDOMAIN/SG_Datacenter ops"
It simply is not seeing ANY user in that group, even though the group was listed, and chosen, by the list provided when you click "search" in the groups portion of Realm setup.
It's clear the IVE is not playing well with LDAP, the only thing that would cause this is it not seeing the LDAP group attribute.
I do have a JTAC case now from the SE who's supporting this demo. So we'll see.
12-09-2009 05:04 PM
I don't understand this. If there was a problem with LDAP authentication of the IVE to AD/DC itself, then the user would fail authentication before role mapping. Every time it's tried my user passes AD authentication and fails a login due to "no role".
I will try removing all AD configurations on the IVE, removing the account in AD and then adding the IVE back in. I am not using an administrator account for IVE authentication to the AD domain, but the same account used to join non-PDCs to the domain. Which works fine (I used that same acct to add my Linux box to the domain with Samba so I know it works for browsing AD objects).
12-10-2009 04:56 AM
That sounds so much better than the way I had described it.
One other thing: if you first configured your domain controller as an LDAP authentication server, and tested it, and then deleted the LDAP auth server, and then added it as an AD authentication server, you have to open the advanced settings at the bottom of the screen and change the hostname that the SSLVPN uses to join the domain, or you have to completely delete the SSLVPN from the domain before adding it back as type AD. (Personally, I never had any luck deleting it from the domain, so I kept having to change the computer name in the auth server settings on the SSLVPN.)
12-10-2009 04:58 AM
One other note is that the IVE doesn't pull a list of groups; you have to do that manually prior to first use.