06-22-2009 01:55 AM
Hello,
We have set up IVE 6.4 to authenticate users from AD (Windows 2008; AD functional level 2003) to allow them access to a terminal server.
We have noticed on the domain controller one error group every day of event ID 5722 and 5805:
Log Name: System
Source: NETLOGON
Date: 6/21/2009 10:59:28 PM
Event ID: 5722
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: pdc.domain_name.org
Description:
The session setup from the computer SA6500 failed to authenticate. The name(s) of the account(s) referenced in the security database is SA6500$. The following error occurred:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/ev
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">5722</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-06-21T19:59:28.000Z" />
<EventRecordID>15783</EventRecordID>
<Channel>System</Channel>
<Computer>pdc.domain_name.org</Computer>
<Security />
</System>
<EventData>
<Data>SA6500</Data>
<Data>SA6500$</Data>
<Data>%%1265</Data>
<Binary>880300C0</Binary>
</EventData>
</Event>
Log Name: System
Source: NETLOGON
Date: 6/21/2009 11:15:00 PM
Event ID: 5805
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: pdc.domain_name.org
Description:
The session setup from the computer SA6500 failed to authenticate. The following error occurred:
Access is denied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/ev
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">5805</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-06-21T20:15:00.000Z" />
<EventRecordID>15784</EventRecordID>
<Channel>System</Channel>
<Computer>pdc.domain_name.org</Computer>
<Security />
</System>
<EventData>
<Data>SA6500-1</Data>
<Data>%%5</Data>
<Binary>220000C0</Binary>
</EventData>
</Event>
And another suspicious error on the domain controller is:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/22/2009 10:17:47 AM
Event ID: 4724
Task Category: User Account Management
Level: Information
Keywords: Audit Failure
User: N/A
Computer: pdc.domain_name.org
Description:
An attempt was made to reset an account's password.
Subject:
Security ID: FRANCIZE\Administrator
Account Name: Administrator
Account Domain: FRANCIZE
Logon ID: 0x87685d2
Target Account:
Security ID: FRANCIZE\SA6500$
Account Name:
Account Domain: FRANCIZE
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/ev
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4724</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2009-06-22T07:17:47.343Z" />
<EventRecordID>970762</EventRecordID>
<Correlation />
<Execution ProcessID="572" ThreadID="3624" />
<Channel>Security</Channel>
<Computer>pdc.domain_name.org</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">
</Data>
<Data Name="TargetDomainName">FRANCIZE</Data>
<Data Name="TargetSid">S-1-5-21-1446972541-2540134376-27
<Data Name="SubjectUserSid">S-1-5-21-1446972541-25401343
<Data Name="SubjectUserName">Administrator</Data>
<Data Name="SubjectDomainName">FRANCIZE</Data>
<Data Name="SubjectLogonId">0x87685d2</Data>
</EventData>
</Event>
Does anyone have any idea why this may appear?
Thanks.
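An added example, not part of the original post: a short triage script that picks the NETLOGON 5722/5805 failures out of exported event XML and decodes the `<Binary>` field, which carries the NTSTATUS code in little-endian byte order. The `<Events>` wrapper, the function names and the sample are assumptions made for illustration; the field values in the sample are copied from the events quoted above, and the status names are those in Microsoft's ntstatus.h.

```python
import xml.etree.ElementTree as ET

# NTSTATUS names as published in Microsoft's ntstatus.h.
NTSTATUS_NAMES = {0xC0000388: "STATUS_DOWNGRADE_DETECTED",
                  0xC0000022: "STATUS_ACCESS_DENIED"}
NETLOGON_AUTH_FAILURES = {5722, 5805}
NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample: field values copied from the events in the post,
# wrapped in a hypothetical <Events> root so it parses as one document.
SAMPLE = f"""<Events>
<Event xmlns="{NS}"><System><Provider Name="NETLOGON" />
<EventID Qualifiers="0">5722</EventID>
<TimeCreated SystemTime="2009-06-21T19:59:28.000Z" /></System>
<EventData><Data>SA6500</Data><Data>SA6500$</Data><Data>%%1265</Data>
<Binary>880300C0</Binary></EventData></Event>
<Event xmlns="{NS}"><System><Provider Name="NETLOGON" />
<EventID Qualifiers="0">5805</EventID>
<TimeCreated SystemTime="2009-06-21T20:15:00.000Z" /></System>
<EventData><Data>SA6500-1</Data><Data>%%5</Data>
<Binary>220000C0</Binary></EventData></Event>
<Event xmlns="{NS}"><System>
<Provider Name="Microsoft-Windows-Security-Auditing" />
<EventID>4724</EventID></System><EventData /></Event>
</Events>"""

def decode_status(binary_hex):
    """<Binary> holds the 32-bit NTSTATUS in little-endian byte order."""
    code = int.from_bytes(bytes.fromhex(binary_hex.strip())[:4], "little")
    return code, NTSTATUS_NAMES.get(code, "unknown")

def find_all(elem, name):
    """Match on local tag name so any (or no) XML namespace works."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def triage(xml_text):
    """Return one record per NETLOGON session-setup failure."""
    findings = []
    for event in find_all(ET.fromstring(xml_text), "Event"):
        provider = find_all(event, "Provider")[0].get("Name")
        event_id = int(find_all(event, "EventID")[0].text)
        if provider != "NETLOGON" or event_id not in NETLOGON_AUTH_FAILURES:
            continue  # e.g. the 4724 audit event is skipped here
        data = [d.text for d in find_all(event, "Data")]
        binary = find_all(event, "Binary")
        code, name = decode_status(binary[0].text) if binary else (None, "missing")
        findings.append({"time": find_all(event, "TimeCreated")[0].get("SystemTime"),
                         "event_id": event_id, "computer": data[0] if data else None,
                         "code": code, "status": name})
    return findings
```

The decoded names line up with the `%%1265` and `%%5` message references in the two events: a downgrade-detected failure for SA6500 and an access-denied failure for SA6500-1.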
09-28-2009 01:28 AM
Hi,
I've got the same issue here... Is your issue solved now? I'm using 2003 mode with version 6.4.
Thx,
FastEddie
09-30-2009 02:52 AM - edited 09-30-2009 02:52 AM
We too are experiencing the same error messages when trying to join a 2500 (running 6.5R1) to our Windows 2008 domain.
I've gone through every KB article I've found along with all the forum posts about this and still I can't get this to work. Yet if I specify our last 2003 DC and test the configuration it works quite happily until a user tries to sign in and then we have a "No Roles" error message.
Has anyone managed to solve this problem or find a workaround?
Jeff
09-30-2009 10:24 AM
Hey Jeff - I have a Windows 2008 server that I use for authentication and for authorization. When you see the "No Roles" error message in the SA log are you seeing it occur after seeing a message in regards to Primary Authentication? If so is the authentication successful or not?
09-30-2009 12:53 PM
Managed to sort the problem of adding a Windows 2008 DC as an Authentication Server on the IVE.
After trying many different things I noticed, from the Windows errors (5722 etc.) along with the KDC/Kerberos errors, that I had stated the Admin user name I was using as DOMAINusername instead of DOMAIN\username - no slash in between the domain name and username.
Changed this to username@domain.com and all worked perfectly!
Now just to configure the box up and deploy it out to users....
10-06-2009 02:06 AM
One workaround with Microsoft Active Directory is to use LDAP instead of the Windows mode Auth in the IVE/IC.
10-15-2009 03:09 AM
05-27-2010 09:50 AM
We run two businesses: one on the sa2500 v6.5r4 and the other is SA4000. I'm not receiving any of the errors you have noted on this site. Moreover, I have never seen these errors on my devices.
I run exclusively Windows 2008R2 64-bit and Exchange 2010. I use the Active Directory server type, but when I upgraded to Windows 2008, I had to reinitialize (for lack of a better word) the auth server for my corporate domains. Both times, I had to blow away the auth server for AD completely and re-add it after the 2008 DC was installed.
One other thing to note is the capability to specify that the auth server is a 2008 server. Then I used Kerberos and not LDAP, secured, and off to the races, no worries. I don't know the root cause, but causing the SA box to forget the old 2003 environment worked just fine. I even have OWA running through the SA box for 2010 and it's great. Just remember for 2003 clients running on Exchange 2010, you have to enable encryption on the client profile in the advanced tab to make it all work. Now we are OWA, Net Connect, Exchange, and RDP capable on the 2500... Below is my operating system.
| Current version: | 6.5R4 (build 15551) |
I hope this helps at least one of you.