SSL VPN
Contributor
bcampbell3
Posts: 23
Registered: 07-17-2008

Network Connect Auth/NTLM Issue

I've been developing more features of our Juniper appliances the past few days.  We have not been using Network Connect at all.  Yesterday, I set up NC and have it working.  Today, I discovered a problem and was hoping someone could help.

First... our config:
1x SA 2000 (this is the test device I'm currently using.)
2x SA 6000 in active/passive (where the finalized config will end up.)
auth - Active Directory Win Server 2008 (running in 2008 native mode.)
code - 6.4R2

I have made some blanket allows to open our network when connecting through Network Connect.  It is restricted to just several admins by username.

What is going on...

User logs into IVE (or launches network connect client) and gets assigned an IP address from the specified pool.  That works fine.  Our internal websites work, fileshares work, applications requiring authentication and internal server access work.  What doesn't work are things like SharePoint and Citrix that, I assume, are using NTLM for auth.  Since the test devices are non-domain devices, the local accounts do not match domain credentials like they would inside the network.

What I have done is attempted to set up NTLM SSO Settings.  I created a new Label and assigned our domain name, with Variable set for Credential Type.  I set the Username to <USER> and Variable Password to <PASSWORD>.  The idea is that since our users will need domain credentials to gain access through Network Connect, we will pass that along in the form of NTLM in place of the credentials on the machine.  This does not seem to be working.

Under Kerberos/NTLM/BasicAuth I set the Action to NTLMSSO and applied it to all internal resources.  I've also tried using the "Fallback" to NTLM V1.

Anyone have any suggestions?  I can provide clarification if needed.
Thanks!


Ben Campbell
Production: Clustered A/P SA 6000 - 6.5R2
Development: SA 2000 - 6.5R2
Trusted Contributor
Mrkool
Posts: 252
Registered: 02-28-2008

Re: Network Connect Auth/NTLM Issue

I may be completely off here, but I think what you are trying to do is not going to work. The NTLM login in the auth server is only for resources that are defined in and are accessed via the Juniper login / bookmark page. You are doing a full tunnel and then opening a new browser and trying to access your SharePoint server, but at that point your SharePoint server is not going to ask Juniper for credentials; it will use what the local machine has and will pass those along.
SA-6500 (7.3R3) Production
MAG 4610 (7.4) Lab
Contributor
bcampbell3
Posts: 23
Registered: 07-17-2008

Re: Network Connect Auth/NTLM Issue

I was worried that this might be the case.  I guess I just didn't know for certain.  Just for the heck of it... assume Network Connect is connected on a non-domain machine.  I suppose I could still open sites from links in the IVE bookmark page... Citrix NFuse, SharePoint link.  I think I could make it work for just those things that require NTLM.  For the rest, all I really want is the split tunnel (which is working) and the DNS client then server.  It works well and I think it will be popular among the user community.


I was incorrect in my post with the fileshares though.  Those aren't working as normal.  Any idea how I can make those work?  I was thinking of a logon script to do some mapping.  I'm just not sure how far I can take the scripts.  I'm most concerned with what we call M drive mapping (staff shares.)


I'm basically trying to idiot proof this thing.  It's not easy!  I was hoping for a bit more out of Network Connect, really.  Thanks for the reply.


Ben Campbell
Production: Clustered A/P SA 6000 - 6.5R2
Development: SA 2000 - 6.5R2
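The logon-script idea raised in the post above, written out as an added example; this is not code from the thread, from Juniper or from any of the posters. It maps the staff "M:" share from a non-domain Windows machine over an already established Network Connect tunnel, supplying explicit domain credentials instead of letting Windows try the local account. The domain name, share path, drive letter and address-pool prefix are assumptions to be replaced with your own values, and the script assumes PowerShell 3.0 or later for Get-Credential -UserName and New-PSDrive -Persist.

```powershell
# Added example (not from the thread or from Juniper): map the staff share
# over a Network Connect tunnel with explicit domain credentials.
# All names and addresses below are assumptions for illustration.

param(
    [string]$Domain      = 'CORP',                            # AD domain the IVE authenticates against (assumed)
    [string]$SharePath   = '\\fileserver.corp.example\staff',  # UNC path of the staff share (assumed)
    [string]$DriveLetter = 'M',                                # drive letter to map (assumed)
    [string]$PoolPrefix  = '10.200.'                           # leading octets of the NC IP pool (assumed)
)

# The tunnel is up when an enabled adapter holds an address from the NC pool.
function Test-NcTunnel {
    param([string]$Prefix)
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    foreach ($cfg in $configs) {
        foreach ($ip in $cfg.IPAddress) {
            if ($ip -like "$Prefix*") { return $true }
        }
    }
    return $false
}

if (-not (Test-NcTunnel -Prefix $PoolPrefix)) {
    Write-Error "No Network Connect address from pool $PoolPrefix found; connect the client first."
    exit 1
}

# Confirm the file server resolves through the DNS settings the tunnel pushed
# before attempting SMB; a name that only resolves internally fails here first.
$server = ($SharePath -split '\\')[2]
try {
    [void][System.Net.Dns]::GetHostAddresses($server)
} catch {
    Write-Error "Cannot resolve $server; check the DNS servers assigned by Network Connect."
    exit 1
}

# Prompt for domain credentials rather than hard-coding them or relying on the
# local account: on a non-domain machine the local account does not match the
# AD account, so an implicit NTLM attempt from the local logon is rejected.
$cred = Get-Credential -UserName "$Domain\" -Message "Domain credentials for $SharePath"

# Drop any stale mapping under the same letter, then map with explicit credentials.
# -Persist makes the mapping visible in Explorer; -Scope Global keeps it after the script ends.
& net use "${DriveLetter}:" /delete /y 2>$null | Out-Null
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $SharePath `
            -Credential $cred -Persist -Scope Global | Out-Null

Write-Host "${DriveLetter}: mapped to $SharePath as $($cred.UserName)"
```

The credential is passed as a PSCredential object rather than on a `net use` command line, so the password does not appear in the process list. Run the script after the Network Connect client reports it is connected; it refuses to map anything while no pool address is present, which avoids a confusing SMB error when the tunnel has dropped.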
Trusted Contributor
SonicBoom
Posts: 195
Registered: 07-06-2009

Re: Network Connect Auth/NTLM Issue

Make sure you build your resource profile as Microsoft SharePoint, with a base URL that might be something like http://portal, and NTLM authentication. Then go to Resource Policies, Web, General and set your Domain, <username> and <password> options, and make sure that one is selected in the policy. This is how I have mine set and it works fine with SharePoint.
Power On
http://vology.com
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.