Guilhem

SA2500 with AD : Error Update Users
Hello,

I have an SA2500 and an Active Directory server 2003. I get an error when the SA2500 downloads the user count. My AD is fine because my firewall can connect to it. Users are downloading...

To configure the SA2500 I used this page: http://www.juniperforum.com/index.php/topic,5170.0.html

Only the part "1. Here the configuration of Active Directory Authentication Server on IVE."

Test configuration says: "Configuration successful. No errors detected."

If Kerberos is used alone, I get an error:

Error while joining domain XXXXXX. Possible causes:
- The specified administrator credentials do not properly authenticate.
- The specified domain or domain controller may not be valid.

If NTLM v2 is used alone => it's OK.

But I get an error when I want to download the user count.

I want to use Kerberos, and when I do "test configuration" my SA2500 sends a packet to my AD for authentication:

SA2500 to AD - KRB5 : AS - REQ
AD to SA2500 - KRB5 : AS - REP
SA2500 to AD - KRB5 : TGS - REQ
AD to SA2500 - KRB5 : TGS - REP

That's OK... after that:

SA2500 to AD - KRB5 : AS - REQ
AD to SA2500 - KRB5 : KRB Error : KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

The IVE is registered in AD:

Mydomain\Computers\IVEname

And I approved "computers IVE" for delegation.

Thanks for your help.

Guilhem

P.S.: I have read RFC 4120 & 6.2-IVEAdminGuide.pdf
Message Edited by Guilhem on 09-24-2008 05:15 AM
Message Edited by Guilhem on 09-24-2008 05:18 AM
Guilhem

Re: SA2500 with AD : Error Update Users

Nobody?
sandeeplad

Re: SA2500 with AD : Error Update Users

I am not sure your AD and SSL box are taking the same time from your NTP management.

Check your NTP settings on the SSL box.

Regards,

Sandeep Lad

PVP (Juniper Employee)

Re: SA2500 with AD : Error Update Users

Take a tcpdump on the SA internal port while doing a test configuration using only Kerberos. If you see errors related to clock skew in the Kerberos packets (UDP 88), there is a time sync issue between the SA and the AD server.

They have to be within 300 seconds; hopefully you can get them as close to each other as possible, ideally using NTP.

Thanks.
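The triage step the last two replies describe, as an added example (not code from the thread or from Juniper): it classifies the KRB-ERROR codes seen in a UDP 88 exchange and checks the 300-second tolerance. The trace is constructed to mirror Guilhem's capture; the numeric error codes (6 = C_PRINCIPAL_UNKNOWN, 37 = AP_ERR_SKEW, and so on) are taken from RFC 4120 section 7.5.9, not from the thread.

```python
# Triage of a Kerberos exchange captured on UDP 88, as the last reply suggests doing.
# Added example, not code from the forum post or from Juniper. The trace below is
# constructed to mirror Guilhem's capture; error codes follow RFC 4120 section 7.5.9.
from datetime import datetime

MAX_SKEW_SECONDS = 300  # Kerberos clock-skew tolerance (AD default is 5 minutes)

# RFC 4120 KRB-ERROR codes that commonly appear when an appliance joins or queries AD.
KRB_ERRORS = {
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
        "client principal not in the KDC database: check the account name the appliance sends"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "service principal not found: check the target SPN"),
    14: ("KRB5KDC_ERR_ETYPE_NOSUPP", "no encryption type in common with the KDC"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "pre-authentication failed: wrong password or key"),
    25: ("KRB5KDC_ERR_PREAUTH_REQUIRED", "informational: the client must retry with pre-authentication"),
    37: ("KRB5KRB_AP_ERR_SKEW", "clock skew beyond the KDC tolerance: fix NTP on both sides"),
}

# Constructed trace in the order the thread shows it: (direction, message, error code or None)
TRACE = [
    ("SA2500->AD", "AS-REQ", None), ("AD->SA2500", "AS-REP", None),
    ("SA2500->AD", "TGS-REQ", None), ("AD->SA2500", "TGS-REP", None),
    ("SA2500->AD", "AS-REQ", None), ("AD->SA2500", "KRB-ERROR", 6),
]

def triage(trace):
    """Return (error name, likely cause) for every KRB-ERROR in the trace."""
    findings, got_as_rep = [], False
    for _direction, msg, code in trace:
        if msg == "AS-REP":
            got_as_rep = True
        elif msg == "KRB-ERROR":
            name, cause = KRB_ERRORS.get(code, (f"UNKNOWN({code})", "see RFC 4120 section 7.5.9"))
            if code == 6 and got_as_rep:
                # A successful AS exchange preceded this failure, so the KDC does know the
                # first principal; the failing AS-REQ most likely names a different one.
                cause += "; an earlier AS-REP succeeded, so the failing AS-REQ likely uses a different principal"
            findings.append((name, cause))
    return findings

def clock_skew_ok(client_iso, kdc_iso, tolerance=MAX_SKEW_SECONDS):
    """True when the two ISO-8601 timestamps differ by no more than the tolerance."""
    delta = datetime.fromisoformat(client_iso) - datetime.fromisoformat(kdc_iso)
    return abs(delta.total_seconds()) <= tolerance

if __name__ == "__main__":
    for name, cause in triage(TRACE):
        print(f"{name}: {cause}")
```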

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.