SSL VPN
Visitor | Posts: 2 | Registered: 09-24-2008

SA2500 with AD : Error Update Users


Hello,

I have an SA2500 and an Active Directory server (Windows Server 2003). I get an error when the SA2500 downloads the user count. My AD is fine because my firewall can connect to it. Users are being downloaded...

 

To configure the SA2500 I used this page: http://www.juniperforum.com/index.php/topic,5170.0.html

Only part 1: "Here the configuration of Active Directory Authentication Server on IVE."

 

Test configuration says: "Configuration successful. No errors detected."

If Kerberos is selected alone, I get an error:

 

Error while joining domain XXXXXX. Possible causes:
- The specified administrator credentials do not properly authenticate.
- The specified domain or domain controller may not be valid.

 

If NTLM v2 is selected alone => it's OK.

But I get an error when I want to download the user count.

I want to use Kerberos, and when I do "test configuration" my SA2500 sends packets to my AD for authentication:

SA2500 to AD - KRB5: AS-REQ
AD to SA2500 - KRB5: AS-REP
SA2500 to AD - KRB5: TGS-REQ
AD to SA2500 - KRB5: TGS-REP

That is OK... then afterwards:

SA2500 to AD - KRB5: AS-REQ
AD to SA2500 - KRB5: KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

The IVE is registered in AD:

Mydomain\Computers\IVEname

 

And I approved the "IVE" computer account for delegation.

Thanks for your help.

Guilhem 

 

 

P.S.: I have read RFC 4120 & 6.2-IVEAdminGuide.pdf
Message Edited by Guilhem on 09-24-2008 05:15 AM
Message Edited by Guilhem on 09-24-2008 05:18 AM
Visitor | Posts: 2 | Registered: 09-24-2008

Re: SA2500 with AD : Error Update Users

Nobody?
New User | Posts: 1 | Registered: 12-17-2009

Re: SA2500 with AD : Error Update Users

I am not sure your AD and SSL box are taking the same time from your NTP management.

 

Check your NTP setting on SSL box.

Regards,

Sandeep Lad

Juniper Employee | Posts: 17 | Registered: 02-19-2009

Re: SA2500 with AD : Error Update Users

Take a tcpdump on the SA internal port while doing a test configuration using only Kerberos. If you see errors related to clock skew in the Kerberos packets (UDP 88), there is a time sync issue between the SA and the AD server.

 

They have to be within 300 seconds; hopefully you can get them as close to each other as possible, ideally using NTP.

 

Thanks.
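As an added example (not part of this thread and not Juniper IVE code): the two replies above say to read the Kerberos error codes off the wire, so the block below decodes a KRB-ERROR message (RFC 4120 section 5.9.1) from the UDP/88 payload of a captured packet, using its own minimal DER parser, and classifies it the way the thread does: the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (error-code 6) the original post saw after its second AS-REQ, and KRB_AP_ERR_SKEW (error-code 37) or any stime more than 300 seconds from the SA's own clock, which is the time-sync case this reply describes. The realm MYDOMAIN.LOCAL, the client principal ivename$ and the sample messages are hypothetical and are built by the block's own encoder, not captured from a real SA2500 or domain controller.

```python
"""Decode a Kerberos KRB-ERROR (RFC 4120 section 5.9.1) from a UDP/88 payload and
classify it the way the thread does: clock skew beyond the KDC's 300 s window, or
a client principal the KDC does not know.  Added example, not Juniper/IVE code; the
sample messages in run_samples() are constructed with the encoder here, not captured."""
from datetime import datetime, timedelta, timezone

ERROR_CODES = {                        # RFC 4120 section 7.5.9
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client principal not in the KDC database
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",  # service principal not in the KDC database
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",    # normal first reply from an AD KDC
    37: "KRB_AP_ERR_SKEW",             # clock skew too great
}
MAX_SKEW = 300                         # seconds; the KDC default the reply above cites
KRB_TIME = "%Y%m%d%H%M%SZ"             # KerberosTime = GeneralizedTime, UTC
FIELDS = {0: "pvno", 1: "msg-type", 2: "ctime", 3: "cusec", 4: "stime", 5: "susec",
          6: "error-code", 7: "crealm", 8: "cname", 9: "realm", 10: "sname", 11: "e-text"}

def _tlv(buf, off=0):                  # parse one DER TLV; return (tag, value, next offset)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _children(buf):                    # yield (tag, value) for each TLV in a constructed value
    off = 0
    while off < len(buf):
        tag, val, off = _tlv(buf, off)
        yield tag, val

def _enc(tag, body):                   # encode one TLV with short- or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(i):
    return _enc(0x02, i.to_bytes(max(1, (i.bit_length() + 8) // 8), "big", signed=True))

def _principal(name_type, names):      # PrincipalName ::= SEQUENCE { [0] Int32, [1] SEQUENCE OF GeneralString }
    strings = b"".join(_enc(0x1B, s.encode("ascii")) for s in names)
    return _enc(0x30, _enc(0xA0, _int(name_type)) + _enc(0xA1, _enc(0x30, strings)))

def _dec_principal(seq):
    out = {"name-type": None, "name-string": []}
    for ctx, inner in _children(seq):
        _, v, _ = _tlv(inner)
        if ctx == 0xA0:
            out["name-type"] = int.from_bytes(v, "big", signed=True)
        else:
            out["name-string"] = [s.decode("ascii") for _, s in _children(v)]
    return out

def build_krb_error(code, stime, realm, cname, sname):
    """Encode a KRB-ERROR with the fields a KDC normally fills (explicit [n] tags are 0xA0|n)."""
    body = (_enc(0xA0, _int(5)) + _enc(0xA1, _int(30))                  # pvno, msg-type
            + _enc(0xA4, _enc(0x18, stime.strftime(KRB_TIME).encode()))  # stime
            + _enc(0xA5, _int(0)) + _enc(0xA6, _int(code))               # susec, error-code
            + _enc(0xA8, _principal(1, cname))                           # cname, NT-PRINCIPAL
            + _enc(0xA9, _enc(0x1B, realm.encode("ascii")))              # realm
            + _enc(0xAA, _principal(2, sname)))                          # sname, NT-SRV-INST
    return _enc(0x7E, _enc(0x30, body))                                  # [APPLICATION 30] SEQUENCE

def decode_krb_error(packet):
    """Return the KRB-ERROR fields as a dict; raise if the bytes are some other message."""
    tag, body, _ = _tlv(packet)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR: tag 0x%02x" % tag)
    _, seq, _ = _tlv(body)
    err = {}
    for ctx, inner in _children(seq):
        field, (_, v, _) = ctx & 0x1F, _tlv(inner)
        if field in (0, 1, 3, 5, 6):
            err[FIELDS[field]] = int.from_bytes(v, "big", signed=True)
        elif field in (2, 4):
            err[FIELDS[field]] = datetime.strptime(v.decode("ascii"), KRB_TIME).replace(tzinfo=timezone.utc)
        elif field in (7, 9, 11):
            err[FIELDS[field]] = v.decode("ascii")
        elif field in (8, 10):
            err[FIELDS[field]] = _dec_principal(v)
    if err.get("msg-type") != 30:
        raise ValueError("msg-type %r is not KRB-ERROR (30)" % err.get("msg-type"))
    return err

def diagnose(err, client_now):
    """Classify a decoded KRB-ERROR; client_now is the SA's own UTC clock at receipt."""
    code = err["error-code"]
    name = ERROR_CODES.get(code, "error-code %d" % code)
    skew = int(abs(err["stime"] - client_now).total_seconds())
    if code == 37 or skew > MAX_SKEW:
        return "clock skew", "%s: SA and KDC clocks differ by %d s (limit %d s); fix NTP on the SA" % (name, skew, MAX_SKEW)
    if code == 6:
        who = "/".join(err.get("cname", {}).get("name-string", [])) or "<cname not echoed>"
        return "unknown client principal", "%s: realm %s has no account %s; check the account the SA authenticates as" % (name, err["realm"], who)
    return "other", name

def run_samples():
    """Constructed samples with hypothetical names: the thread's error, then a skew case."""
    t = datetime(2008, 9, 24, 10, 15, 0, tzinfo=timezone.utc)
    out = []
    for code, delay in ((6, 10), (37, 750)):
        pkt = build_krb_error(code, t, "MYDOMAIN.LOCAL", ["ivename$"], ["krbtgt", "MYDOMAIN.LOCAL"])
        err = decode_krb_error(pkt)
        out.append((err, diagnose(err, t + timedelta(seconds=delay))))
    return out
```

To use it on a real capture, pull the UDP payload of a port-88 reply out of the tcpdump file (a KRB-ERROR starts with the application tag byte 0x7E) and pass those bytes to decode_krb_error, then call diagnose with the SA's clock at the time of capture; a result other than "clock skew" on an AS-REQ that was rejected with error-code 6 means the client principal the SA sent is the thing to compare against the AD account, not the time.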

Copyright© 1999-2015 Juniper Networks, Inc. All rights reserved.