
Active Directory authentication with UTM

Currently testing an Astaro security appliance and hit a snag.

In the test lab everything works as expected, but initial testing on the production domain is not as promising.

Essentially it's as if something is blocking the AD authentication side of things.

As mentioned, on a newly built domain it joins and authenticates.

On live it says it's joined, but then it doesn't actually work.

What type of things might be preventing this from working?

Astaro is a Linux-based UTM appliance; you connect by giving it a bind user, e.g. cn=administrator,cn=users,dc=domain,dc=com.
After this you are able to assign web browsing policies by (AD) group.

What may be happening? I did have some trouble with rights (protected groups, inheritance etc.), might that be part of it?

Everything pings and resolves.
Any policies that may stop non-Windows clients authenticating?
Windows 2003 AD
1 Solution
Toni Uranjek (Consultant/Trainer) commented:

There are at least three group policy settings defined in the Default Domain Controllers Policy which can affect communication between domain controllers and non-Microsoft operating systems.

To configure the first setting correctly you would have to find out which form of authentication your appliance uses. LM, NTLMv1, NTLMv2 or Kerberos?

Configure Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level to use "Send LM & NTLM responses". This is the least secure setting.

After that you should disable the following settings: Microsoft network server: Digitally sign communications (always) and Domain controller: LDAP server signing requirements.

The following KB article might help you to troubleshoot your issue:
"Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments"


mhamer (Author) commented:
Thank you, all set correctly per your comments, still no joy.
Toni Uranjek (Consultant/Trainer) commented:
Unfortunately I'm not familiar with this device so I won't be of much assistance. I would recommend that you contact their support directly, maybe they've handled similar situations in the past.

Or you can run "gpresult /z > gpo.txt" on one of your domain controllers in the lab environment and on one in your domain and compare the results under Computer Configuration, User Rights settings; maybe you will spot the difference.
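The comparison Toni suggests can be done in PowerShell rather than by eye. This is an added example, not code from the thread or from Astaro: it reads the effective values behind the three settings named above from the standard Windows registry locations on the DC it runs on, and diffs two saved gpresult reports. The report file names are assumptions.

```powershell
# Added example: show the effective state of the three settings named in the
# thread on this domain controller, and diff two saved "gpresult /z" reports.
# Registry paths are the standard locations Windows uses for these policies.

function Get-DcAuthPolicyState {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        # 0 = Send LM & NTLM responses (least secure) ... 5 = Send NTLMv2 only, refuse LM & NTLM
        LmCompatibilityLevel = (Get-ItemProperty -Path $lsa  -ErrorAction SilentlyContinue).LmCompatibilityLevel
        # 1 = "Digitally sign communications (always)" is enabled on the SMB server side
        SmbSignRequired      = (Get-ItemProperty -Path $srv  -ErrorAction SilentlyContinue).RequireSecuritySignature
        # 1 = LDAP signing not required, 2 = signing required
        LdapServerIntegrity  = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).LDAPServerIntegrity
    }
}

function Compare-GpResultReports {
    param(
        [Parameter(Mandatory)][string]$LabReport,   # assumed: gpresult /z output from a lab DC
        [Parameter(Mandatory)][string]$ProdReport   # assumed: gpresult /z output from a production DC
    )
    # Lines only in one report are shown with a SideIndicator (<= lab, => production).
    Compare-Object -ReferenceObject (Get-Content $LabReport) `
                   -DifferenceObject (Get-Content $ProdReport)
}

# Usage (run elevated on each DC, then copy the report files together):
#   gpresult /z > C:\temp\gpo-lab.txt     # on the lab DC
#   gpresult /z > C:\temp\gpo-prod.txt    # on the production DC
#   Get-DcAuthPolicyState
#   Compare-GpResultReports -LabReport C:\temp\gpo-lab.txt -ProdReport C:\temp\gpo-prod.txt
```

Comparing the values returned by Get-DcAuthPolicyState on a lab DC and on a production DC shows directly whether the policy change Toni describes has actually taken effect, before relaxing anything further.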

mhamer (Author) commented:
Comparing the policies pointed out a few other issues. Not a fix, as it's still bust, but it gets further :-)
Toni Uranjek (Consultant/Trainer) commented:
This is the first time I will say thanks for a C grade, but unfortunately I could not offer any better suggestion.

However, you could try one more thing. There is one particular policy that affects only domain controllers: the Default Domain Controllers Policy. Disable its link in your domain. Back it up with GPMC in both domains. Create a new GPO in your domain, link it to "Domain Controllers" and import the settings from the backup from the test environment. If it doesn't work you can still enable the link from the original DDCP and delete the imported GPO.
Just some ideas.

You could set up a group policy to point users to the proxy. Downside: it will not make Firefox, Opera etc. go to the proxy.

Maybe make the router send all HTTP traffic to the proxy.
