active directory authentication UTM

currently testing an Astaro security appliance and hit a snag

in test lab everything works as expetced but initail testing on production domain is not as promising

essentially its as if something is blocking the AD authentication side of things


as mentioned on a newly built domain it joins and authenticates.

on live it says its joined but the doesnt actuall work

what type of things might be preventing this from working

astaro is a UTM linux based appliance  you connect by giving it a bind user e.g  cn=administrator,cn=users,dc=domain,dc-com
after this you are able to assign web browsing policys by (ad) group

what may be happerning, did have some trouble with rights  (protected groups inherritence etc)  might be part of it?

everything pings and resolves
any policys that may stop non windows authenticating?
Windows 2003 AD
mhamerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Toni UranjekConsultant/TrainerCommented:
Hi!

There are at least three group policy settings defined in Default Domain Controllers Policy which can affect communication between domain controllers and non-Micorosoft operating systems.

To configure first setting correctly you would have to find out which form of authentication does your applilance use. LM, NTLMv1, NTLMv2 or Kerberos?

Configure Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level to use "Send LM & NTLM responses". This is the least secure setting.

After that you should disable the following setting: Microsoft network server: Digitally sign communications (always) and Domain controller: LDAP server signing requirements.

The following KB article might help you to troubleshoot your issue:
"Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments"
http://support.microsoft.com/kb/823659

HTH

Toni
0
mhamerAuthor Commented:
thank you all set correctly per your comments still no joy
0
Toni UranjekConsultant/TrainerCommented:
Unfortunately I'm not familiar with this device so I won't be much of assistance, I would recommend that you contact their support directly, maybe they've handled similar situatuions in the past.

Or you can run "gpresult /z > gpo.txt" on one of your domain controllers in lab environment and one in your domain and compare results under computer configuration, user right settings, maybe you will spot the difference.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

mhamerAuthor Commented:
compaing the policys pointed out a few other issues not a fix as still bust but it gets further :-)
0
Toni UranjekConsultant/TrainerCommented:
This is the first time I will say thanks for a C grade, but unfortunately I could not offer any better sugestion.

However, you could one more thing. There is one particular policy that affects only domain controllers. Default domain controllers policy, disable its link in your domain. Back it up with GPMC in both domains. Create new GPO in your domain, link it to the "Domain Controllers" and import settings from backup from test environment.  If it doesn't work you can still enable link from original DDCP, and delete the imported GPO.
0
EverettWCommented:
Just some ideas

You could setup a group policy to point users to the proxy.  Downside will not make firefox, opera etc go to the proxy.  

Maybe make the router send all http traffic to the proxy.  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.