WatchGuard 1250x with Active Directory Single Sign-on to Windows 2000 domain

I have a WG 1250x firewall configured for Single Sign On to a Windows 2000 domain controller and its backup (both have the SSO agent installed).
I have a group on the WG and Active Directory called Internet Users that is set up in Policy to access HTTP to the Internet.
I log on a workstation as a user in that group and attempt to access an HTTP website.  I never see the user show up in the Firebox System Manager / Authentication screen.  That screen remains blank.
We even installed the SSO client on the workstation.  Still, the user was not authenticated to the domain on the WatchGuard.  I would appreciate any help on this issue!  Thanks!
Asked by DilbertW01

dpk_wal commented:
Sorry, but I am not sure why it is not working; maybe SSO does not work with Win2000.
dpk_wal commented:
Two things here:
1. Is the Active Directory authentication working?
2. If 1 is true, then is SSO working?

1. We can configure HTTP service as:
Enabled and allowed; from active-directory-group/user; to ANY-or-specific-website
You would need to first authenticate to: http://internal-ip-of-firebox:4100

2. Have you enabled SSO in Policy Manager->Setup->Authentication->Authentication Setting; Single Sign-On?
The SSO Agent must be installed on a statically addressed computer that is a member of the Windows domain, and uses Windows XP or Windows Vista. You can install it on your domain controller, or on another computer.
Finally, you have not specified the machine IP under exception.

Please check and update.

Thank you.
DilbertW01 (author) commented:
Two things here:
1. Is the Active Directory authentication working?
- My account shows up on the Authentication tab as soon as my workstation logs in with my logon name (SamT).  Even if I log in as a different user, the user's name does not show up in the Authentication tab.  My SamT account still shows up in the Authentication tab at that workstation's IP address.  Therefore, the test user can access the Internet with my SamT credentials and group membership credentials / policies.

2. If 1 is true, then is SSO working?
- Like I said, SSO does not pick up the new user logged in.  I am also not sure why my workstation authenticates to the domain with my logon.  I don't have any services that I am aware of that would be authenticating to the network.


2. Have you enabled SSO in Policy Manager->Setup->Authentication->Authentication Setting; Single Sign-On?

Yes, I have checked all the Authentication settings for the Active Directory server IP address, AD LDAP search path, Active Directory group added to AD and on the firewall and the SSO setting point to one of the domain controllers running the SSO 10.2.3 agent.
dpk_wal commented:
Are you logging in from the same machine with a different user name? There is a timeout value for the users, and once you get authenticated from a machine, WG maps the IP address for that machine and keeps the value till the timeout is reached.
If possible log in from a different machine or reduce the timeout value and then login again.

Please advise if I have missed anything.

Thank you.
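The IP-keyed mapping dpk_wal describes is what makes the symptom in this thread a policy problem rather than a cosmetic one: until the timeout expires, every user of that workstation is attributed to the first authenticated account. The model below is an added example, not WatchGuard code; it assumes a table keyed by source IP with a fixed timeout (600 s default, 120 s as reduced in the thread) and a constructed test address.

```python
"""Model of an IP-keyed single sign-on table with a timeout.

Added illustration, not WatchGuard code. It models the behaviour described
in the thread: the firewall maps an authenticated user to the source IP and
keeps that mapping until the timeout is reached, so a second user at the
same machine inherits the first user's policies if the SSO agent never
reports the new logon. The IP address and timeline are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    mapped_at: float  # seconds; a real implementation would use a monotonic clock


class IpAuthTable:
    """Authentication table keyed by source IP, as the thread describes."""

    def __init__(self, timeout_s: float = 600.0) -> None:
        self.timeout_s = timeout_s
        self._by_ip: Dict[str, Session] = {}

    def sso_logon(self, ip: str, user: str, now: float) -> None:
        """SSO agent reports a logon from ip; a later report overwrites the earlier one."""
        self._by_ip[ip] = Session(user, now)

    def logoff(self, ip: str) -> None:
        """Manual 'Log Off User' in the management console clears the mapping."""
        self._by_ip.pop(ip, None)

    def user_for(self, ip: str, now: float) -> Optional[str]:
        """Who the firewall attributes traffic from ip to: the mapped user until timeout."""
        s = self._by_ip.get(ip)
        if s is None:
            return None
        if now - s.mapped_at > self.timeout_s:
            del self._by_ip[ip]  # expired; the next request is unauthenticated
            return None
        return s.user


def shared_workstation_scenario(timeout_s: float) -> Dict[str, Optional[str]]:
    """Constructed timeline: SamT is mapped at t=0; a test user logs on at the
    same IP at t=60 s but the agent never reports it. Returns who the firewall
    attributes the traffic to at each point."""
    ip = "192.0.2.10"  # constructed RFC 5737 documentation address
    table = IpAuthTable(timeout_s)
    table.sso_logon(ip, "SamT", now=0.0)
    out: Dict[str, Optional[str]] = {}
    out["test user at t=60s"] = table.user_for(ip, now=60.0)  # still SamT
    out["past timeout"] = table.user_for(ip, now=timeout_s + 1.0)
    table.sso_logon(ip, "SamT", now=1000.0)
    table.logoff(ip)  # manual log off clears the entry immediately
    out["after manual logoff"] = table.user_for(ip, now=1001.0)
    return out
```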
DilbertW01 (author) commented:
Are you logging in from the same machine with a different user name? There is a timeout value for the users, and once you get authenticated from a machine, WG maps the IP address for that machine and keeps the value till the timeout is reached.

- The default on the SSO timeout and AD authentication are both 10 minutes.  I reduced them to 2 minutes on each.
- I powered up my workstation.  My SamT name / IP address showed up without even logging on.  After 5 minutes, it was still there.
- I tried to Log Off User on SamT.  I then tried to log on as the test user account.
- On the next refresh, my SamT account showed up again.  The test account never would show up in the authentication tab.

I tried a different system.  The domain administrator account shows up from that system with its IP address.  Again, when the test user logs in, his name never shows up.

I am beginning to really see why WatchGuard dropped support for Windows 2000.

I appreciate you taking the time on this issue.  Got any other suggestions?
DilbertW01 (author) commented:
That seems to be the general consensus - WatchGuard's Single Sign On does not work with Windows 2000's Active Directory structure.  We are in the process of upgrading to Windows 2003 now.