Solved

WatchGuard 1250x with Active Directory Single Sign-on to Windows 2000 domain

Posted on 2009-02-11
Last Modified: 2012-05-06
I have a WG 1250x firewall configured for Single Sign On to a Windows 2000 domain controller and its backup (both have the SSO agent installed).
I have a group on the WG and Active Directory called Internet Users that is set up in Policy to access HTTP to the Internet.
I log on a workstation as a user in that group and attempt to access an HTTP website.  I never see the user show up in the Firebox System Manager / Authentication screen.  That screen remains blank.
We even installed the SSO client on the workstation.  Still, the user was not authenticated to the domain on the WatchGuard.  I would appreciate any help on this issue!  Thanks!
Question by:DilbertW01
6 Comments
Expert Comment

by:dpk_wal
ID: 23671989
Two things here:
1. Is the Active Directory authentication working?
2. If 1 is true, then is SSO working?

1. We can configure HTTP service as:
Enabled and allowed; from active-directory-group/user; to ANY-or-specific-website
You would need to first authenticate to: http://internal-ip-of-firebox:4100

2. Have you enabled SSO in Policy Manager->Setup->Authentication->Authentication Setting; Single Sign-On?
The SSO Agent must be installed on a statically addressed computer that is a member of the Windows domain, and uses Windows XP or Windows Vista. You can install it on your domain controller, or on another computer.
Finally, you have not specified the machine IP under exceptions.

Please check and update.

Thank you.

Author Comment

by:DilbertW01
ID: 23688537
Two things here:
1. Is the Active Directory authentication working?
- My account shows up on the Authentication tab as soon as my workstation logs in with my logon name (SamT).  Even if I log in as a different user, the user's name does not show up in the Authentication tab.  My SamT account still shows up in the Authentication tab at that workstation's IP address.  Therefore, the test user can access the Internet with my SamT credentials and group membership credentials / policies.

2. If 1 is true, then is SSO working?
- Like I said, SSO does not pick up the new user logged in.  I am also not sure why my workstation authenticates to the domain with my logon.  I don't have any services that I am aware of that would be authenticating to the network.


2. Have you enabled SSO in Policy Manager->Setup->Authentication->Authentication Setting; Single Sign-On?

Yes, I have checked all the Authentication settings for the Active Directory server IP address, AD LDAP search path, Active Directory group added to AD and on the firewall and the SSO setting point to one of the domain controllers running the SSO 10.2.3 agent.
Expert Comment

by:dpk_wal
ID: 23692784
Are you logging in from the same machine with a different user name? There is a timeout value for the users, and once you get authenticated from a machine, WG maps the IP address for that machine and keeps the value till the timeout is reached.
If possible, log in from a different machine or reduce the timeout value and then log in again.

Please advise if I have missed anything.

Thank you.
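The mechanism the expert describes above (the firewall keeps an IP-to-user mapping until the timeout expires) and the policy from the first comment (HTTP allowed only for the Active Directory group Internet Users) can be modelled in a few lines. The following is an added example and is not WatchGuard code or anything posted in this thread; the class names, the workstation address 10.0.0.5, the user "testuser" and the timings are constructed for illustration. It replays the situation in the thread: SamT's mapping stays attached to the workstation, a second user who logs on is never reported by the SSO agent, and so that user browses under SamT's group policies until the timeout runs out. It also shows the effect of shortening the timeout, the healthy case where the agent does report the second logon, and a simple check that flags an IP whose firewall-mapped user differs from who is actually logged on there.

```python
from dataclasses import dataclass

# Group name taken from the thread; every other value below is constructed.
INTERNET_GROUP = "Internet Users"


@dataclass
class Session:
    user: str
    groups: frozenset
    expires_at: float  # seconds, on the same clock as the `now` arguments


class SsoTable:
    """IP -> authenticated user mapping with an idle timeout (a model, not WatchGuard's code)."""

    def __init__(self, timeout_seconds: float):
        self.timeout = timeout_seconds
        self.sessions = {}  # ip -> Session

    def agent_report(self, ip: str, user: str, groups, now: float) -> None:
        """The SSO agent reports that `user` is logged on at `ip`; any older entry is replaced."""
        self.sessions[ip] = Session(user, frozenset(groups), now + self.timeout)

    def lookup(self, ip: str, now: float):
        """Return the live session for `ip`, dropping it once the timeout has passed."""
        s = self.sessions.get(ip)
        if s is not None and now >= s.expires_at:
            del self.sessions[ip]
            return None
        return s

    def allowed(self, ip: str, now: float, required_group: str = INTERNET_GROUP) -> bool:
        """Policy check: HTTP is allowed only if the user mapped to `ip` is in the required group."""
        s = self.lookup(ip, now)
        return s is not None and required_group in s.groups


def stale_mappings(table: SsoTable, observed_logons: dict, now: float) -> list:
    """Compare the firewall's mapping with who is actually logged on at each IP.

    `observed_logons` is ip -> username from an independent source such as
    workstation logon events.  Returns (ip, firewall_user, actual_user) tuples
    wherever the two disagree, i.e. where someone is browsing under another
    user's policies.
    """
    mismatches = []
    for ip, actual in observed_logons.items():
        s = table.lookup(ip, now)
        if s is not None and s.user.lower() != actual.lower():
            mismatches.append((ip, s.user, actual))
    return mismatches


def scenario_from_thread(timeout: float = 600, agent_reports_second_logon: bool = False) -> dict:
    """Replay the thread: SamT is mapped at a workstation, then a test user logs on there."""
    ws = "10.0.0.5"  # constructed workstation address
    table = SsoTable(timeout)
    # t=0: SamT's logon is reported; SamT is in Internet Users.
    table.agent_report(ws, "SamT", {"Domain Users", INTERNET_GROUP}, now=0)
    if agent_reports_second_logon:
        # Healthy case: the agent sees the new logon at t=60; testuser is not in Internet Users.
        table.agent_report(ws, "testuser", {"Domain Users"}, now=60)
    # Otherwise the agent never reports the second logon, which is what the thread describes.
    at_130 = table.lookup(ws, now=130)
    return {
        "user_at_130": at_130.user if at_130 else None,
        "allowed_at_130": table.allowed(ws, now=130),
        "stale_at_130": stale_mappings(table, {ws: "testuser"}, now=130),
    }


if __name__ == "__main__":
    print("10 min timeout, agent silent:", scenario_from_thread())
    print("2 min timeout, agent silent: ", scenario_from_thread(timeout=120))
    print("agent reports second logon:  ", scenario_from_thread(agent_reports_second_logon=True))
```

With the default ten-minute timeout and a silent agent, the lookup at 130 seconds still returns SamT and HTTP is allowed, which is exactly the inherited access the author observed; with the timeout cut to two minutes the entry has already expired, and when the agent does report the second logon the test user is mapped and, not being in Internet Users, is denied. The stale-mapping check is the kind of comparison an administrator can run between the Authentication tab and workstation logon records while an SSO problem like this one is open.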
Author Comment

by:DilbertW01
ID: 23693241
Are you logging in from the same machine with a different user name? There is a timeout value for the users, and once you get authenticated from a machine, WG maps the IP address for that machine and keeps the value till the timeout is reached.

- The default on the SSO timeout and AD authentication are both 10 minutes.  I reduced them to 2 minutes on each.
- I powered up my workstation.  My SamT name / IP address showed up without even logging on.  After 5 minutes, it was still there.
- I tried to Log Off User on SamT.  I then tried to log on as the test user account.
- On the next refresh, my SamT account showed up again.  The test account never would show up in the authentication tab.

I tried a different system.  The domain administrator account shows up from that system with its IP address.  Again, when the test user logs in, his name never shows up.

I am beginning to really see why WatchGuard dropped support for Windows 2000.

I appreciate you taking the time on this issue.  Got any other suggestions?
Accepted Solution

by:dpk_wal (earned 1500 total points)
ID: 23694126
Sorry but I am not sure why it is not working; may be SSO does not work with win2000.
Author Closing Comment

by:DilbertW01
ID: 31545913
That seems to be the general consensus - WatchGuard's Single Sign On does not work with Windows 2000's Active Directory structure.  We are in the process of upgrading to Windows 2003 now.