WatchGuard 1250x with Active Directory Single Sign-on to Windows 2000 domain

DilbertW01 asked
Last Modified: 2012-05-06
I have a WG 1250x firewall configured for Single Sign On to a Windows 2000 domain controller and its backup (both have the SSO agent installed).
I have a group on the WG and Active Directory called Internet Users that is set up in Policy to access HTTP to the Internet.
I log on a workstation as a user in that group and attempt to access a HTTP website.  I never see the user show up in the Firebox System Manager / Authentication screen.  That screen remains blank.
We even installed the SSO client on the workstation.  Still, the user was not authenticated to the domain on the WatchGuard.  I would appreciate any help on this issue!  Thanks!

CERTIFIED EXPERT
Top Expert 2007

Commented:
Two things here:
1. Is the Active Directory authentication working?
2. If 1 is true, then is SSO working?

1. We can configure HTTP service as:
Enabled and allowed; from active-directory-group/user; to ANY-or-specific-website
You would need to first authenticate to: http://internal-ip-of-firebox:4100

2. Have you enabled SSO in Policy Manager->Setup->Authentication->Authentication Setting; Single Sign-On?
The SSO Agent must be installed on a statically addressed computer that is a member of the Windows domain, and uses Windows XP or Windows Vista. You can install it on your domain controller, or on another computer.
Finally, you have not specified the machine IP under exception.

Please check and update.

Thank you.

Author

Commented:
Two things here:
1. Is the Active Directory authentication working?
- My account shows up on the Authentication tab as soon as my workstation logs in with my logon name (SamT).  Even if I log in as a different user, the user's name does not show up in the Authentication tab.  My SamT account still shows up in the Authentication tab at that workstation's IP address.  Therefore, the test user can access the Internet with my SamT credentials and group membership credentials / policies.

2. If 1 is true, then is SSO working?
- Like I said, SSO does not pick up the new user logged in.  I am also not sure why my workstation authenticates to the domain with my logon.  I don't have any services that I am aware of that would be authenticating to the network.


2. Have you enabled SSO in Policy Manager->Setup->Authentication->Authentication Setting; Single Sign-On?

Yes, I have checked all the Authentication settings for the Active Directory server IP address, AD LDAP search path, Active Directory group added to AD and on the firewall, and the SSO setting points to one of the domain controllers running the SSO 10.2.3 agent.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Are you logging in from the same machine with a different user name? There is a timeout value for the users, and once you get authenticated from a machine, WG maps the IP address for that machine and keeps the value till the timeout is reached.
If possible, log in from a different machine, or reduce the timeout value and then log in again.

Please advise if I have missed anything.

Thank you.
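The mechanism in the comment above (the firebox keys authentication on the client IP address and keeps that mapping until the timeout elapses) is what lets the test user in this thread browse with SamT's group policies. The following Python model is an added example, not WatchGuard code or anything posted in the thread; the IP address, user names, timeout and event timeline are constructed to mirror the symptoms described, and show why a shorter timeout or a manual "Log Off User" only helps until something on the workstation re-reports the old user.

```python
"""Model of an IP-keyed single-sign-on session table with an idle timeout.

Added example (not WatchGuard's implementation): it simulates the behaviour
the expert describes, where the firewall maps a client IP to the authenticated
user and keeps that mapping until the timeout is reached. All names, times
and events below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Session:
    user: str
    last_seen: float  # time (seconds) of the last authentication report


class SsoSessionTable:
    """IP -> user mapping that expires `timeout` seconds after the last report."""

    def __init__(self, timeout: float) -> None:
        self.timeout = timeout
        self.sessions: dict[str, Session] = {}

    def report(self, ip: str, user: str, now: float) -> None:
        """The SSO agent reports that `user` is logged on at `ip` (new or refresh)."""
        self.sessions[ip] = Session(user, now)

    def logoff(self, ip: str) -> None:
        """An operator 'Log Off User' action or agent logoff clears the mapping."""
        self.sessions.pop(ip, None)

    def lookup(self, ip: str, now: float) -> str | None:
        """User a request from `ip` is attributed to, or None if unauthenticated."""
        session = self.sessions.get(ip)
        if session is None:
            return None
        if now - session.last_seen > self.timeout:
            del self.sessions[ip]  # expired: policy falls back to unauthenticated
            return None
        return session.user


def replay(events, timeout):
    """Feed a constructed event list through the table.

    Returns one (time, ip, attributed_user) tuple per HTTP request, i.e. the
    identity the firewall would apply its user/group policy to.
    """
    table = SsoSessionTable(timeout)
    decisions = []
    for t, kind, ip, *rest in events:
        if kind == "report":
            table.report(ip, rest[0], t)
        elif kind == "logoff":
            table.logoff(ip)
        elif kind == "http":
            decisions.append((t, ip, table.lookup(ip, t)))
    return decisions


# Constructed timeline mirroring the thread: SamT is reported at boot, and the
# test user's interactive logon at the same IP is never reported by the agent.
EVENTS = [
    (0, "report", "10.0.0.5", "SamT"),    # workstation boots, agent reports SamT
    (60, "http", "10.0.0.5"),             # test user browses: attributed to SamT
    (90, "logoff", "10.0.0.5"),           # operator clicks Log Off User
    (100, "http", "10.0.0.5"),            # mapping gone, request is unauthenticated
    (110, "report", "10.0.0.5", "SamT"),  # a background service re-reports SamT
    (130, "http", "10.0.0.5"),            # attributed to SamT again
    (300, "http", "10.0.0.5"),            # 190 s since last report: expired at 120 s
]


def attributed_requests(timeout=120):
    """Requests that the firewall attributes to some user under `timeout`.

    In the constructed timeline every such request is SamT's policy being applied
    to a request that SamT did not make.
    """
    return [d for d in replay(EVENTS, timeout) if d[2] is not None]


if __name__ == "__main__":
    for t, ip, user in replay(EVENTS, 120):
        print(f"t={t:>3}s {ip} -> {user or 'unauthenticated'}")
```

The model makes the defensive point explicit: lowering the timeout shortens the window, but as long as some process on the workstation keeps re-authenticating the first account (the "SamT shows up without even logging on" symptom), the mapping is refreshed and the next person at that IP inherits that account's policy. Finding and stopping whatever re-reports the stale account matters more than the timeout value.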

Author

Commented:
Are you logging in from the same machine with a different user name? There is a timeout value for the users, and once you get authenticated from a machine, WG maps the IP address for that machine and keeps the value till the timeout is reached.

- The default on the SSO timeout and AD authentication are both 10 minutes.  I reduced them to 2 minutes on each.
- I powered up my workstation.  My SamT name / IP address showed up without even logging on.  After 5 minutes, it was still there.
- I tried to Log Off User on SamT.  I then tried to log on as the test user account.
- On the next refresh, my SamT account showed up again.  The test account never would show up in the authentication tab.

I tried a different system.  The domain administrator account shows up from that system with its IP address.  Again, when the test user logs in, his name never shows up.

I am beginning to really see why WatchGuard dropped support for Windows 2000.

I appreciate you taking the time on this issue.  Got any other suggestions?
CERTIFIED EXPERT
Top Expert 2007
Commented:
Sorry, but I am not sure why it is not working; maybe SSO does not work with Win2000.


Author

Commented:
That seems to be the general consensus - WatchGuard's Single Sign On does not work with Windows 2000's Active Directory structure.  We are in the process of upgrading to Windows 2003 now.