dmanisit
asked on
Citrix CAG LDAP Authentication problem
Greetings,
I have configured my CAG for LDAP auth. The authentication works from my machine ONLY and can authenticate anyone on the domain who is in the USERS group, but if you try to log in from any other machine it does not work. Any ideas as to why?
I just want to be a bit clearer:
External users (via Internet) can connect to the CAG?
or
Internal users access the external address from within and connect?
ASKER
Internal users access the external IP from the LAN and can auth. Kinda crazy?
I thought I posted this a bit earlier... oops.
Does your CAG have an internal DNS entry?
ASKER
Yes it does.
DNS.JPG
Sorry, I should have been clearer. What I meant was: on your DNS servers, does your CAG have a DNS entry?
i.e. CAGfqdn.domain = x.x.x.x <-- internal network address
ASKER
Yes sir, they do. The user can get to the sign-in page with no problems; it's just authenticating from the internal IP address on LDAP???
Alright, so it works from one computer only, regardless of who logs in from that computer.
When you try to log in from another machine, does it return an error (initial CAG screen)?
This is a very kooky one, I'll give you that.
ASKER
It denies authentication from any other computer on the internal IP ONLY. No other errors at all. Here is a picture of my LDAP config, username blacked out to protect the innocent :-)
CAG-LDAP-Blacked.JPG
Yeah, you got a funky one here.
In the CAG, under Network, ACLs, do you have anything there?
Also, on the CAG go to Access Gateway, Policies, Authentication; open the LDAP policy you have and in the expression box do you have anything else besides "ns_true"?
It's pretty strange that one machine internally can auth to the internal CAG address and not others, but at the same time any internal machine can authenticate to the external address.
Sorry I have not been more help. I would think there would be an error popping up somewhere to let you know why.
ASKER
Sorry for the delay. No, I have nothing listed under ACL. And under Policies and Auth, in the LDAP policy there is nothing else listed except ns_true.
And I agree it is very strange. I am not really that familiar with the CAG setup or error logs, so I'm sure there may be a log somewhere, and no problem that you haven't been that much help, I just appreciate any help and you are making me look at things again. So thank you.
Can you tell me which Access Gateway you have (i.e. Enterprise) and which firmware you're up to?
ASKER CERTIFIED SOLUTION
No problem.
But we do use the CAG to service both external and internal connections.
ASKER
I have the CAG7000 Enterprise NS9.0: Build 71.3, Date: Oct 12 2009, 17:40:14
Seems good. You may want to close the post if you're OK with the way you're working now.
ASKER
Well, if you have any ideas on the internal side I would be grateful.
OK, let's give it a shot.
Is the CAG currently in a DMZ?
ASKER
Yes sir.
Do you have something similar to this?
External IP is 113.1.1.1 and resolves to mydomain.com; it is NATted to 10.1.1.1 internally.
Domain DNS:
Internal IP is 10.1.1.1 and resolves to mydomain.com.
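The expert's sketch above describes a split-DNS setup: one name, a public address on the firewall that is NATted to the CAG, and an internal DNS entry pointing straight at the DMZ address. Which of those paths a client actually takes depends on which resolver it asked, and that is what separates "internal users hitting the external address work" from "internal users hitting the internal address are denied". The following script is an added example, not code from the thread or from Citrix: it takes the 113.1.1.1 / 10.1.1.1 / mydomain.com values from the post, plus constructed client addresses, resolver labels and internal subnets, and labels each client's path so you can see which clients rely on hairpin NAT and which rely on split DNS (and flags the case where the internal address is answered to an outside client).

```python
import ipaddress
from dataclasses import dataclass

# Addresses and name taken from the expert's example in the thread; everything
# else below (client addresses, resolver labels, internal subnets) is constructed.
EXTERNAL_IP = ipaddress.ip_address("113.1.1.1")  # public address on the firewall, NATted to the CAG
INTERNAL_IP = ipaddress.ip_address("10.1.1.1")   # CAG address in the DMZ
FQDN = "mydomain.com"

# Constructed: the networks we treat as "inside" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


@dataclass
class Observation:
    """One client's view of the CAG name: where it sits and what DNS answered."""
    client_ip: str   # address the user connects from
    resolver: str    # hypothetical label for the DNS server the client used
    answer: str      # A record that resolver returned for FQDN


def is_inside(ip):
    """True when the address falls in one of the constructed internal networks."""
    return any(ip in net for net in INTERNAL_NETS)


def classify(obs):
    """Return which path to the CAG a client takes, judged from its DNS answer."""
    client = ipaddress.ip_address(obs.client_ip)
    answer = ipaddress.ip_address(obs.answer)
    if answer == INTERNAL_IP:
        # Internal DNS handing out the DMZ address is the intended split-DNS case.
        # An outside client receiving it means the internal address is published
        # in public DNS, which exposes internal addressing for no benefit.
        return "split-dns" if is_inside(client) else "leaked-internal-address"
    if answer == EXTERNAL_IP:
        # An inside client using the public address reaches the CAG only if the
        # firewall hairpins (loops back) the NAT for inside-originated traffic.
        return "hairpin-nat" if is_inside(client) else "external"
    # Anything else is a stale or wrong record and will not reach the CAG at all.
    return "unexpected-answer"


def findings(observations):
    """Map each observation ("client via resolver") to its path label."""
    return {f"{o.client_ip} via {o.resolver}": classify(o) for o in observations}


# Constructed sample: two inside clients using different resolvers, two outside
# clients, and one inside client with a stale record.
SAMPLE = [
    Observation("192.168.5.20", "internal-dns", "10.1.1.1"),
    Observation("192.168.5.21", "public-dns", "113.1.1.1"),
    Observation("113.9.9.9", "public-dns", "113.1.1.1"),
    Observation("113.9.9.8", "public-dns", "10.1.1.1"),
    Observation("192.168.5.22", "stale-dns", "10.1.1.9"),
]

if __name__ == "__main__":
    for where, path in findings(SAMPLE).items():
        print(f"{FQDN}: {where} -> {path}")
```

Read against the symptom in this thread, the asker's internal users succeed on the "hairpin-nat" path and fail on the "split-dns" path, so the two paths differ in how traffic reaches the CAG and LDAP server, not in the credentials; that is why the expert is asking about the DNS entries and NAT before looking further at the LDAP policy.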