AD authentication on Sonicwall NSA

Asked by Member_2_2473503

I am rather new to the SonicWALL family coming over from Cisco and so far I like the SonicWALL but I am having a few problems with LDAP reading my AD.

I am running on an NSA 240 with firmware 5.6 installed

When I first started playing with LDAP I was able to get Auto-Configure to work and pull my tree structure but I can't get that working any more.

Whenever I test LDAP using the built-in test I get


Test Status:
Credentials not valid at LDAP server
 
Message from LDAP:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

and in the log
12/10/2010 10:25:23.928      Error      Remote Authentication      Bind to LDAP server failed                  Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

I have tried many different accounts using domain admins and normal users but so far no luck.  I have also tried every possible way of denoting the user name (domain\user, domain/user, user@domain, cn=user, dc=domain, display name, username...)

If anyone has a good guide for getting this working that would be great.

AD is on a Windows 2003 R2 server
SonicWALL NSA 240 with 5.6 installed
I am not using TLS right now because this is a test environment
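The "Message from LDAP" line in the question carries an Active Directory sub-code after `data` that says why the bind failed, and AD uses a small, well-known set of them. Below is an added Python triage helper (not from the original thread or from SonicWALL) that extracts that sub-code from a SonicWALL log line and maps it to its meaning; the sample log reuses the line from the question and adds a constructed lockout line.

```python
import re

# Well-known AD sub-codes after "data" in a failed simple bind's diagnostic.
AD_BIND_SUBCODES = {
    "525": "user not found (bind DN or login name does not resolve)",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)"
)

def classify_bind_error(message):
    """Map the sub-code in an LDAP bind diagnostic to its cause ({} if absent)."""
    m = _DIAG_RE.search(message)
    if not m:
        return {}
    data = m.group("data").lower()
    return {"hresult": m.group("hresult"), "data": data,
            "cause": AD_BIND_SUBCODES.get(data, "unknown sub-code")}

def triage_log(lines):
    """Classify each failed-bind log line in order, so that a run of 525s
    (bad bind path) followed by a 775 (lockout) is visible at a glance."""
    causes = []
    for line in lines:
        if "Bind to LDAP server failed" in line:
            info = classify_bind_error(line)
            if info:
                causes.append((info["data"], info["cause"]))
    return causes

# Constructed sample: the first line is the log line from the question; the
# second is a constructed lockout line in the same layout (not from the thread).
SAMPLE_LOG = [
    "12/10/2010 10:25:23.928 Error Remote Authentication Bind to LDAP server "
    "failed Credentials not valid at LDAP server - 80090308: LdapErr: "
    "DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece",
    "12/10/2010 10:31:02.113 Error Remote Authentication Bind to LDAP server "
    "failed Credentials not valid at LDAP server - 80090308: LdapErr: "
    "DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece",
]
```

A 525 (user not found) points at the bind identity or tree path rather than the password, which is the distinction the thread eventually arrives at.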
digitap:

Here is a KB for the LDAP part:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8201

When you're ready for TLS:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7813


I've found 2003 is easier than 2008 for LDAP.  Since I don't know what you've setup thus far, review the settings based on the KB.  Post back if you have any questions.
Member_2_2473503 (ASKER):

Nope, I still cannot get it to work.

No matter what I do it just seems to not want to authenticate and read my AD through LDAP. I have tried V2 and V3.

see picture

Is there a way for me to export my config so I can post part of it here?  I knew how to do that on Cisco but still learning SonicWALL.

eb
To export the settings, go to System > Diagnostics. TSR (Tech Support Report) is what you want to download. It will save the settings to a txt file. You don't need to check any of the boxes. Don't post the whole thing; copy out what you want.

Try this first...found it in a SonicWALL forums post.

turns out that it was a browser cache issue. we called sonicwall tech support, they verified everything we did was correct and then went on to clear our browser cache and that fixed our "credentials not valid" error.

a little weird, but it worked and now we're up and running without the CA
Or this:

Problem is solved, my FQ domain name is equinoxnv.lan. But I had to enter the netbios name like you said... just 'equinoxnv' instead of 'equinoxnv.lan'.

Thanks for the advice!
Nope, neither worked.

Here is the LDAP config from the NSA


LDAP
LDAP server name/address:	192.168.251.7
LDAP server port:		389
LDAP server login name:		John Doe
LDAP server login tree:		DOMAIN/
LDAP timeout:			10 seconds
LDAP protocol version:		2
LDAP referrals			On
Use TLS/SSL:			No
Negotiate TLS:			No
TLS certificate:		None
Require server cert:		No

LDAP Schema Settings...
  User object class:		user
    User login name attribute:	sAMAccountName
    Qualified login attribute:	(null)
    User group attribute:	memberOf
    Framed IP addr attribute:	msRADIUSFramedIPAddress
  User group object class:	group
    Group member attribute:	member
    Member attribute type:	DN

LDAP Directory Settings...
  User domain:			DOMAIN
  Users tree:			DOMAIN/
  User groups tree:		DOMAIN/


OK, so are you using the administrator account under the first tab in the LDAP configurations? If so, try something for me. Under the first tab, click the second radio button (I don't recall the name, but it's next to anonymous) and type Administrator with an uppercase 'A'. Type your password. Click the third tab and make sure the first box has the proper domain...if your domain is domain.local, make sure you type domain.local. Make sure the second box has the path to the user you typed under the first tab.

Then, click the second tab and click the read from server button...keep the default in the window that appears and click OK...what happens then?
ASKER CERTIFIED SOLUTION by digitap (members-only content, not shown on this page)
Nope, no good, still does not work...

I have a support case open with SonicWALL but since it is priority 4 I am waiting to hear back from them.

eb
Have a good night and thanks for the help

eb
OK it is working...

Silly me, all my testing had locked out the account I was using to test with...unlocked the account and it works

Thanks again for the help, I think my problem was I did not have the path to the user set right and that was causing failed logins which in turn locked out the account.  Then when I got the settings right the account was locked out.

eb
Thanks again, this is why I like this site: if you don't know it, someone out there does...
Glad I could help. Your locked account is certainly something to look at in the troubleshooting process. I don't know if I would ever have thought of that. Thanks for the points!
Well, it was more luck. I went to log into my server to check the event logs for any clues, and when I logged in I got the account locked message.

eb
>GRIN<!
Yardstick:

Just as a note, I ran into the same issue. To resolve this I used "Give bind distinguished name" and typed in the UPN of my service account (i.e. ldapaccess@domain.local). In my case I used port 389 and no TLS.