Solved

SonicWALL SSL-VPN 4000 - Active directory integration

Posted on 2013-12-24
Last Modified: 2014-04-02
I recently started my current job, and last week the primary domain controller died. Little did we know that it was not replicating correctly. In the end, I had to seize the roles on the secondary, and our backup software (AD backups) does not back up GPO objects, so they are all lost.

Our SSL-VPN device was authenticating users just fine through an Active Directory connection, but since the recovery, it keeps saying users are "not a member of the permitted AD group(s)". The workaround is to remove the security groups that are allowed, which lets everyone use it. I want to secure this back up. Here is a copy of the log (newest entry on top):

2013-12-24 13:29:29 Warning Authentication 10.1.1.254 192.168.1.6 jthompson User login failed

2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Login failed - Not a member of permitted AD group(s)  


2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Matched 0/2 groups (0.00%)

2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson No match for AD group: ssl-vpn-auth

2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson No match for AD group: SSL-NetExtender-HQ

2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Considering SSL-VPN group: VPN

2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Found existing SSL-VPN group: amervend

2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Error in binding to LDAP server: Local error (82)

2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Kerberos login successful

2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Attempting AD/Kerberos login (principal: 'jthompson@AMERVEND.AFVUSA.COM', realm: 'amervend.afvusa.com')
 
2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Login attempt: domain: 'VPN'


Also, if I go to Users --> Local Groups --> configure group --> AD Groups tab --> configure and enter a domain name and password, I get the same error as above:
"Error in binding to LDAP server: Local error (82)"
Question by:Madlife6
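The log above is worth reading as a sequence rather than as a single "not a member" error: Kerberos succeeds, the LDAP bind fails, and only then does the group match report 0/2. The following triage script is an added example, not part of the original thread or SonicWALL's own tooling; it parses a constructed copy of the question's log lines (plus a hypothetical second user, "asmith", whose group lookup genuinely found nothing) and separates an LDAP bind failure from a real authorization denial, so a defender does not "fix" the problem by removing the permitted groups.

```python
import re
from collections import defaultdict

# Constructed sample based on the lines quoted in the question (oldest first),
# plus a second, hypothetical user "asmith" whose group lookup actually worked.
SAMPLE_LOG = """\
2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Login attempt: domain: 'VPN'
2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Kerberos login successful
2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Error in binding to LDAP server: Local error (82)
2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Matched 0/2 groups (0.00%)
2013-12-24 13:29:29 Debug Authentication 10.1.1.254 192.168.1.6 jthompson Login failed - Not a member of permitted AD group(s)
2013-12-24 13:29:29 Warning Authentication 10.1.1.254 192.168.1.6 jthompson User login failed
2013-12-24 13:31:02 Debug Authentication 10.1.1.254 192.168.1.9 asmith Kerberos login successful
2013-12-24 13:31:02 Debug Authentication 10.1.1.254 192.168.1.9 asmith Matched 0/2 groups (0.00%)
2013-12-24 13:31:02 Debug Authentication 10.1.1.254 192.168.1.9 asmith Login failed - Not a member of permitted AD group(s)
2013-12-24 13:31:02 Warning Authentication 10.1.1.254 192.168.1.9 asmith User login failed
"""

# Layout assumed from the sample: <date> <time> <level> Authentication <src> <dst> <user> <message>
LINE_RE = re.compile(r"^\S+ \S+ (\w+) Authentication \S+ \S+ (\S+) (.*)$")
BIND_RE = re.compile(r"Error in binding to LDAP server: (.+)")
MATCH_RE = re.compile(r"Matched (\d+)/(\d+) groups")

def triage(log_text):
    """Return {user: verdict} for every user whose login failed."""
    msgs_by_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            msgs_by_user[m.group(2)].append(m.group(3))
    verdicts = {}
    for user, msgs in msgs_by_user.items():
        if "User login failed" not in msgs:
            continue  # successful session, nothing to triage
        kerb_ok = "Kerberos login successful" in msgs
        bind_err = next((b.group(1) for b in map(BIND_RE.search, msgs) if b), None)
        matched = next((g for g in map(MATCH_RE.search, msgs) if g), None)
        if not kerb_ok:
            verdicts[user] = "credential failure"  # wrong password, bad realm, clock skew, ...
        elif bind_err:
            # Credentials were fine; the appliance could not bind to LDAP to read
            # group membership, so "0/N groups" says nothing about the user.
            verdicts[user] = "ldap bind failure: " + bind_err
        elif matched and matched.group(1) == "0":
            verdicts[user] = "not in permitted groups"  # genuine authorization denial
        else:
            verdicts[user] = "unknown"
    return verdicts
```

A session that lands in "ldap bind failure" points at the appliance's LDAP bind account or the domain controller it is talking to, which is where this thread's problem turned out to be.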

Expert Comment

by:Miftaul
SSL VPN uses a simple AD account to validate the AD users if you integrated AD logon for VPN users. The AD account doesn't need any administrative privileges. Here "jthompson" is the AD account that was configured when integrating with AD.

To reconfigure it, you need to go to "Users -> Settings", select "LDAP+Local" under "Authentication method for login" and click Configure.

As all configurations were already there, under the Login username in the Settings tab, enter the user's full name as the Login username, and the password for the user. This must match AD.

Go to the Test tab, enter the details and run a test. Don't enter the full name here, rather the login name. That should work now.
 

Author Comment

by:Madlife6
Maybe I should have clarified: this is the SonicWALL SSL-VPN appliance. There is no Users -> Settings option. If I go into Portal -> Domain, the authentication is set as "Active Directory".

The error log looks like it authenticates the users just fine, but can't determine the group.


I compared it with our SonicWALL firewall settings, which do LDAP + Local authentication for the content filter bypass. This authenticates users in the group without issue.
 

Expert Comment

by:Miftaul
Could you follow This Link and check page 142.

Accepted Solution

by:Madlife6
Sorry for the delay. I was out sick and then sent to a remote site for a week and a half. I got this up and working. It appears to be an issue with our PDC. I rebuilt a 2nd domain controller, got all the Active Directory parts syncing properly with the PDC, and when I pointed the SSL-VPN 4000 to this, it worked just fine.

We have plans in the upcoming months to migrate everything to 2008, and in the process, get rid of the troublesome server.

Expert Comment

by:Miftaul
Good that the issue is fixed. Well done.
 

Author Closing Comment

by:Madlife6
Because the problem was an anomaly inside our PDC that no one would have figured out on their own. All of their suggestions and help combined did lead me to determine this, though.