Sonicwall SSO Multiple Domains

Good day,

I have been having inconsistent issues with Sonicwall SSO. I have multiple Vlans and hence implementing multiple domains for LDAP User Authentication.

It has been functional and all of a sudden the secondary domains are unable to authenticate. If i isolate their independent domain as the primary, they function. I have My Trust relationships configured and can access via FQDN. I have disable the firewall on each of my Domain Controllers to see if that may be the problem. I have also enabled the probing under the settings menu.

Can someone please guide me as to what may be the problem?

regards,
IBSITAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

J SpoorTMECommented:
You would SonicOS 6.5.0.x which introduced Authentication Partitioning.

You create a partition for each Domain with dedicated LDAP Servers and SSO Agents.
You then use the Authentication Partitioning Policies to map Subnets to the right Partition.
0
IBSITAuthor Commented:
SonicOS Enhanced 5.9.1.7-2o NSA3500
0
J SpoorTMECommented:
Unfortunately your 3500 (Gen 5) doesn't support SonicOS 6.5... You will need a Gen 6  (3600) or a Gen 6.5 (2650) for that.

The 3500 has been put in End of Sale in 2013 and will be End of Support 5/19/2018
Not sure if you are planning to replace that product? SonicWall has something called a Secure Upgrade program, where you get discount to swap out your 3500.
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

IBSITAuthor Commented:
I am in process of upgrading to the 3600. In the interim do you have any ideas as to what it can be?
0
J SpoorTMECommented:
are you pointing the firewall to the main AD's DNS server?
And does that DNS server have Conditional DNS forwarders configured for the other ADs?

Your setup is highly dependent on DNS forwarders.

e.g. say user1@domainB tries to be authenticated, SSO agent will send domainB\user1 to the firewall, the firewall will try to authtenticate this to domainA's LDAP server, domain LDAP server will send the firewall a refereal message to contact LDAP server at domain
this is normally done via an fqdn, eg adserver.domainb.local
if the firewall can not resolve this this fails.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
J SpoorTMECommented:
also make sure the user you use as logon as on the SSO agent service, is a local admin on all the domain pcs
0
J SpoorTMECommented:
addendum, a 2650 (gen 6.5) is almost as fast as a 3600 (gen 6), suggest you buy that instead of the 3600
0
IBSITAuthor Commented:
"are you pointing the firewall to the main AD's DNS server?" Eureka! somehow it was set to Google's DNS.
0
IBSITAuthor Commented:
Thank you very much for helping achieve a positive result. Appreciate it very much,
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.