Author Topic: Auth Server - AD problems - PLEASE HELP! I'M DOWN!  (Read 35826 times)

TheCleaner

Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« on: August 24, 2007, 01:51:10 pm »
I have a ticket open with Juniper TAC, but I want to get this fixed so I'm looking to you guys for help too!

Here's the deal:

I upgraded from 5.5r2 to 6.0 today and now nobody can log in.  I even downgraded back and still nothing, so I went back again to 6.0 and it is still down.

Client logs say:
7-08-24 14:45:05 - ive - [24.253.236.127] MURPHY\jhall(Murphy Employees)[] - Login failed. Reason: NoRoles
Info AUT24326 2007-08-24 14:45:05 - ive - [24.253.236.127] MURPHY\jhall(Murphy Employees)[] - Primary authentication successful for MURPHY\jhall/Murphy AD from 24.253.236.127

They do have roles assigned...

If I go to the auth servers and test configuration I get:

Either the server is not a domain controller of the domain or the Netbios name of the domain is different from the active directory (LDAP) name.
On the Domain Controller I see some strange things like Event 27: 
While processing a TGS request for the target server host/ivename.fwmurphy.com, the account IVENAME$@FWMURPHY.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 2.  The accounts available etypes were 23  -133  -128  3  1.
and

Computer Account Deleted:
  Target Account Name: ivename$
  Target Domain: MURPHY
  Target Account ID: S-1-5-21-1891193558-681279342-996637233-4988
  Caller User Name: HOST/ivename
  Caller Domain:
  Caller Logon ID: (0x0,0x29798E01)
  Privileges: -

even though ivename$ isn't even the name of the host specified in the auth server advanced settings.

Right now nobody can log in using their AD account information.  I've tried rebooting, I've tried setting up a new auth server, etc.  I'm sure it has SOMETHING to do with the IVE appliance computer account not authenticating to the domain, but cannot find anything that will help me get it to work right.

HELP!!!
JNCIA-FWV
Find me on Experts Exchange as well
<My stuff:  SSG520, 5GT, SSG20's, SA-2000, WXC-250's>

spacyfreak

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #1 on: August 25, 2007, 01:45:58 am »
In my scenario, my IVE machines (SA2000) don't have any AD computer account, but it works fine.
I think there is a problem with the role mapping.

I don't know what TAC is, but Juniper SA appliances have a "Policy Tracing" functionality. When you turn it on and test the login of a user, it traces each step of the authentication and role mapping process, so you can easily find out where the error occurs.
Maybe - as a workaround - you could change the role mapping rule to
If Username
is
*
then assign this role
<any>

I also had a "strange" issue, but only with ONE Username which was not mapped right to the proper role.

Maybe you could also do a factory reset of the machine, and then load the OS image that worked before you upgraded to 6.0 again.

You should also try with different user accounts; maybe only your testing user account has the problem?

spacyfreak

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #2 on: August 25, 2007, 01:47:51 am »
In my scenario, I only need a user account which has the right to search in Active Directory, but no computer account for the IVE system. I don't know what the computer account in AD is needed for; in my case it works fine though I don't have a computer account for the Juniper machines in AD.

Only a Domain-Admin account is needed, and only if you want users to be able to change their password via the appliance.

spacyfreak

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #3 on: August 25, 2007, 01:48:57 am »
Maybe in your case you could delete the machine account in AD and create a new one?

Infranet

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #4 on: September 03, 2007, 04:41:07 am »
Do you use group lookup in role mapping rules?
The 'No roles' error means: user auth is successful and the user doesn't qualify for any roles.
If you are using role mapping rules with group lookup, can you please modify them to not use group lookup and check whether it works or not.

thanks

spacyfreak

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #5 on: September 04, 2007, 02:49:09 am »
If you use the role mapping rule
If username is * then assign this role blah-role
and it works, then the problem is - as manojkreddy said - a role mapping problem.
Maybe your LDAP authorization does not work properly.
Are the AD groups added to the IVE server catalog? Is the LDAP server configured properly?

MR.Sharky

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #6 on: September 04, 2007, 06:26:45 am »
Hi,
Actually I have the same problem. After upgrading to ver 6 - same symptom. But after downgrading to the previous version everything comes back perfect. So my suggestion - try downgrading the version and wait (like me) for a patch.

Friend  8-)

kmm005

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #7 on: September 04, 2007, 09:32:37 pm »
spacyfreak is correct, you have a role mapping problem.
Your realm must specify LDAP (aka AD) as the directory/attribute server.
You could have the Base DN, filter, or the member attribute set incorrectly.
Try accessing the server catalog to see if you can enumerate the groups.  If things are configured properly, you should get a list of all your AD groups when you select the Search in the Server Catalog.
I'd bet if you changed to "username is *" in your role mappings that everyone would get in.

kmm005

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #8 on: September 04, 2007, 09:34:56 pm »
And don't forget to run a policy trace!
This can give you great info when you are troubleshooting.  Under Maintenance | Troubleshooting | Policy Tracing.
Make sure the Authentication and Role Mapping boxes are checked.  This can often give you a lot of information.

spacyfreak

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #9 on: September 04, 2007, 10:47:02 pm »
Yeah, this troubleshooting function POLICY TRACING is one of the best features that god gave us in this century! Hehe. It shows you exactly what is going wrong.

MR.Sharky

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #10 on: September 05, 2007, 12:44:33 am »
Hey guys
"the cleaner" talks about an upgrade, not about a first configuration. Before upgrading it was working, so what is the difference between "before" and "after", I mean policy and AD binding...?

Regards

kmm005

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #11 on: September 05, 2007, 06:14:49 am »
You're right - I'm not suggesting it isn't an issue with the upgrade.  But clearly the problem is with role mapping because he's using group membership to map users to roles.  That's why he sees "Reason: NoRoles" in the IVE log.  A policy trace can give additional information to help in troubleshooting.
The fact that the server is saying the IVE doesn't have a "suitable key for generating a Kerberos ticket" says to me that the authentication server is AD, not LDAP.  We don't know if this is a clustered environment or not.
When you define a computer name on the AD authentication server definition, the IVE joins the domain - which is one reason you need to specify an administrator username/password.  If you're in a cluster, these names must be different because each IVE joins the domain.  Perhaps in this case one IVE account in the cluster is fine, and the other isn't.
This computer account, according to the admin guide, is necessary for the IVE to enumerate groups.  That's why I suggested looking at the server catalog.
I would try to fix this by changing the computer names and making sure the account specified is an admin.  You could roll back to the old version, but if your account is messed up in the domain, it won't work with the earlier version either.
Another thing to try is to specify NTLM v2 instead of Kerberos.
Good Luck!

shaykster

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #12 on: September 12, 2007, 01:40:53 pm »
I have the same issue - when trying to test connectivity on the Auth ADNT page it displays that the NetBIOS name is not the same as the LDAP AD name. However, adding the groups through the server catalog is fine. The moment I use group expressions for role mapping it doesn't authenticate, with an error in the policy trace saying 'unable to connect to GC', although the logs show that authentication is successful. The moment I put "username is *" instead of using group membership, all users are authenticated. Here is the error I am getting:

2007/09/11 22:39:13 - IC030HO01 - [0.0.0.0] - domain\engineer(Users)[] - Groups obtained during winbind auth....
2007/09/11 22:39:13 - IC4000 - [0.0.0.0] - domain\engineer(Users)[] - Trying for AD groups ...
2007/09/11 22:39:13 - IC4000 - [0.0.0.0] - domain\engineer(Users)[] - GetUserGroups: Found GC 129.1.1.10, GC Domain DOMAIN
2007/09/11 22:39:13 - IC4000 - [0.0.0.0] - domain\engineer(Users)[] - GetUserGroups: Fails to connect to GC!
2007/09/11 22:39:13 - IC4000 - [0.0.0.0] - domain\engineer(Users)[] - Trying for global,local AD groups from domain DOMAIN...
2007/09/11 22:39:13 - IC4000 - [0.0.0.0] - domain\engineer(Users)[] - There are no groups obtained for the user


I then came across a KB article with the following;

Problem
If a domain has a different NetBIOS name and LDAP name, then group lookup sometimes fails.
 
Solution
When the ADNT server catalog is built during rule formation, the group name is attached to the NetBIOS name (in the form of "<Netbios name>/<groupName>") of the domain to which the group belongs. This is because the IVE uses MSRPC calls to get all groups in the domain, at which point it knows the NetBIOS name. Whereas, for the group lookup of the logged-in user, the IVE tries to fetch the user's groups using MSRPC calls and LDAP calls (contacting the Global Catalog). LDAP calls return the new LDAP name of the domain, which is attached to the group name (in the form of "<LDAP domain name>/<group name>") and sent to the role mapping module. This domain-name mismatch causes the problem.
Fix: In 5.4, while building the server catalog, a map of the NetBIOS name and the new LDAP name for each domain whose names are different is stored in the cache. During a group lookup both names are compared.
Workaround in 5.3: Use a custom expression to add group names in the rule. For example, once you do a search in the server catalog, you would get "<netbios domain name>/<group name>" as entries. Manually add another entry "<LDAP name>/<group name>".   How to get the LDAP name?  This is the first part of the full distinguished name of the domain. If the domain name is "XYZ.ABC.COM" then the LDAP name is "XYZ".

Baldrick

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #13 on: September 13, 2007, 06:36:01 pm »
We had the same problem after upgrading to 6.0. Eventually rolled back to 5.5, which fixed it. I've got policy traces of the errors and am sending them to JTAC.

ahd71

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #14 on: September 18, 2007, 10:02:02 am »
Hi,

We have the same problem too with 6.0R1.

It seems that in our case it works if the user has the required group as a primary group in AD, but otherwise it doesn't work. That is not an acceptable solution, so we are still researching this problem.

BR /ahd71

Baldrick

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #15 on: September 18, 2007, 10:13:52 am »
What happens is that V6.0R1 code does not seem to gather the user groups fully via winbind.

[To see this do a policy trace on the user]

V5.5R1
It gets the groups in the old NT style...

Domain01/UserGroup1
Domain01/UserGroup2
Domain01/UserGroup3

& in the newer AD style...
domain/usergroup1
domain/usergroup2
domain/usergroup3

In V6.0R1 it only seems to gather the primary group via the old NT style...

Domain01/UserGroup1

& in the newer AD style...
domain/usergroup1
domain/usergroup2
domain/usergroup3

So if you have role mapping that is based upon membership of usergroup2 & 3 it will not work and error with "No roles found".

However within the SA you can still access the groups in the Domain01/UserGroup1 style when you browse for them creating your role mapping rules.

JTAC now have our Snapshot, TCPdump, Logs files, kitchen sink etc.

Will let you know when I get an answer.

Balders....
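The KB excerpt quoted by shaykster (groups cataloged as "<NetBIOS name>/<group>" but looked up as "<LDAP name>/<group>") and Baldrick's trace above (6.0R1 returning only the primary group in the NT style but every group in the AD style) describe the same failure: a role mapping rule keyed on one spelling of the domain never matches groups returned under the other, so the user ends up with "NoRoles". The following Python model is an added illustration written for this thread, not Juniper code; it reproduces the strict comparison that fails, the 5.4-style alias map, and the 5.3 workaround of duplicating each rule under the LDAP name. The domain, user and group names are constructed sample values.

```python
# Added example (not Juniper's code): models the NetBIOS/LDAP group-name mismatch
# described in this thread and the two remedies the KB article gives.
# All domain and group names below are constructed sample values.


def split_group(qualified):
    """'Domain01/UserGroup2' -> ('domain01', 'usergroup2'); AD names are case-insensitive."""
    domain, _, group = qualified.partition("/")
    return domain.casefold(), group.casefold()


def ldap_short_name(dns_domain):
    """LDAP name as the KB defines it: first label of the DNS name ('XYZ.ABC.COM' -> 'XYZ')."""
    return dns_domain.split(".")[0]


def build_alias_map(domains):
    """domains: iterable of (netbios_name, dns_domain) pairs.

    Mirrors the 5.4 fix: the NetBIOS name and the LDAP short name of a domain
    both resolve to one canonical key, so 'Domain01/X' and 'domain/X' compare equal.
    """
    aliases = {}
    for netbios, dns in domains:
        key = netbios.casefold()
        aliases[key] = key
        aliases[ldap_short_name(dns).casefold()] = key
    return aliases


def normalize(qualified, aliases):
    domain, group = split_group(qualified)
    return aliases.get(domain, domain), group


def evaluate_roles(user_groups, rules, aliases=None):
    """rules: list of (qualified_group, role). Returns the set of roles the user qualifies for.

    An empty result is what the IVE logs as 'Login failed. Reason: NoRoles'.
    With aliases=None this is the strict string compare that fails in the thread.
    """
    aliases = aliases or {}
    have = {normalize(g, aliases) for g in user_groups}
    return {role for grp, role in rules if normalize(grp, aliases) in have}


def add_ldap_name_rules(rules, domains):
    """5.3 workaround from the KB: for every rule keyed on '<NetBIOS>/<group>', add a
    second rule keyed on '<LDAP name>/<group>' so the strict comparison still matches."""
    ldap_for = {nb.casefold(): ldap_short_name(dns) for nb, dns in domains}
    extra = []
    for grp, role in rules:
        domain, _, group = grp.partition("/")
        if domain.casefold() in ldap_for:
            extra.append((f"{ldap_for[domain.casefold()]}/{group}", role))
    return list(rules) + extra


# Constructed sample data shaped like Baldrick's 6.0R1 trace: the NT-style lookup
# returns only the primary group, the AD-style lookup returns all three groups.
DOMAINS = [("Domain01", "domain.example.com")]   # (NetBIOS name, DNS/LDAP name), sample values
USER_GROUPS = [
    "Domain01/UserGroup1",
    "domain/usergroup1", "domain/usergroup2", "domain/usergroup3",
]
# Role-mapping rules as the server catalog writes them (NetBIOS-prefixed), keyed on
# the non-primary groups, which is exactly the case that breaks in the thread.
RULES = [("Domain01/UserGroup2", "Employees"), ("Domain01/UserGroup3", "VPN-Full")]


def demo():
    """Returns (strict result, result with alias map, result with 5.3 workaround)."""
    strict = evaluate_roles(USER_GROUPS, RULES)
    fixed = evaluate_roles(USER_GROUPS, RULES, build_alias_map(DOMAINS))
    worked_around = evaluate_roles(USER_GROUPS, add_ldap_name_rules(RULES, DOMAINS))
    return strict, fixed, worked_around


if __name__ == "__main__":
    for label, roles in zip(("strict compare", "alias map (5.4)", "dup rules (5.3)"), demo()):
        print(f"{label:16s} -> {sorted(roles) or 'NoRoles'}")
```

Run as-is, the strict comparison yields no roles for a user who is only a non-primary member of UserGroup2 and UserGroup3, while either remedy maps the user to both roles; the point to take from it is that a policy trace listing groups under a domain spelling that differs from the server catalog's is the signature of this failure, not a sign that authentication itself broke.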

ahd71

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #16 on: September 18, 2007, 10:24:51 am »
Thanks Baldrick,

We also have a newly opened ticket with JTAC, but I'm still trying to upload our kitchen zink ;-)

May I ask for your case number to refer to it in our case as it seems that we have exactly the same problem? You can PM me if you don't want to go public, and of course only if you want to share it.

BR / ahd71

Baldrick

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #17 on: September 18, 2007, 10:33:48 am »
PM sent...

spacyfreak

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #18 on: September 18, 2007, 02:01:53 pm »
http://img516.imageshack.us/img516/6906/ldapconfigive54r3oi4.png

I do it with AD for authentication and an additional LDAP server for authorization. And it works fine.

Frac

Re: Auth Server - AD problems - PLEASE HELP! I'M DOWN!
« Reply #19 on: September 19, 2007, 02:10:02 am »
hi,

I saw that once too; I think the problem was that my domain was wrong! (like the KB article was saying)

I had "company.local" and it needed to be just "company".
Another thing I saw that could give problems (but not sure it was this error):

is at the AD server settings:

Kerberos Realm Name
Specify the method to use to get Kerberos Realm Name for AD servers.

=> choose => Use LDAP to get Kerberos realm name

Then everything worked.

GreetZ,
Frac
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com