I'm at a loss, and I can't find a forum post that offers a solution that works for me.
I have two SG230 appliances, configured for HA, running firmware 9.312-8. I have an AD bind user configured and it tests successfully. I can test user auth successfully. I have WebAdmin configured to authenticate based on AD group membership and it works. I'm trying to change the User Portal from local auth to AD auth so my hotspot voucher creators can use AD accounts to access the User Portal.
I've created a group in AD called "Hotspot Admins" and created a matching group "AD Hotspot Admins" on the UTM with dynamic membership pointing to the AD group (same process I used for configuring the "Firewall Admins" group for WebAdmin auth). My non-admin AD user account is included in this group.
In the User Portal configuration I include Any in the Allowed networks, Allow all users is unchecked, and my AD Hotspot Admins UTM group is included in the Allowed users list as well as a local test account.
Single Sign-On in Authentication Services is not configured.
I do not want to dynamically create AD or local user accounts when someone tries to log in, so I left Create users automatically unchecked. I want to explicitly control who can log in by using AD group membership with existing AD accounts.
The local test account always works and my AD account always fails to authenticate in the User Portal. My AD security logs show successful authentication for both the bind account as well as my AD account with which I'm testing. Each attempt generates three aua messages in the UTM log: "Child is running too long. Terminating child", "Trying (adirectory)", and then an "Authentication failed" warning.
If I check Create users automatically I get two additional messages in the aua log--updateUserObject: a different object exists and updateUserObject: no user object created.
Does anyone have any ideas?
This thread was automatically locked due to age.
