This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

LDAP adirectory error

Hi,

My enviroment:

SG125 firmware 9.355-1

AD PDC Windows 2012 R2 at AWS

DNS Forwarders Google Pool 8.8.8.8 8.8.4.4 and a static DNS route mydomain.com to AD PDC server. I added an adirectory server for my domain and a user like Sopho´s docs called utm@mydomain.com. I also tried with mine and same result.

At logs I can see DENIED

2016:05:01-13:20:18 pasarela aua[10209]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: adirectory, error: DENIED

2016:05:01-13:20:18 pasarela aua[10209]: Connection to ldap://172.30.0.103:389 failed"

2016:05:01-13:20:57 pasarela aua[10296]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"

2016:05:01-13:20:57 pasarela aua[10296]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: adirectory"

2016:05:01-13:21:07 pasarela aua[10296]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: adirectory, error: DENIED

2016:05:01-13:21:07 pasarela aua[10296]: Connection to ldap://172.30.0.103:389 failed"

And addition to this,support->tools->DNS query I checked mydomain.com and no result was shown!!!. Why? 

Any idea?

Regards

This thread was automatically locked due to age.

Parents

0 BAlfson over 9 years ago

Edgar, is the time on your PDC the same as on the UTM? Have you followed DNS best practice?

Have you tried Workaround: Joining a AD SSO domain fails for a UTM on W2K12 domain controller?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 9 years ago in reply to BAlfson

HI Balfon,

Yes I followwed those documents and same result.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago in reply to Edgar_Quintana

Is NTLMv1 active on the2012 server?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 9 years ago in reply to BAlfson

Hi,

How to check this?

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 Edgar_Quintana over 9 years ago in reply to Edgar_Quintana

Hi,

Send NTLMv2 response only.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago in reply to Edgar_Quintana

I think you also need to enable NTLMv1 on the Windows Server.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

0 Edgar_Quintana over 9 years ago in reply to BAlfson

Hi,

Changed by registry to 1 decimal value 1 and same error

Value: LMCompatibilityLevel
   Value Type: REG_DWORD - Number
   Valid Range: 0-5
   Default: 0
   Description: This parameter specifies the type of authentication to be
   used.

   Level 0 - Send LM response and NTLM response; never use NTLMv2 session
             security
   Level 1 - Use NTLMv2 session security if negotiated
   Level 2 - Send NTLM authentication only
   Level 3 - Send NTLMv2 authentication  only
   Level 4 - DC refuses LM authentication
   Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)

Reply

0 Edgar_Quintana over 9 years ago in reply to BAlfson

Hi,

Changed by registry to 1 decimal value 1 and same error

Value: LMCompatibilityLevel
   Value Type: REG_DWORD - Number
   Valid Range: 0-5
   Default: 0
   Description: This parameter specifies the type of authentication to be
   used.

   Level 0 - Send LM response and NTLM response; never use NTLMv2 session
             security
   Level 1 - Use NTLMv2 session security if negotiated
   Level 2 - Send NTLM authentication only
   Level 3 - Send NTLMv2 authentication  only
   Level 4 - DC refuses LM authentication
   Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)

Children

No Data