Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 18 replies
  • Subscribers 1 subscriber
  • Views 7207 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows 2008 R2 - SSO mit Active Directory

JohTraub
Hallo,

Infos zum Aufbau:
- DomänenController ist ein Windows 2008 R2 Server
- Astaro Web Gateway 2000 ist mit Filterfunktion im gleichen Netzwerk
- 20 Clients mit Domänenanbindung und Windows XP

Auf dem Gateway ist under "Benutzer -> Authentifizierung -> Server" der DomänenController eingerichtet. Servertest und Benutzerabfrage funktionieren ohne Probleme.

Eine Registerkarte weiter "Single Sign-On" schaut es genauso gut aus. Verbindung zur Domäne kann richtig hergestellt werden.

Unsere Benutzer werden auch alle sauber aus dem Active Directory ausgelesen und auf dem Gateway angelegt.

Der Proxy auf dem Gateway ist aktiviert und auf Single-Sign-On eingestellt, die Gruppe der AD-User beim Modus SSO hinzugefügt.

Leider funktioniert am Client jetzt das Single-Sing-On nicht. Wir bekommen die Fehlermeldung Access Denied. Die gleiche Konstellation in Verbindung mit einem Windows 2003 Server als DC funktioniert ohne Probleme.

Weiß jemand woran es liegt?

Gruß
JohTraub


This thread was automatically locked due to age.
  • 0 in reply to ionee
    Active directory version 2008 R2 and domain functional level 2008 R2. With this combination and the ASG release 8.103, I'm not able to Join the domain.


    ==> /var/log/fallback.log 
  • 0 in reply to stkfor
    i'm currently running 2008 R2 AD in 2008 Mode with  ASG 8.102 without problems. gonna upgrade to 8.103 this weekend and will post here if i encounter the same problem.
  • 0
    Hi ionee,
    What are exactly the functional levels of your forest and domain?
    Thank You.

    Active Directory Domain and Forest Functional Levels | Mark Parris
  • 0 in reply to stkfor
    i got both running in "Windows Server 2008" - i have not yet upgraded to 2008 R2 Levels.
  • 0 in reply to ionee
    i have here execly the same problem. / Ich habe hier genau das gleiche Problem mit dem 2003er Server.

    the astaro read/sync every user from the 2003, the test logins work and the astaro is joined the domain. but if i probe to make a login via vpn pptp (or another authentification required service) i got the following errors in the log:

    die Astaro liest und syncronisiert alle User aus dem AD, alle Tests funktonieren und die Astaro ist Member in der Domain. Aber trotzdem funktioniert keine Authentifizierung der Domain User. 

    2011:08:08-11:31:51 firewall aua[10802]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:31:51 firewall aua[10802]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="mschwarz" caller="pptp" reason="DENIED"
    2011:08:08-11:32:18 firewall aua[10862]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:32:19 firewall aua[10862]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="mschwarz" caller="pptp" reason="DENIED"
    2011:08:08-11:33:25 firewall aua[10936]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:33:26 firewall aua[10936]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="administrator" caller="pptp" reason="DENIED"
    2011:08:08-11:35:55 firewall aua[11163]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:35:55 firewall aua[11163]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="administrator" caller="pptp" reason="DENIED"
    2011:08:08-11:37:06 firewall aua[11253]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:37:06 firewall aua[11253]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="administrator" caller="pptp" reason="DENIED"
    2011:08:08-11:43:37 firewall aua[11503]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:43:37 firewall aua[11503]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:44:21 firewall aua[11573]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:44:21 firewall aua[11573]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:47:45 firewall aua[11914]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:47:45 firewall aua[11914]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:35:55 firewall aua[11163]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:35:55 firewall aua[11163]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="administrator" caller="pptp" reason="DENIED"
    2011:08:08-11:37:06 firewall aua[11253]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:37:06 firewall aua[11253]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="administrator" caller="pptp" reason="DENIED"
    2011:08:08-11:43:37 firewall aua[11503]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:43:37 firewall aua[11503]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:44:21 firewall aua[11573]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:44:21 firewall aua[11573]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:47:45 firewall aua[11914]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:47:45 firewall aua[11914]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:35:55 firewall aua[11163]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:35:55 firewall aua[11163]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="administrator" caller="pptp" reason="DENIED"
    2011:08:08-11:37:06 firewall aua[11253]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:37:06 firewall aua[11253]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="administrator" caller="pptp" reason="DENIED"
    2011:08:08-11:43:37 firewall aua[11503]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:43:37 firewall aua[11503]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:44:21 firewall aua[11573]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:44:21 firewall aua[11573]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:47:45 firewall aua[11914]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:47:45 firewall aua[11914]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"
    2011:08:08-11:47:45 firewall aua[11914]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="abiringer" caller="pptp" reason="DENIED"
    2011:08:08-11:56:15 firewall aua[12479]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"
    2011:08:08-11:56:15 firewall aua[12479]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test request: m:adirectory, f:none, u:alex76, ip:0.0.0.0"
    2011:08:08-11:56:15 firewall aua[12479]: id="3006" severity="info" sys="System" sub="auth" name="Testing method adirectory"
    2011:08:08-11:56:15 firewall aua[12479]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:56:16 firewall aua[12479]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test successfull"
    2011:08:08-11:57:14 firewall aua[12511]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"
    2011:08:08-11:57:14 firewall aua[12511]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: adirectory"
    2011:08:08-11:57:15 firewall aua[12511]: id="3006" severity="info" sys="System" sub="auth" name="Bind test successfull. Method: adirectory"
    2011:08:08-11:58:25 firewall aua[12553]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.1.5 (adirectory)"
    2011:08:08-11:58:25 firewall aua[12553]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="0.0.0.0" user="alex76" caller="pptp" reason="DENIED"


    i use 8.103 in my case. ich verwende die Version 8.103.

    did anyone have a idea? Hat hier jemand eine Idee?
  • 0
    Alex, Thanks for asking this question with good details.  I think you have a different problem.  On the 'Servers' tab of 'Users >> Authentication', move the RADIUS server to a position above the Active Directory server.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,

    i don't use a radius server for authentification or is this needed? i have a adirectory access, so it must be possible to authentificate the users with this link. 

    i find the problem, who can read is clearly beneficial in:

    on pptp tag:
    ,,Please select the authentication method to use. RADIUS can only be used when a RADIUS server has been configured in Users->Authentication->RADIUS. When using Local authentication, please also select Users and groups that should be able to use PPTP remote access. Important: PPTP only supports Local and RADIUS authentication types. Users that are authenticated against other methods will not work."


    kind regards

    Alex
  • 0
    Thanks for posting that. I'm interested to know if RADIUS works correctly in V8 when it's not in position above your AD server. 

    Cheers - Bob

    Sorry for any short responses!  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Cookie Information Banner