This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSO-AD Not Working - Not seeing the user ID

BurtonComputerServices over 12 years ago

I am working on a ASG220 v8.308 for a client who recently added the web filter license to their unit and I'm having a very hard time getting the SSO-AD filtering working so we can limit by AD groups.  I've gone back and forth with their primary support people (those that sold them the Astaro) and they have given up and said I should contact Astaro/Sophos directly so hopefully these forums will answer my questions (they only have "standard" support).

The first thing I did was made sure under network services -> DNS that the allowed networks as blank and the only forwarded was their internal DNS server.  Then under Definitions and Users -> Authentication Servers -> Servers and added the domain controller.  I then tested using a user on the domain and one not on the domain and the domain user authenticated correctly and listed as in the "authenticated users" group.  I then went to the "Single Sign-On" tab and added the Astaro to the domain (successfully).

Everything looked good up until this point so I we added some groups in Active Directory for different access levels, one being for some users that need eBay access.  In AD we added a group called "Filter-eBay" and added users to it.  Then on the Astaro I went to Definitions and USers -> Users and Groups -> Groups.  I added a new group called "Fitler-eBay", group type Backend, backend Active Directory.  I put in a group filter of "CN=Filter-eBay,CN=Users,DC=domain,DC=local".  I went back to the authentication server -> server tab and tested a user that is in the eBay filter group and one that wasn't and it correctly showed the membership.

I then turned on the web filter and using a user within the "ebay" group (which is setup to allow ebay, paypal, etc) I tried to get to eBay and I received the blocked message.  I turned on the live log for web filtering and I see the issue...there is no "User" being seen:

srcip="10.0.1.63" dstip="66.201.160.87" user="" statuscode="304"

Everything looks correct as per the help file.  What am I missing?  It's not "seeing" the user so therefor the filters are failing which I understand but why isn't it seeing the user and how do I fix this?  Right now I threw a Web Filter Profile at the top of the list called "Temp Access" that's operational mode is "Standard" but authentication is set to "None" so they at least have web access although not as limited as it should be.  If i switch the authentication to Active Directory SSO, which is that I want, they get prompted over and over for a user name and password when I thought it should be as the name implies Single Sign On.  Everyone has a proxy server set in their browsers and we are using the FQDN of the Astaro (which also is in DNS).

-Allan

This thread was automatically locked due to age.

Parents

0 Longman over 12 years ago

In my setup I used in the "Group Filter" the Pre-Windows 2000 naming convention as found on the General Tab of the group in Active Directory. You can try that. I have a couple ad groups using the web filter for quite a while with no issues.
Cancel
Vote Up 0 Vote Down

Cancel
0 BurtonComputerServices over 12 years ago in reply to Longman

Bob - I didn't run through those exact instructions but the ones in the help file within the Astaro itself.  With that said it looks like I did follow the same instructions and yes I did NOT check the boxes to create users automatically (it didn't make sense to do so but I debated it).

The only thing I see that might be missing is I have no Base DN for my authentication server.  If I test the login of one of the users in my "full access" group this is what I get:

User authentication:
Authentication test passed.

User is a member of the following groups:
Active Directory Users
Filter-FullAccess

Which is correct.  I have one other group called "Filter-eBay" that the user I tested is not in.  So the test works.  I did add a Base DN of "CN=Users,DC=ourdomain,DC=local" but it didn't make a difference although I can't switch the web filter to standard mode until the systems not being used (it's set for transparent right now since I can't get the users to show up).

Is there anything else I can check?  Right now on the Web Security -> Web Filtering section it's set for Transparent mode and authentication: None.  If I switch the authentication to AD SSO the user gets prompted over and over so I left that on none.  Then under "Web Filtering Profiles" I have my top profile set for Operational Mode: Standard and when I switch the authentication to AD SSO the user gets denied everything since the user isn't showing up in the log.  So right now in the profiles authentication is set to none.  If I look in the live log I see my profile name so it seems to follow the profile (my profile name is "TEMP - Allow Everything But Harrmful for Everyone" for now):

2013:02:17-22:42:35 Firewall1 httpproxy[24145]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.142" dstip="108.160.160.158" user="" statuscode="200" cached="0" profile="REF_HttProTempAllowEvery (TEMP - Allow Everything But Harrmful for Everyone)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="15" request="0x8f81d08" url="notify23.dropbox.com:80/subscribe

So things are working with my temp profile but if I could get the router to recognize the user I can get rid of this and go back to th actual filters based on AD groups.

-Allan
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BurtonComputerServices over 12 years ago in reply to Longman

Bob - I didn't run through those exact instructions but the ones in the help file within the Astaro itself.  With that said it looks like I did follow the same instructions and yes I did NOT check the boxes to create users automatically (it didn't make sense to do so but I debated it).

The only thing I see that might be missing is I have no Base DN for my authentication server.  If I test the login of one of the users in my "full access" group this is what I get:

User authentication:
Authentication test passed.

User is a member of the following groups:
Active Directory Users
Filter-FullAccess

Which is correct.  I have one other group called "Filter-eBay" that the user I tested is not in.  So the test works.  I did add a Base DN of "CN=Users,DC=ourdomain,DC=local" but it didn't make a difference although I can't switch the web filter to standard mode until the systems not being used (it's set for transparent right now since I can't get the users to show up).

Is there anything else I can check?  Right now on the Web Security -> Web Filtering section it's set for Transparent mode and authentication: None.  If I switch the authentication to AD SSO the user gets prompted over and over so I left that on none.  Then under "Web Filtering Profiles" I have my top profile set for Operational Mode: Standard and when I switch the authentication to AD SSO the user gets denied everything since the user isn't showing up in the log.  So right now in the profiles authentication is set to none.  If I look in the live log I see my profile name so it seems to follow the profile (my profile name is "TEMP - Allow Everything But Harrmful for Everyone" for now):

2013:02:17-22:42:35 Firewall1 httpproxy[24145]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.142" dstip="108.160.160.158" user="" statuscode="200" cached="0" profile="REF_HttProTempAllowEvery (TEMP - Allow Everything But Harrmful for Everyone)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="15" request="0x8f81d08" url="notify23.dropbox.com:80/subscribe

So things are working with my temp profile but if I could get the router to recognize the user I can get rid of this and go back to th actual filters based on AD groups.

-Allan
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data