AD users in Protected Users group
Hi
What is the reason that Mobile VPN with SSL users cannot authenticate to Windows AD when the user is a member of the Protected Users group?
Regards
Robert
Comments
Hello,
The protected user group is AD specific -- the firewall will just read it as another group. If there's no 'protected user' group configured on the firewall, it'll just ignore it.
-James Carson
WatchGuard Customer Support
@james.carson
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
No, I mean the issue is that as soon as a user becomes a member of the Protected Users group, authentication stops working. I suspect it is because Fireware does not support Kerberos and only does NTLM, and that's why I get an authentication failure.
admLdapSessBindingChkResult: more binding error:80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52f, v2580
This basically means invalid password, but as it is the correct password, I think the root cause is missing Kerberos support in the admd.
I have a support case running, # 01594181.
/Robert
Hi RV,
That's AD making the reject, so your hunch is probably right. Since you have a case open it'll be best to leave it with that team to find the exact cause.
-James Carson
WatchGuard Customer Support
@james.carson
I just got it confirmed by Michael Ditmann. It is because AD rejects NTLM authentication and requires Kerberos.
Ldap data error code 52f:
49 52f 1327 ERROR_ACCOUNT_RESTRICTION
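Added example, not part of the thread or of any WatchGuard tooling: a small parser for the `AcceptSecurityContext error, data ...` string that AD returns on a failed LDAP bind, so that a defender triaging firewall or application logs can tell a genuinely wrong password (`52e`) apart from the `52f` account restriction seen here. The code table uses the Microsoft-documented sub-error codes; the log lines fed in are constructed for the example, with the first one copied from the thread above.

```python
import re
from collections import Counter

# Sub-error codes that Active Directory places in the "data" field of an LDAP
# bind failure (LDAP result 49, invalidCredentials). The hex value is also the
# Win32 error number: 0x52f == 1327 == ERROR_ACCOUNT_RESTRICTION, as quoted
# in the thread. The other rows are the commonly documented sibling codes.
AD_BIND_DATA_CODES = {
    "525": ("ERROR_NO_SUCH_USER", "user not found"),
    "52e": ("ERROR_LOGON_FAILURE", "invalid credentials (wrong password)"),
    "52f": ("ERROR_ACCOUNT_RESTRICTION",
            "account restriction, e.g. Protected Users blocking NTLM"),
    "530": ("ERROR_INVALID_LOGON_HOURS", "logon not permitted at this time"),
    "531": ("ERROR_INVALID_WORKSTATION", "logon not permitted from this host"),
    "532": ("ERROR_PASSWORD_EXPIRED", "password expired"),
    "533": ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    "701": ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password"),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Matches the AD bind-error diagnostic message, e.g.
# "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52f, v2580"
BIND_ERROR_RE = re.compile(
    r"(?P<ldap_err>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),\s*"
    r"comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(line):
    """Return a dict describing the AD bind failure in `line`, or None if the
    line carries no AcceptSecurityContext diagnostic."""
    m = BIND_ERROR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    name, meaning = AD_BIND_DATA_CODES.get(data, ("UNKNOWN", "unrecognised data code"))
    return {
        "ldap_err": m.group("ldap_err").lower(),
        "dsid": m.group("dsid"),
        "comment": m.group("comment").strip(),
        "data": data,
        "win32_error": int(data, 16),   # the decimal Win32 error number
        "name": name,
        "meaning": meaning,
        # Only 52e is a real "bad password"; every other code means the
        # password was accepted but the logon was refused for another reason.
        "bad_password": data == "52e",
    }


def triage(lines):
    """Count bind failures per data code so a burst of 52f (restriction) is not
    mistaken for a burst of 52e (password guessing), or vice versa."""
    counts = Counter()
    for line in lines:
        parsed = parse_ad_bind_error(line)
        if parsed is not None:
            counts[parsed["name"]] += 1
    return dict(counts)


# Constructed sample: the first line is the one quoted in the thread, the
# others are made up to show the contrast with a wrong password and a lockout.
SAMPLE_LOG = [
    "admLdapSessBindingChkResult: more binding error:80090308: LdapErr: "
    "DSID-0C09044E, comment: AcceptSecurityContext error, data 52f, v2580",
    "admLdapSessBindingChkResult: more binding error:80090308: LdapErr: "
    "DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580",
    "admLdapSessBindingChkResult: more binding error:80090308: LdapErr: "
    "DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580",
    "admLdapSessBindingChkResult: bind ok",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_ad_bind_error(entry))
    print(triage(SAMPLE_LOG))
```

For the thread's own line the parser yields data `52f`, Win32 error 1327, `ERROR_ACCOUNT_RESTRICTION`, with `bad_password` false, which is exactly the distinction Robert draws: the password is right, the logon is being refused by policy.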
@rv@kaufmann.dk Thank you for following up, I'm glad Michael could help.
-James Carson
WatchGuard Customer Support