Adding Domain Authenicated user through WG Portal

BarryGBarryG
in Firebox - Other

We have done this many times before but I must have the steps wrong. Via the WebUI adding a Access Portal user against out AD server name XYZ.com and adding the full email address I get error message Valid special character are... so its borking at using the @ symbol in the name.

We have a bunch of user names added like this so I'm not sure what steps I'm missing?

Best Answer

  • james.carsonjames.carson Moderator, WatchGuard Representative
    Answer ✓

    @BarryG
    The process to search for is 'portald' in traffic monitor. You may need to turn up logging in diagnostic logging to see more info.
    In Policy manager, it's under Setup -> Logging, diagnostic log level.
    In WebUI, it's under System -> Diagnostic Log.

    Access Portal is under the Subscription Services category.

    For event logs, checking the RDP server right after the event happens is the easiest way -- there's so many event IDs in windows that it's hard to suggest anything specific to search for.

    -James Carson
    WatchGuard Customer Support

Answers

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @BarryG
    I just tried this on v12.7.2 in access portal and was able to, with an @ in the name for both AD, RADIUS, and AuthPoint type users.

    Can you please check to make sure you're not copy/pasting any extraneous special characters or spaces before or after the user name?
    If it's still not working, I'd suggest opening a support case, as @ should be allowed.

    -James Carson
    WatchGuard Customer Support

  • BarryGBarryG

    Ok thanks James. I was on 12.6.x and rolled up the cluster to 12.7.2

    This seems to have solved that problem. Great. now I just have to figure out why I'm not able to route or get RDP with an UPSTREAM_NOT_FOUND error, where as other users set up this way on the same VLANS have access? IP addresses and port 3389 are correct in both cases..

  • BarryGBarryG
    edited January 2022

    OK on further testing this seems to be the way WG is parsing TLS or RDP now? All of our previous setups have used TLS and forced the user to logon with their network credentials.

    Now if I add a new machine to an existing Access Portal profile that used LTS and trusted Cert. Or create a new access rule, I can only get it to work if I use the ANY protocol and am forced to enter saved creds. So it looks like I'll now have to update the profile every time we force a user to change their network password.

    Does anyone else see this?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @BarryG
    If it's only working via Any, that likely means that NLA is what ends up being used. The error you were getting before suggests the RDP server is ignoring the requests otherwise.

    I'd suggest checking the logs in traffic monitor and on the RDP server to see if there's any more information. The stored credentials for NLA is Microsoft's requirement.

    -James Carson
    WatchGuard Customer Support

  • BarryGBarryG
    Thanks. I can check traffic monitor though I didn't see anything or maybe I wasn't filtering correctly. Uhmm what RDP server are we talking about?

    The Access portal makes a direct connection to the remote desktop client of the windows 10 machine. How would I check that except to see it maybe logged in the windows event viewer of the workstation I'm trying to connect to?

    Thanks
  • james.carsonjames.carson Moderator, WatchGuard Representative

    The RDP server would be the windows 10 machine.
    If you have a windows domain, you can likely use MMC to view event viewer for it remotely, otherwise it'd be looking at it on the machine itself.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.