AD users in Protected Users group

Hi

What is the reason that Mobile VPN with SSL users cannot authenticate to Windows AD when the user is a member of the Protected Users group?

Regards
Robert

Comments

  • james.carson Moderator, WatchGuard Representative

    Hello,

    The Protected Users group is AD specific -- the firewall will just read it as another group. If there's no 'Protected Users' group configured on the firewall, it'll just ignore it.

    -James Carson
    WatchGuard Customer Support

  • @james.carson

    https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

    No, I mean the issue is that as soon as a user becomes a member of the Protected Users group, authentication stops working. I suspect it is because Fireware does not support Kerberos and only does NTLM, and that's why I get an authentication failure.

    admLdapSessBindingChkResult: more binding error:80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52f, v2580

    This basically means invalid password, but as it is the correct password, I think the root cause is missing Kerberos support in admd.

    I have a support case running, # 01594181.

    /Robert

  • james.carson Moderator, WatchGuard Representative

    Hi RV,

    That's AD making the reject, so your hunch is probably right. Since you have a case open it'll be best to leave it with that team to find the exact cause.

    -James Carson
    WatchGuard Customer Support

  • @james.carson

    I just got it confirmed by Michael Ditmann. It is because AD rejects NTLM authentication and requires Kerberos.

    LDAP data error code 52f:
    49 52f 1327 ERROR_ACCOUNT_RESTRICTION

  • james.carson Moderator, WatchGuard Representative

    @rv@kaufmann.dk Thank you for following up, I'm glad Michael could help.

    -James Carson
    WatchGuard Customer Support
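The thread turns on reading the `data 52f` sub-code out of the `AcceptSecurityContext` bind error and recognising it as ERROR_ACCOUNT_RESTRICTION (1327) rather than a wrong password (which would be `data 52e`). The following Python decoder is an added example, not code from WatchGuard or from anyone in this thread; it applies the standard Microsoft mapping of the hex sub-code to its Win32 error and adds a triage hint, so an admin looking at admd or LDAP logs can tell "password rejected" apart from "logon blocked by an account policy such as Protected Users membership". The log lines other than the one quoted above are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hex "data" sub-codes that Active Directory returns in an
# "AcceptSecurityContext error, data NNN" bind failure, mapped to the
# corresponding Win32 error name and its decimal value.
AD_BIND_DATA_CODES = {
    "525": ("ERROR_NO_SUCH_USER", 1317),
    "52e": ("ERROR_LOGON_FAILURE", 1326),          # bad username or password
    "52f": ("ERROR_ACCOUNT_RESTRICTION", 1327),    # the code seen in this thread
    "530": ("ERROR_INVALID_LOGON_HOURS", 1328),
    "531": ("ERROR_INVALID_WORKSTATION", 1329),
    "532": ("ERROR_PASSWORD_EXPIRED", 1330),
    "533": ("ERROR_ACCOUNT_DISABLED", 1331),
    "701": ("ERROR_ACCOUNT_EXPIRED", 1793),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", 1907),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", 1909),
}

# Short triage hints; the 52f hint reflects the thread's finding that
# Protected Users membership blocks NTLM even when the password is correct.
TRIAGE_HINTS = {
    "52e": "credentials were wrong: check the username/password the device sends",
    "52f": "password may be correct but an account policy rejected the logon "
           "(e.g. Protected Users membership, which disallows NTLM; Kerberos is required)",
    "533": "account is disabled in AD",
    "775": "account is locked out; look for a lockout source before resetting",
}

BIND_ERROR_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


@dataclass
class BindFailure:
    data_code: str      # hex sub-code as it appears in the log, lower-cased
    win32_name: str     # Win32 error name, or UNKNOWN if not in the table
    win32_code: int     # decimal value of the hex sub-code
    hint: str


def decode_bind_error(line: str) -> Optional[BindFailure]:
    """Return the decoded bind failure for one log line, or None if the line
    does not carry an AcceptSecurityContext error."""
    m = BIND_ERROR_RE.search(line)
    if not m:
        return None
    code = m.group(1).lower()
    name, dec = AD_BIND_DATA_CODES.get(code, ("UNKNOWN", int(code, 16)))
    hint = TRIAGE_HINTS.get(code, "see the Win32 error name for the account condition")
    return BindFailure(code, name, dec, hint)


def triage(lines) -> list:
    """Decode every bind failure in an iterable of log lines, skipping the rest."""
    return [f for f in (decode_bind_error(l) for l in lines) if f is not None]


# The first line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG_LINES = [
    "admLdapSessBindingChkResult: more binding error:80090308: LdapErr: DSID-0C09044E, "
    "comment: AcceptSecurityContext error, data 52f, v2580",
    "admLdapSessBindingChkResult: more binding error:80090308: LdapErr: DSID-0C09044E, "
    "comment: AcceptSecurityContext error, data 52e, v2580",
    "admLdapSessBindingChkResult: bind OK for user=alice",
]

if __name__ == "__main__":
    for failure in triage(SAMPLE_LOG_LINES):
        print(f"data {failure.data_code} -> {failure.win32_name} ({failure.win32_code}): {failure.hint}")
```

The distinction the decoder draws is the one that resolved this thread: `52e` means the supplied credentials were wrong, while `52f` means AD accepted that it knows the account but a restriction on it refused the logon, which is exactly what Protected Users does to an NTLM-based bind.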
