What is the reason that mobile VPN users using SSL cannot authenticate to Windows AD when the user is a member of the Protected Users group?
The Protected Users group is AD specific -- the firewall will just read it as another group. If there's no 'Protected Users' group configured on the firewall, it'll just ignore it.
WatchGuard Customer Support
No, I mean the issue is that as soon as a user becomes a member of the Protected Users group, authentication stops working. I suspect it is because Fireware does not support Kerberos and only does NTLM, and that's why I get an authentication failure.
admLdapSessBindingChkResult: more binding error:80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52f, v2580
This basically means invalid password, but as it is the correct password, I think the root cause is missing Kerberos support in admd.
I have a support case running, # 01594181.
That's AD rejecting it, so your hunch is probably right. Since you have a case open, it'll be best to leave it with that team to find the exact cause.
I just got it confirmed by Michael Ditmann. It is because AD rejects NTLM authentication and requires Kerberos.
LDAP data error code 52f:
LDAP result 49, data 52f (decimal 1327): ERROR_ACCOUNT_RESTRICTION
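An added diagnostic for the log line quoted above (this is example code written for this thread, not WatchGuard's admd code or anything the participants posted). It parses the `AcceptSecurityContext error, data NNN` token that AD appends to a failed LDAP bind, maps the hex data code to its Win32 error name, and turns the thread's finding into a triage rule: a 52f (ERROR_ACCOUNT_RESTRICTION) for an account whose password is known to be correct and that sits in Protected Users points at the NTLM restriction rather than a bad credential. The `diagnose` function and its inputs (`password_verified`, `in_protected_users`) are assumptions made for this example; the sample line is the one from the thread, and the second sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The admd bind-failure line quoted in this thread.
SAMPLE_LINE = ("admLdapSessBindingChkResult: more binding error:80090308: "
               "LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, "
               "data 52f, v2580")

# Constructed variant for comparison: same shape, plain wrong password.
SAMPLE_LINE_BAD_PW = SAMPLE_LINE.replace("data 52f", "data 52e")

# AD "data" sub-codes for LDAP result 49 (invalidCredentials). The hex value
# is the Win32 error code itself, so 0x52f == 1327 == ERROR_ACCOUNT_RESTRICTION.
BIND_DATA_CODES = {
    "525": ("ERROR_NO_SUCH_USER", "user not found"),
    "52e": ("ERROR_LOGON_FAILURE", "invalid credentials (wrong password or user name)"),
    "52f": ("ERROR_ACCOUNT_RESTRICTION", "account restriction (logon type not allowed, "
            "logon hours, workstation, or Protected Users NTLM block)"),
    "530": ("ERROR_INVALID_LOGON_HOURS", "outside permitted logon hours"),
    "531": ("ERROR_INVALID_WORKSTATION", "not permitted to log on from this workstation"),
    "532": ("ERROR_PASSWORD_EXPIRED", "password expired"),
    "533": ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    "701": ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", "user must change password at next logon"),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# SSPI status that precedes the LdapErr text; 0x80090308 is the usual value.
SSPI_STATUS = {0x80090308: "SEC_E_INVALID_TOKEN", 0x8009030C: "SEC_E_LOGON_DENIED"}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_SSPI_RE = re.compile(r"binding error:([0-9a-fA-F]{8}):")


@dataclass
class BindFailure:
    sspi_status: Optional[int]
    sspi_name: str
    data: str          # hex string as logged, e.g. "52f"
    win32: int         # same value in decimal, e.g. 1327
    name: str
    meaning: str


def parse_bind_error(line: str) -> Optional[BindFailure]:
    """Extract the AD data code from an LDAP bind failure line; None if absent."""
    m = _DATA_RE.search(line)
    if not m:
        return None
    data = m.group(1).lower()
    s = _SSPI_RE.search(line)
    sspi = int(s.group(1), 16) if s else None
    name, meaning = BIND_DATA_CODES.get(
        data, ("UNKNOWN", f"not in table; look up Win32 error {int(data, 16)}"))
    return BindFailure(sspi, SSPI_STATUS.get(sspi, "unknown"), data, int(data, 16),
                       name, meaning)


def diagnose(line: str, password_verified: bool, in_protected_users: bool) -> str:
    """Hypothetical triage rule: combine the data code with what the admin knows."""
    f = parse_bind_error(line)
    if f is None:
        return "no AcceptSecurityContext data code in line; not an AD bind rejection"
    if f.data == "52f":
        if in_protected_users:
            # Protected Users members cannot authenticate with NTLM; an NTLM-only
            # LDAP bind from the firewall therefore fails even with the right password.
            return ("ERROR_ACCOUNT_RESTRICTION: Protected Users membership blocks NTLM; "
                    "the bind must use Kerberos or the account must leave the group")
        if password_verified:
            return ("ERROR_ACCOUNT_RESTRICTION with a correct password: check logon hours, "
                    "workstation restrictions and Protected Users membership")
        return f"{f.name}: {f.meaning}"
    return f"{f.name}: {f.meaning}"


if __name__ == "__main__":
    print(parse_bind_error(SAMPLE_LINE))
    print(diagnose(SAMPLE_LINE, password_verified=True, in_protected_users=True))
    print(diagnose(SAMPLE_LINE_BAD_PW, password_verified=False, in_protected_users=False))
```

The data code, not the generic SSPI status in front of it, carries the useful information; the regex deliberately keys on the `AcceptSecurityContext error, data` phrase so the same parser works on lines from other LDAP clients that echo AD's bind comment.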
Thank you for following up, I'm glad Michael could help.