5 Replies Latest reply on Mar 7, 2012 4:57 AM by PhilM

    Active passport by Active Directory, Windows Failed

    galaxyus

      Hi All,

       

      How could we configure Active Passport using authenticators by AD, Windows? The web browser always prompts the user to authenticate, but it does not succeed.

      In the case of the password authenticator, it succeeds.

       

      Thanks for any help.

        • 1. Re: Active passport by Active Directory, Windows Failed
          PhilM

          If you have selected both password and active directory authenticators in the Passport server and you have specified password as being the default authenticator, when you log into the passport service and wish to use active directory credentials you must prefix the username accordingly.

           

          It's been almost a year since I had to configure this myself, but I think that it is formatted <authenticator>:<username> - where <authenticator> is the name you have given to that authenticator entry on the firewall.

           

          So, if you called the authenticator entry "AD", you would log in as "galaxyus" to use the password credentials and "AD:galaxyus" to force the passport service to check the credentials against active directory. (no " " marks, of course).

           

          Hope that helps.

           

          -Phil.

          • 2. Re: Active passport by Active Directory, Windows Failed
            galaxyus

            Hi Phil,

            You have experience with MFE, like https://community.mcafee.com/message/192865#192865. I meant that when users want to connect to the internet, they have to authenticate by ID/PW in AD.

            My rule: User & Groups: authenticated - Authenticator: AD (replacement None/Passport), like I configured in Authenticator. But it is not successful. What more do I need to configure?

             

            Gala.

            • 3. Re: Active passport by Active Directory, Windows Failed
              sliedl

              What does the audit say?  Are you failing authentication?  What does the AD server log say when the firewall tries to authenticate?

              • 4. Re: Active passport by Active Directory, Windows Failed
                galaxyus

                I misconfigured it.

                It works great, like in this link: https://community.mcafee.com/message/192865#192865

                We are using passive passport and active passport for the rule defined:

                - Authenticator: we defined AD (AD IP: port) --- Search: Search in Active Directory Domain (yourdomain.com)

                - Passport: Active: Inband mode -- Authenticator: AD (defined before)

                Rule like this:

                - Users & Groups: <Authenticated>

                - Authenticator: <None/Passport>

                The first time users use the web browser, they have to authenticate by AD username/pw.

                 

                Gala.

                • 5. Re: Active passport by Active Directory, Windows Failed
                  PhilM

                  It is possible that I may have misled you in my earlier reply regarding the correct format to use when logging into the active passport service.

                   

                  I've checked back through the forum for my own enquiry on this subject and it would appear that you need to prefix the password field with the chosen authenticator name, not the username field.


                  So, I originally said that if you wanted to specify your Active Directory authenticator (which I called "AD" in the example) you should log into the passport server using "AD:<username>" and then issue the password, when I actually think that you need to log in as "<username>" and then enter "AD:<password>" in the password field.

                   

                  -Phil.
