4 Replies | Latest reply: Oct 30, 2013 7:41 AM by kdesnayer

    Active Passport with AD

    kdesnayer

      Howdy all,

      I have looked through other posts and also opened a ticket with McAfee. Seems all my settings are correct on the firewall to get Active Passport working with AD. I get prompted properly by the firewall for my AD login credentials. When I type in the correct credentials for a user in the External Group, I continually get prompted for my credentials. No error pops up. I can see the firewall and AD talking using Wireshark. Looks like the AD is not passing the authentication approval back to the firewall.

      Does anyone know of any special settings that need to be set in AD to make this work? We are running Server 2008 Standard.

      This is from the firewall log.

      2013-10-29 15:01:26 -0400 f_http_proxy a_aclquery t_info p_trivial
      pid: 60636 logid: 0 cmd: 'httpp' hostname: STIPMFW01.SECURETECHNOLOGIES.CA
      user_name: (null) auth_method: failed-AD srcip: 192.168.10.180 srcport: 51121
      srczone: internal protocol: 6 dstip: 192.168.10.11 dstport: 8111
      dstzone: internal rule_name: <Implicit Passport - AD>
      information: SKIP: rule requires authentication; client authentication failed

      Cheers,

      Kevin
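The audit record quoted in the post above is the one thing a practitioner can work with while chasing this: a client that keeps being re-prompted leaves a run of `auth_method: failed-AD` records with `user_name: (null)` from the same `srcip`. The following is an added example, not code from the post or from McAfee: a small parser for records of that shape and a check that surfaces clients accumulating such failures. The field names and the failure record come from the post; the extra sample records are constructed, and the `auth_method`/`information` values used for a successful authentication are assumed, since the page only shows the failure form.

```python
"""Parse McAfee Firewall Enterprise audit records of the shape quoted in the
post and flag clients that keep failing Passport/AD authentication.

Added example, not McAfee code. POSTED is the record from the post, joined
onto one line; the other sample records are constructed.
"""
import re
from collections import Counter

# Field names observed in the record quoted in the post.
KEYS = ("pid", "logid", "cmd", "hostname", "user_name", "auth_method",
        "srcip", "srcport", "srczone", "protocol", "dstip", "dstport",
        "dstzone", "rule_name", "information")
_KEY_ALT = "|".join(KEYS)

# "<date> <time> <tz> <facility> <area> <type> <priority> <key: value ...>"
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<facility>\S+) (?P<area>\S+) (?P<type>\S+) (?P<priority>\S+) "
    r"(?P<body>.*)$")

# Values may contain spaces (rule_name, information), so a value runs until
# the next known key or the end of the record.
KV_RE = re.compile(
    rf"\b(?P<key>{_KEY_ALT}): (?P<value>.*?)(?= (?:{_KEY_ALT}): |$)")


def parse_record(line: str) -> dict:
    """Turn one audit record (possibly wrapped across lines) into a dict."""
    m = HEADER_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    rec = {k: v for k, v in m.groupdict().items() if k != "body"}
    rec.update((kv.group("key"), kv.group("value"))
               for kv in KV_RE.finditer(m.group("body")))
    return rec


def is_auth_failure(rec: dict) -> bool:
    """True when the rule was skipped because Passport authentication failed."""
    return (rec.get("auth_method", "").startswith("failed-")
            or "client authentication failed" in rec.get("information", ""))


def repeated_failures(lines, threshold: int = 3) -> dict:
    """Map each srcip to its count of auth failures that carry no user name.

    A burst of these from one client is the "keeps prompting me" symptom:
    the proxy never receives a usable identity, so every retry is logged
    with auth_method failed-<authenticator> and user_name (null).
    """
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if is_auth_failure(rec) and rec.get("user_name") == "(null)":
            counts[rec["srcip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Record from the post, joined onto one line.
POSTED = (
    "2013-10-29 15:01:26 -0400 f_http_proxy a_aclquery t_info p_trivial "
    "pid: 60636 logid: 0 cmd: 'httpp' hostname: STIPMFW01.SECURETECHNOLOGIES.CA "
    "user_name: (null) auth_method: failed-AD srcip: 192.168.10.180 srcport: 51121 "
    "srczone: internal protocol: 6 dstip: 192.168.10.11 dstport: 8111 "
    "dstzone: internal rule_name: <Implicit Passport - AD> "
    "information: SKIP: rule requires authentication; client authentication failed")

# Constructed records: two more re-prompts from the same client, then one
# from another client whose authentication succeeded. The success tokens
# ("AD", "allowed") are assumed; the page shows only the failure form.
SAMPLE = [
    POSTED,
    POSTED.replace("15:01:26", "15:01:31").replace("51121", "51122"),
    POSTED.replace("15:01:26", "15:01:40").replace("51121", "51123"),
    (POSTED.replace("15:01:26", "15:02:05")
           .replace("192.168.10.180", "192.168.10.55")
           .replace("failed-AD", "AD")
           .replace("(null)", "jdoe")
           .replace("SKIP: rule requires authentication; "
                    "client authentication failed", "allowed")),
]

if __name__ == "__main__":
    for ip, n in repeated_failures(SAMPLE).items():
        print(f"{ip}: {n} unauthenticated Passport failures")
```

Feed it a whole audit export (one record per line, or the wrapped form the post shows) and any client listed is one the firewall is repeatedly challenging; that narrows the problem to the firewall/authenticator exchange for that host rather than the user's credentials.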

        • 1. Re: Active Passport with AD
          kdesnayer

          Also, if anyone can confirm the following setting on the firewall.

          When creating the Windows authenticator, I am creating a new Windows domain controller, and am asked to enter the IP address and Name (Windows Domain Controller Name).

          Do I use the host name here, or the fully qualified domain name, or just the domain?

          Thanks.

          • 2. Re: Active Passport with AD
            sliedl

            Make sure the user is a local user on the firewall also. The username must exist on the firewall.

            Make sure you are using <None/Passport> as the authentication method in the rule and set the AD authenticator as the default (or only) authenticator to use for Passport (in the Passport section of the GUI).

            I would always use an IP address for the server.

            • 3. Re: Active Passport with AD
              kdesnayer

              Can you confirm what goes here next to Windows Domain Controller Name, as I am getting different answers depending on who I talk to?

              Message was edited by: kdesnayer on 10/30/13 7:27:50 AM CDT
              • 4. Re: Active Passport with AD
                kdesnayer

                Also, it seems to me the firewall is not posting the Called Name to the AD server.

                [Attached screenshots: screenshot.2.jpg, screenshot.3.jpg]