[SSL VPN/MAG] Role mapping with group lookup for Juniper Networks SA device is not working in Windows Server 2008/Service Pack 2

SUMMARY:

This article describes an Active Directory authorization issue with Windows Server 2008. With the domain controller's default Netlogon cryptography setting, the test on the SA AD Authentication Server page fails with an error.

PROBLEM OR GOAL:
When testing the configuration against an Active Directory (AD) domain controller running Windows Server 2008, the response is:

Error while joining domain TEST. Possible causes:

– The specified administrator credentials do not properly authenticate.
– The specified domain or domain controller may not be valid.

(TEST here is the name of the domain being joined.)

Note: LDAP authentication with the same credentials against the same server works. The credentials and the LDAP path are therefore fine; what fails is the Netlogon secure channel (domain join) that the SA needs for group lookup.

SOLUTION:

Allow the Windows Server 2008 domain controller to accept the cryptography the SA uses for the Netlogon secure channel. The Windows Server 2008-based domain controller that processes the secure channel request returns the following error code:

Hex: 0x4F1
Decimal: 1265
Symbolic Error: ERROR_DOWNGRADE_DETECTED
Short Error: STATUS_DOWNGRADE_DETECTED
Friendly Error: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Refer to Symptom 3 of the following Microsoft support article:

http://support.microsoft.com/kb/942564

The following excerpt is from the Microsoft support article mentioned above:

"Symptom 3:

A SAMBA SMB client cannot perform a domain join operation to a Windows Server 2008-based domain controller. Or, a SAMBA Server Message Block (SMB) client cannot establish a security channel to a Windows Server 2008-based domain controller.

To work around this problem, make sure that client computers use the cryptography algorithms that are compatible with Windows Server 2008. You may have to request software updates from the product vendors."

If you cannot install the vendor software update (for example, because it would require a service outage), perform the following procedure on the domain controller as a temporary workaround:

  1. Log on to a Windows Server 2008-based domain controller.
  2. Click Start, click Run, type gpmc.msc, and then click OK.
  3. In the Group Policy Management console, expand Forest: DomainName, expand Domains, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
  4. In the Group Policy Management Editor console, expand Computer Configuration, Policies, Administrative Templates, System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
  5. In the Properties dialog box, click the Enabled option, and then click OK.


Note:

By default, the Allow cryptography algorithms compatible with Windows NT 4.0 policy is set to 'Not Configured' in the following Group Policy objects (GPOs):

Default Domain Policy
Default Domain Controllers Policy
Local Computer Policy

By default, a Windows Server 2008-based domain controller behaves as if the Allow cryptography algorithms compatible with Windows NT 4.0 policy were disabled: it programmatically prevents secure channel connections that use the cryptography algorithms of Windows NT 4.0. Tools that enumerate effective policy settings on a member computer or on a domain controller will therefore not show this policy unless you explicitly enable or disable it.

Windows 2000 Server-based and Windows Server 2003-based domain controllers do not have the Allow cryptography algorithms compatible with Windows NT 4.0 policy, so pre-Windows Server 2008 domain controllers accept secure channel requests from client computers even when those clients use the old Windows NT 4.0 cryptography algorithms. In a mixed domain, where secure channel requests are only sometimes handled by a Windows Server 2008-based domain controller, you will therefore see inconsistent results: the SA test succeeds or fails depending on which domain controller answers.

Once a vendor software update that fixes the problem has been installed, or the client computers that use the incompatible cryptography algorithms have been removed, revert the setting:

  1. Install the third-party software updates that fix the problem, or remove the client computers that use incompatible cryptography algorithms.
  2. Repeat steps 1 through 4 above.
  3. In the Properties dialog box, click the Disabled option, and then click OK.

Important: For security reasons, you should reset the option for this policy to Disabled. While it is Enabled, every domain controller that applies the Default Domain Controllers Policy accepts secure channels negotiated with the weaker Windows NT 4.0 algorithms, from any client, not only from the SA. Treat the setting as a time-boxed workaround, record who enabled it and when, and verify after reverting that the SA test still passes with the updated firmware.
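The following PowerShell script is an added example, not part of the KB article or of Juniper's or Microsoft's own tooling. It covers both procedures above: decoding error 1265 as the domain controller reports it, checking whether the Allow cryptography algorithms compatible with Windows NT 4.0 workaround is currently in effect, and enabling or reverting it without opening gpmc.msc. It assumes an elevated PowerShell session on a Windows Server 2008 R2 (or later) domain controller with the GroupPolicy module available; the registry value AllowNT4Crypto under Netlogon\Parameters is the value that backs this policy, and the function names are this example's own.

```powershell
# Added example (not from the KB article). Inspect and toggle the
# "Allow cryptography algorithms compatible with Windows NT 4.0" workaround
# on a domain controller. Requires an elevated session and the GroupPolicy
# module (RSAT) on Windows Server 2008 R2 or later. Function names are ours.
Import-Module GroupPolicy

$NetlogonSubKey = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName      = 'AllowNT4Crypto'                 # registry value behind the policy
$GpoName        = 'Default Domain Controllers Policy'

function Get-NT4CryptoState {
    # 1. Decode the Win32 error the DC returns (decimal 1265 = hex 0x4F1).
    $errText = ([System.ComponentModel.Win32Exception]1265).Message

    # 2. Effective value on this DC. Absent means Not Configured, and a
    #    Windows Server 2008 DC then rejects NT 4.0 cryptography by default.
    $local = Get-ItemProperty -Path "HKLM:\$NetlogonSubKey" -Name $ValueName `
                              -ErrorAction SilentlyContinue

    # 3. What the Default Domain Controllers Policy says. The cmdlet throws
    #    when the value is not configured in the GPO, so swallow that case.
    $gpo = Get-GPRegistryValue -Name $GpoName -Key "HKLM\$NetlogonSubKey" `
                               -ValueName $ValueName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ErrorText     = $errText
        LocalRegistry = if ($local) { $local.$ValueName } else { 'not set (default: NT 4.0 crypto rejected)' }
        GpoSetting    = if ($gpo)   { $gpo.Value }        else { 'Not Configured' }
    }
}

function Set-NT4CryptoCompat {
    # Enable = workaround on (policy Enabled, value 1);
    # Disable = revert as the article recommends (policy Disabled, value 0).
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action
    )
    $value = if ($Action -eq 'Enable') { 1 } else { 0 }
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$NetlogonSubKey" `
                        -ValueName $ValueName -Type DWord -Value $value | Out-Null
    # Apply the policy on this DC now instead of waiting for the refresh interval.
    gpupdate /target:computer /force | Out-Null
    Write-Host "$GpoName : $ValueName = $value ($Action)"
}

# Show the current state first; re-run after changing it to confirm.
Get-NT4CryptoState
# Set-NT4CryptoCompat -Action Enable    # temporary workaround while the SA is unpatched
# Set-NT4CryptoCompat -Action Disable   # revert once the SA firmware is updated
```

Run Get-NT4CryptoState before and after each change and on every domain controller in the domain, because the inconsistent behaviour described in the note above comes from different domain controllers answering the SA's secure channel request. Other domain controllers pick up the GPO change on their normal refresh interval unless you run gpupdate on them too.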

Note: This article applies to Windows 2008 R2 as well.
