How to configure SonicWall Active Directory integration

  • Published on 22 Aug 2024
  • This video explains how to do Active Directory integration with SonicWall firewalls. It covers LDAP and LDAPS, some testing, as well as my own personal little things I like doing with AD authentication.
    AD integration: www.sonicwall....
    LDAPS: www.sonicwall....
    my video on SSLVPN: • How to configure Sonic...
    my video on Single Sign On (SSO): • How to configure Sonic...

Comments • 50

  • @user-ss8ee4sq1t · a year ago

    Hi Jean, excellent tutorial as always, and I appreciate you spending the time putting this together.
    Ran through LDAP setup initially, working well. Then tried the next step of changing over to LDAPS with import of the generated certificate from the root.cer file, split DNS, etc. Test to server fails with "Error connecting to LDAP server Message returned from LDAP: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)". Rechecked setup, certificate definitely imported correctly, DNS correct and can resolve server name, rewatched video again and all correct, however it continues to fail.
    Then after a Google search found several people reporting the same error, and the workaround was under LDAP Configuration, Settings, General Settings to uncheck "Require valid certificate from server when using TLS". Did this and now working with LDAPS.
    Any thoughts on why this is required and any issue unchecking this setting?

    • @JeanPierTalbot · a year ago +1

      Thanks for your comment, I have pinned it at the top for others to see.
      Honestly I'm really not an expert in certificates and in AD. Your googling will be as good as mine on that topic :-)

    • @user-ss8ee4sq1t · a year ago

      @JeanPierTalbot My certificate skills are probably similar to yours, however at least there is a workaround others may choose to use: uncheck "Require valid certificate from server when using TLS". From my reading the LDAP communication is still encrypted, which is the most important thing.
      I am setting up a new SonicWall implementation next week and will be doing the same AD integration. Will report back on what happens in this case. Thank you once again for the excellent tutorials, looking forward to your upcoming topics (in particular best practices re: logging and reports, I hope).

    • @gavinchilds283 · 11 months ago

      I had the same error, I resolved it by installing the root cert in addition to the server cert. I would expect the root cert alone is all that's required to authenticate the DC. I'm running my own domain joined CA Server, hence having a root cert.
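The thread above comes down to what the firewall's "Require valid certificate from server when using TLS" check actually needs: the certificate of the CA that issued the DC's LDAPS certificate, not the DC certificate on its own. The script below is an added example (not from the video or from SonicWall) that reproduces the "unable to get local issuer certificate" condition with a constructed lab PKI; it assumes the `openssl` CLI is installed, and the names `Lab Root CA` and `dc01.lab.example` are made up.

```shell
# Added example, not from the video or SonicWall: reproduce the LDAPS
# "unable to get local issuer certificate" condition with a lab PKI.
# Assumes the openssl CLI is installed; the root CA and DC certificate
# below are constructed here and stand in for an AD CS root and a DC.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_lab_pki() {
  # Self-signed lab root CA (the "root.cer" the commenters import).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/CN=Lab Root CA" >/dev/null 2>&1
  # DC server certificate issued by that root (the DC's LDAPS certificate).
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" \
    -subj "/CN=dc01.lab.example" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/dc.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/dc.crt" >/dev/null 2>&1
}

# verify_chain <trust-store.crt>: exit 0 if dc.crt chains to a certificate
# in the given trust store, non-zero otherwise. This is the same kind of
# check the firewall performs when "Require valid certificate from server
# when using TLS" is on: it has to find the *issuer* of the DC certificate.
verify_chain() {
  openssl verify -CAfile "$1" "$WORK/dc.crt" >/dev/null 2>&1
}

make_lab_pki

# Trust store holding only the DC's own certificate: the issuer is missing,
# so verification fails, which is the error quoted in the comment above.
if verify_chain "$WORK/dc.crt"; then
  echo "DC cert alone: trusted (unexpected)"
else
  echo "DC cert alone: unable to get local issuer certificate"
fi

# Trust store holding the root CA certificate: the chain validates, so the
# "require valid certificate" check can stay enabled instead of being unchecked.
if verify_chain "$WORK/root.crt"; then
  echo "root CA imported: chain verifies"
fi
```

Unchecking the setting keeps the session encrypted but drops the firewall's authentication of the DC; importing the issuing CA certificate (the root, plus any intermediate) restores the check.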

  • @tommckeown6970 · 3 months ago +1

    Thank you for all the videos. Some of this is so complex that I would never have figured it out on my own. I appreciate all the details. Got me up and working.

  • @MicahW1 · 3 years ago +1

    This was incredibly useful! I am preparing to enable LDAPS, and your video confirmed I am going about it the correct way.

  • @wailakiyt · 7 months ago

    Thanks Jean-Pierre! Really well done.

  • @marciocredes · 3 years ago

    Hi Jean-Pier,
    In my case it happened with Microsoft AD itself. LDAP authorization is functional, but groups are with (MemberOf). I opened a call and I'm waiting.

  • @joker_05194 · months ago

    Hi. I am having an issue related to access rules with AD SSO groups. Only the first rule is working. And if I create the rule with another group and put the rule at second position, the users go to unauthenticated user. And in brackets it shows cannot get the SSO with the 1st rule's access group.

  • @garryhasty6594 · 2 years ago

    Love your videos Jean-Pier! I have a question, I was told you don't want to run Certificate Authority on your Domain Controller. I feel you are very knowledgeable, can you please clarify? MUCH APPRECIATED!

    • @JeanPierTalbot · 2 years ago

      I believe I mentioned it in that video, or another… but I'm really not a Microsoft expert. For this video I installed a 2012 server and followed a video of « Eli the computer guy » on how to set up AD. The last time in my career I deployed AD in production for a customer was with 2003 server… like 2 decades ago! Lol, time flies!
      So I’ll let you research what is the best way to deploy any Microsoft things…

    • @garryhasty6594 · 2 years ago +1

      @JeanPierTalbot A fair response Jean-Pier! Thank you for the reply!

  • @christianissa274 · 3 years ago

    Nice. A couple of questions: for production use, does the DC need to have another role for LDAP, or is it best to spin off another server? Also, what version of SonicOS is this?

    • @JeanPierTalbot · 3 years ago

      Hi Christian, I'm nowhere near an AD security expert. I'm using the domain admin as it's much simpler, but you can create a service account with read access and it should work: www.sonicwall.com/support/knowledge-base/integrating-ldap-active-directory-with-sonicwall-utm-appliance/170707170351983/
      The firmware you see is the new SonicOS 7, currently only available on TZ570 and TZ670.

  • @rayalejandrogaviriaalegria5978 · 2 years ago +1

    Hello community, how do I encrypt the connection between the UTM and the Active Directory?

    • @JeanPierTalbot · 2 years ago +1

      LDAPS is implemented further in that video.

  • @myscbees9041 · 6 months ago

    Jean-Pier, hello. I have a question about one of the additional tips you shared. I am trying to create a rule which allows WAN-LAN for terminal services, with the snl in the middle validating internal groups. If I create the rule under HTTPS, then I can authenticate, but the terminal services don't work. If I create the terminal services connection but change the inbound rule (HTTPS to terminal services), I cannot connect. If I allow 'any' (without any type of AD group auth) for the terminal services, that works. I believe this used to work but doesn't now. Is there a way to do this: use terminal services from the WAN to a LAN object, but require the snl to utilize AD integration for access? It would seem a simple thing to 'wrap' AD auth around an inbound connection; that way the terminal server can be 'open' to the internet, but unless they authenticate the connection won't be made. Thanks, Mark

    • @JeanPierTalbot · 6 months ago

      Hi, I believe I showed exactly this scenario in my tips and tricks video. It has to be a two-step thing.
      First, authenticate to the firewall on HTTPS with your AD user.
      Second, do a little inbound NAT for RDP and select your group in « include user ».
      Keep in mind: if the user is in the airport, then the whole airport has access to RDP, as this type of authentication simply links a WAN IP to a user. Best is to use a VPN client. See my SSL VPN video.

  • @boedillard8807 · 2 years ago

    Thanks for the video. I'm looking at Radius to sonicwall as we are limited to 250 user accounts (not licenses but user accounts) on our sonicwall. I'm confused between this and radius and if there is an advantage to this vs. radius. Thanks in advance.

  • @henrymoisesmejia4583 · a year ago

    What should I keep in mind if I need to operate 2 AD servers, since eventually one of them will disconnect, and how does it affect the settings that use SSL VPN?

    • @JeanPierTalbot · a year ago +1

      Simply add your second AD server in the list :-)

  • @tomlapaz1 · 3 years ago

    We have a SMA500v and instead of Microsoft AD we use OpenLdap. Authorization with LDAP is working but Groups are not (MemberOf). I opened a case with Sonicwall but until now they couldn’t find a solution. I don’t like that in most cases Ldap integration is based on Microsoft’s AD and not on open software.

    • @JeanPierTalbot · 3 years ago

      Hi Thomas,
      please email me your ticket number.

    • @tomlapaz1 · 3 years ago

      @JeanPierTalbot It is part of ticket # 43511827

  • @jayshah1992 · a year ago

    Hello sir, I tried exactly as you mentioned in the video.
    But it does not work.
    It keeps giving me the below error message when I press the test button.
    "Warning! LDAP can not be enabled in FIPS mode without a valid local certificate for TLS!".
    We already imported a certificate from our domain controller, so not sure what the issue is.
    Any help in getting this to work will be greatly appreciated.
    Our firewall operates in FIPS mode.

    • @JeanPierTalbot · a year ago

      Unfortunately I won’t be able to help out with the FIPS mode. Best would be to call support for help.
      Do you really need FIPS? Or did you enable it just because?

    • @jayshah1992 · a year ago

      @JeanPierTalbot No problem. I got it figured out.

  • @phillipank1213 · 3 years ago

    Hi Jean-Pier,
    Very helpful and clear video! I got everything setup, and all tested successful, including secure ldap. But when I log in with an AD account, it shows not secure, and only displays a message about limit time remaining. I don't see any options to configure anything. Is there something else to set up?
    Thanks again!

  • @chrisnino5442 · a year ago

    I'm trying to set up the AD integration with LDAP for VPN access, but the UI for this SW FW is older and where you enter the username and the location is AD, it's one cell. I entered the object location from AD and modified the last entry to the user's name but I continue to get the error: Error: Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
    Can you provide any guidance? How can I update the UI? It is a licensed product.

    • @JeanPierTalbot · a year ago +1

      Hi. I'm running the 7th generation of SonicWall products, which were released maybe 3 years ago. If yours is a lot different, chances are you are on the previous generation. Short term, you can upgrade to the latest release of gen6 (you can upgrade your current firewall to gen7 firmware); the latest gen6 firmware UI might be close enough. You may want to consider upgrading your physical firewall to a gen7 unit. If you do a secure upgrade, the value of your remaining licences will transfer to your gen7 unit :-)

  • @sabelomnisi8647 · 3 years ago

    Great video. Much appreciated. I have a question. I have Windows AD set up and LDAPS has been configured on the firewall. I'm struggling with the login page. I can see user activity, however I would like AD and local users to be redirected to a login page before being granted access. A group has been created that will be bypassed, however I can't seem to get the login page up and running. Please advise.

    • @JeanPierTalbot · 3 years ago +1

      Hi Sabelo, thanks for the feedback. I believe this is what you are looking for: www.sonicwall.com/support/knowledge-base/how-can-i-force-user-authentication-prior-to-allowing-traffic-through-the-firewall/170503559814835/

    • @simphiwemnisi1396 · 3 years ago

      @JeanPierTalbot Thank you for your response.

  • @kumaran8203 · a year ago

    Can you please share the process for adding SonicWall GMS 9.3 into our existing NPS server through RADIUS?

    • @JeanPierTalbot · 11 months ago

      Hi, unfortunately GMS is on its last stretch, getting replaced by NSM. So I won't do a video on GMS.

  • @marcryanii3233 · a year ago

    My current config uses local users. If I go ahead with LDAP/AD, will that remove the local users' access? Just asking because I don't want to get rid of the local users until I know that LDAP works well.
    Thanks

    • @JeanPierTalbot · a year ago

      In authentication menu, you can pick « local user / LDAP » that will use both.

  • @dohc281 · 3 years ago +1

    Doesn't the "Warning - LDAP should not be used without TLS other than for diagnostic purposes. This is highly insecure" cause you concern? Standard LDAP traffic is not encrypted.

  • @rayalejandrogaviriaalegria5978 · 2 years ago

    Hi Jean, is there a way to export the Active Directory certificate without being a certification authority?

    • @JeanPierTalbot · 2 years ago +1

      Unfortunately I’m really not a cert expert. Sorry

    • @rayalejandrogaviriaalegria5978 · 2 years ago

      @JeanPierTalbot Thanks. Is it possible to perform the operation from the SonicWall? I mean that on the AD server I can install a certificate generated by the firewall.

    • @JStevensdk7 · 2 years ago

      Yes, you can probably use MAKECERT, but it is not very straightforward. I ended up just adding the CA role to one of my DCs.
      docs.microsoft.com/en-us/virtualization/community/team-blog/2013/20130413-hyper-v-replica-certificate-based-authentication-makecert

  • @francismori7 · 2 years ago

    Where are the next videos? :)

    • @JeanPierTalbot · 2 years ago

      On the todo list… :-)
      (Assuming you are asking about SSO)

  • @mozenrathzerksis174 · 3 years ago

    Configure LDAP on Windows to make it a full tutorial.

  • @tophrob · a year ago

    I used your video to set up LDAP a while back, thanks for that. One strange thing that just started happening is my personal AD account is failing authentication, not allowing me to connect through our VPN. However... every other user in our VPN group CAN connect?! I'm perplexed! When I test my account from LDAP settings, I get authentication failed with the error 80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52f, v4f7c. I've looked that error up to no avail. Seems quite odd that it's just my account, no?!

    • @tophrob · a year ago +1

      I just found out the issue... my account is a member of the Protected Users group. Apparently that membership adds a level of security that doesn't allow LDAP authentication. Wondering if there's a solution other than removing myself from that group?

    • @JeanPierTalbot · a year ago

      Good one. I have no clue. I was about to suggest calling support.
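Two comments in this thread quote the same AD bind failure with different sub-codes (data 52e in the VPN/LDAP comment further up, data 52f here). The sub-code after "data" is what actually tells you why the DC rejected the bind, and the firewall's "Credentials not valid" wrapper hides it. The helper below is an added example (not from the video or SonicWall) that extracts that code and maps it to Microsoft's documented AD bind result meanings; the two sample messages are the ones quoted in this thread.

```shell
# Added example, not from the video or SonicWall: decode the AD sub-code in
# an "AcceptSecurityContext error" bind failure. The "data NNN" meanings are
# Microsoft's documented AD logon result codes (hex of the Win32 error).

# ad_bind_error_reason "<error text>": prints a short reason for the
# "data NNN" sub-code, or "unknown" if the message carries none.
ad_bind_error_reason() {
  code=$(printf '%s\n' "$1" \
    | sed -n 's/.*AcceptSecurityContext error, data \([0-9A-Fa-f]\{3\}\),.*/\1/p' \
    | tr 'A-F' 'a-f')
  case "$code" in
    525) echo "user not found" ;;                # check the login name / user tree
    52e) echo "invalid credentials" ;;           # wrong password or bind DN
    52f) echo "account restriction" ;;           # e.g. logon hours; the commenter above
                                                 # traced theirs to Protected Users membership
    530) echo "logon not permitted at this time" ;;
    531) echo "logon not permitted at this workstation" ;;
    532) echo "password expired" ;;
    533) echo "account disabled" ;;
    701) echo "account expired" ;;
    773) echo "password must be reset" ;;
    775) echo "account locked out" ;;
    *)   echo "unknown" ;;
  esac
}

# Constructed sample input: the two messages quoted in this comment thread.
SAMPLE_52E='Error: Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839'
SAMPLE_52F='80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52f, v4f7c'

for msg in "$SAMPLE_52E" "$SAMPLE_52F"; do
  echo "$(ad_bind_error_reason "$msg"): $msg"
done
```

A 52e on the bind account itself usually means the bind DN or password configured on the firewall is wrong, while a 52f/530/531/775 on a user test points at the account's own restrictions rather than the LDAP configuration.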