topic Hi, in Web Security

WSA - AD Issue

Sea NT — Sun, 03 Apr 2016 14:55:00 GMT

Greetings,

There appears to be some issue between AD and WSA, wherein some user authentication specifics are not getting returned from the AD to WSA.

On testing the authentication settings in WSA, it was observed that there is some clocking mismatch with 10.140.20.51

What could possibly be the issue shown in the warning message above ?

Checking DNS resolution of WSA hostname(s)...

Success: Resolved 'AEADWS01-ADSSC.adssc.int' address: 10.140.18.208

Success: Resolved 'webproxy1.adssc.int' address: 10.140.151.11

Checking DNS resolution of Active Directory Server(s)...

Success: Resolved '10.140.20.51' address: 10.140.20.51

Success: Resolved '10.140.20.52' address: 10.140.20.52

Checking DNS resolution of AD Server(s)' full computer name(s)...

Success: Resolved 'ASPWPDCS01.adssc.int' address: 10.140.20.51

Success: Resolved 'ASVWPDCS02.adssc.int' address: 10.140.20.52

Validating configured Active Directory Domain...

Success: Active Directory Domain Name for '10.140.20.51' : ADSSC.INT

Success: Active Directory Domain Name for '10.140.20.52' : ADSSC.INT

Attempting to get TGT...

Success: Kerberos Tickets fetched from server '10.140.20.51' :

Success: Kerberos Tickets fetched from server '10.140.20.52' :

Checking local WSA time and server time difference...

Warning: Cannot check system time on AD server '10.140.20.51'

Success: AD Server time and WSA time difference within tolerance limit

Attempting to fetch AD group information...

Success: Able to query for AD Group Information from Active Directory server '10.140.20.51'.

Success: Able to query for AD Group Information from Active Directory server '10.140.20.52'.

Hi

Handy Putra — Mon, 04 Apr 2016 03:09:28 GMT

What AD server and version that you are using? are you using AD 2012 R2? if yes, check whether SMBv1 is disabled in the AD server since WSA is only supporting SMBv1.

Also check the event logs in the AD server, whether record any errors such as errors 1058 and 1030.

Hi,

Sea NT — Mon, 04 Apr 2016 04:45:23 GMT

Hi,

We're using AD 2012 R2 and yes, SMBv1 is protocol is enabled (along with SMBv2). Also, no event logs in the AD server pertaining to any errors such as errors 1058 and 1030.

Thanks

Hello Handy,

abadcabassa — Fri, 12 May 2017 10:12:33 GMT

Hello Handy,

I am in need of assistance. I came across this post you made and it seems like it is related to my issue. With our WSA on ASYNC OS 10.1.1 we cannot get authentication to work correctly when SMB V1 is turned off on the domain controllers. SMB V1 being on is not an option anymore. I am reading your post where you say the WSA only supports SMB V1 but is this still the case with the latest OS release? I am not having fun troubleshooting this. Another question is if we used the agents on the domain controllers would there be a need for SMB at all?

I am having the same problem,

KriegerPiloto — Fri, 19 May 2017 06:58:38 GMT

I am having the same problem, after disabling SMB I have lost authentication of AD users, please help

Hi

bonifaceaa — Mon, 22 May 2017 04:12:20 GMT

SMB v1 needs to enabled in server, even I faced the same issue after disabling SMBv1.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo70696/?referring_site=bugquickviewredir

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo34050/?referring_site=bugquickviewredir