WSA - AD Issue

Sea NT
Level 1
Greetings,

There appears to be some issue between AD and WSA, wherein some user authentication specifics are not getting returned from the AD to WSA.

 

On testing the authentication settings in WSA, it was observed that there is some clocking mismatch with 10.140.20.51

What could possibly be the issue shown in the warning message above?

 

Checking DNS resolution of WSA hostname(s)...

Success: Resolved 'AEADWS01-ADSSC.adssc.int' address: 10.140.18.208

Success: Resolved 'webproxy1.adssc.int' address: 10.140.151.11

 

Checking DNS resolution of Active Directory Server(s)...

Success: Resolved '10.140.20.51' address: 10.140.20.51

Success: Resolved '10.140.20.52' address: 10.140.20.52

 

Checking DNS resolution of AD Server(s)' full computer name(s)...

Success: Resolved 'ASPWPDCS01.adssc.int' address: 10.140.20.51

Success: Resolved 'ASVWPDCS02.adssc.int' address: 10.140.20.52

 

Validating configured Active Directory Domain...

Success: Active Directory Domain Name for '10.140.20.51' : ADSSC.INT

Success: Active Directory Domain Name for '10.140.20.52' : ADSSC.INT

 

Attempting to get TGT...

Success: Kerberos Tickets fetched from server '10.140.20.51' :

 

Success: Kerberos Tickets fetched from server '10.140.20.52' :

 

 

Checking local WSA time and server time difference...

Warning: Cannot check system time on AD server '10.140.20.51'

Success: AD Server time and WSA time difference within tolerance limit

 

Attempting to fetch AD group information...

Success: Able to query for AD Group Information from Active Directory server '10.140.20.51'.

Success: Able to query for AD Group Information from Active Directory server '10.140.20.52'.

Handy Putra
Cisco Employee

Hi,

What AD server and version are you using? Are you using AD 2012 R2? If yes, check whether SMBv1 is disabled on the AD server, since WSA only supports SMBv1.

Also check the event logs on the AD server for any recorded errors, such as errors 1058 and 1030.
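
The two checks suggested in the reply above, as an added PowerShell example that is not part of the thread or of Cisco's documentation. It assumes an elevated session on a Windows Server 2012 or later domain controller; the look-back window and the choice of the System and Application logs are assumptions, and the WSA addresses are the two that the diagnostic output in the question resolved.

```powershell
# Added example: run elevated on the domain controller (Server 2012 or later).
$DaysBack     = 7                                # assumed look-back window
$WsaAddresses = '10.140.18.208', '10.140.151.11' # WSA addresses from the test output above

# 1. Which SMB protocol families does this server accept?
$smb = Get-SmbServerConfiguration
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    SMB1Enabled = $smb.EnableSMB1Protocol
    SMB2Enabled = $smb.EnableSMB2Protocol        # this switch governs SMBv2 and SMBv3
} | Format-List

# 2. Which dialect did each currently connected client negotiate?
#    ClientComputerName is usually the client's IP address; the FromWSA column
#    flags sessions coming from the WSA addresses listed above.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect,
        @{ n = 'FromWSA'; e = { $WsaAddresses -contains $_.ClientComputerName } } |
    Sort-Object Dialect |
    Format-Table -AutoSize

# 3. Any events with ID 1058 or 1030 in the look-back window?
$filter = @{
    LogName   = 'System', 'Application'          # assumed logs to search
    Id        = 1058, 1030
    StartTime = (Get-Date).AddDays(-$DaysBack)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($events) {
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, ProviderName,
            @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
} else {
    Write-Output "No events 1058/1030 in the last $DaysBack days on $env:COMPUTERNAME."
}
```

Run it on each domain controller the WSA is configured to use, since the diagnostic output in the question shows different results for 10.140.20.51 and 10.140.20.52.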

Hi,

We're using AD 2012 R2 and yes, the SMBv1 protocol is enabled (along with SMBv2). Also, there are no event logs on the AD server pertaining to any errors such as errors 1058 and 1030.

Thanks

Hello Handy,

I am in need of assistance. I came across this post you made and it seems like it is related to my issue. With our WSA on ASYNC OS 10.1.1 we cannot get authentication to work correctly when SMB V1 is turned off on the domain controllers. SMB V1 being on is not an option anymore. I am reading your post where you say the WSA only supports SMB V1 but is this still the case with the latest OS release? I am not having fun troubleshooting this. Another question is if we used the agents on the domain controllers would there be a need for SMB at all?

I am having the same problem. After disabling SMB I have lost authentication of AD users. Please help.

Hi,

SMB v1 needs to be enabled on the server; I also faced the same issue after disabling SMBv1.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo70696/?referring_site=bugquickviewredir

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo34050/?referring_site=bugquickviewredir