04-03-2016 07:55 AM
Greetings,
There appears to be some issue between AD and WSA, wherein some user authentication specifics are not getting returned from the AD to WSA.
On testing the authentication settings in WSA, it was observed that there is some clocking mismatch with 10.140.20.51.
What could possibly be the issue shown in the warning message above?
Checking DNS resolution of WSA hostname(s)...
Success: Resolved 'AEADWS01-ADSSC.adssc.int' address: 10.140.18.208
Success: Resolved 'webproxy1.adssc.int' address: 10.140.151.11
Checking DNS resolution of Active Directory Server(s)...
Success: Resolved '10.140.20.51' address: 10.140.20.51
Success: Resolved '10.140.20.52' address: 10.140.20.52
Checking DNS resolution of AD Server(s)' full computer name(s)...
Success: Resolved 'ASPWPDCS01.adssc.int' address: 10.140.20.51
Success: Resolved 'ASVWPDCS02.adssc.int' address: 10.140.20.52
Validating configured Active Directory Domain...
Success: Active Directory Domain Name for '10.140.20.51' : ADSSC.INT
Success: Active Directory Domain Name for '10.140.20.52' : ADSSC.INT
Attempting to get TGT...
Success: Kerberos Tickets fetched from server '10.140.20.51' :
Success: Kerberos Tickets fetched from server '10.140.20.52' :
Checking local WSA time and server time difference...
Warning: Cannot check system time on AD server '10.140.20.51'
Success: AD Server time and WSA time difference within tolerance limit
Attempting to fetch AD group information...
Success: Able to query for AD Group Information from Active Directory server '10.140.20.51'.
Success: Able to query for AD Group Information from Active Directory server '10.140.20.52'.
04-03-2016 08:09 PM
Hi
What AD server and version are you using? Are you using AD 2012 R2? If yes, check whether SMBv1 is disabled on the AD server, since WSA only supports SMBv1.
Also check the event logs on the AD server to see whether they record any errors, such as errors 1058 and 1030.
04-03-2016 09:45 PM
Hi,
We're using AD 2012 R2 and yes, the SMBv1 protocol is enabled (along with SMBv2). Also, there are no event logs on the AD server pertaining to any errors such as errors 1058 and 1030.
Thanks
05-12-2017 03:12 AM
Hello Handy,
I am in need of assistance. I came across this post you made and it seems like it is related to my issue. With our WSA on ASYNC OS 10.1.1 we cannot get authentication to work correctly when SMB V1 is turned off on the domain controllers. SMB V1 being on is not an option anymore. I am reading your post where you say the WSA only supports SMB V1 but is this still the case with the latest OS release? I am not having fun troubleshooting this. Another question is if we used the agents on the domain controllers would there be a need for SMB at all?
05-18-2017 11:58 PM
I am having the same problem. After disabling SMB I have lost authentication of AD users. Please help.
05-21-2017 09:12 PM
Hi
SMB v1 needs to be enabled on the server; I also faced the same issue after disabling SMBv1.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo70696/?referring_site=bugquickviewredir
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo34050/?referring_site=bugquickviewredir
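Added example, not part of any post in this thread and not Cisco's or Microsoft's own procedure: a way to confirm from the domain controller side whether the proxy is one of the clients still negotiating SMBv1, before SMBv1 is switched off. It assumes the DC's Windows build exposes the AuditSmb1Access setting and that the audit event text contains a "Client Address:" field; the two proxy addresses are the ones resolved in the test output earlier in the thread.

```powershell
# Run in an elevated PowerShell session on each domain controller.
# Assumption: this Windows build supports the AuditSmb1Access setting.

# 1. Show which SMB dialect families the server currently offers.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

# 2. Log SMB1 access without changing which dialects are served.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. After a normal period of proxy use, read the SMB1 audit events
#    (event ID 3000 in the SMBServer audit log).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

# 4. Count SMB1 connections per client address.
#    Assumption: the event message carries a "Client Address:" field.
$clients = $events |
    ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count

$clients | Format-Table -AutoSize

# 5. Check whether either proxy address from the test output is among them.
$proxyAddresses = '10.140.151.11', '10.140.18.208'
$hits = $clients | Where-Object { $proxyAddresses -contains $_.ClientAddress }

if ($hits) {
    Write-Output 'Proxy still connects with SMB1; disabling SMB1 would affect it:'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No SMB1 access recorded from the proxy addresses in this audit window.'
}
```

Any other addresses in the per-client table are further SMBv1 dependencies to resolve before the protocol is disabled on the domain controllers.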