
Not able to authenticate users against an Active Directory infrastructure with Steel-Belted RADIUS


Article ID: KB14322 KB Last Updated: 04 Mar 2017Version: 2.0
Summary:
Authentication failures can be caused by a connectivity problem between SBR and a Domain Controller. This article shows how to verify domain connectivity between a member server running SBR and a Domain Controller by using nltest.exe.
Symptoms:
Symptoms & Errors:
  • Not able to authenticate users against an Active Directory infrastructure with Steel-Belted RADIUS.
  • RADIUS authentication failing.
  • Administrator not able to log in to the SBR admin GUI utility.
  • Windows domain authentication failing.
Solution:
One of the troubleshooting steps used to determine proper domain connectivity is to use a Microsoft tool named nltest.exe. Among the many things this tool can do is check the secure channel between the member server and its domain controller. The utility can be obtained from Microsoft, but it may already be included with the server operating system.

From a command prompt, enter the command ‘nltest’. If the tool is present, you will see the following output:
‘The command completed successfully’

If it is not found, you will need to download it from Microsoft.

Once you have the tool installed, issue the following command from the command prompt:
nltest /sc_query:<domain_name_to_check>

Example:

nltest /sc_query:2003support.local


You should see output similar to the data below.

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\big-domain.2003support.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

If the status code is anything other than 0, research the error code and take the appropriate actions to correct it.

Note: This tool is also useful for determining which DC is being used for domain authentication. In larger AD environments, this information can help isolate issues.

You can also use the nltest tool to reset the secure channel between the member server and its domain controller. Issue the following command from the command prompt:
nltest /sc_reset:<domain_name_to_check>

Example:

nltest /sc_reset:2003support.local

You should see output similar to the data below.

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\big-domain.2003support.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Again, look at the status field for 0 value. If anything other than 0 is returned, you will need to research the error code and take appropriate steps to resolve the issue.
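The following PowerShell script is an added example and is not part of the Juniper KB article or the SBR product: it wraps the two-step procedure above (query the secure channel, read the status field, and only if the status is non-zero optionally reset the channel) so that the check can be run repeatedly on an SBR member server and its result inspected programmatically. It assumes nltest.exe is on the PATH and that the output format matches the sample shown above; the domain name is a parameter you supply, and the script name used in the usage note is a hypothetical one.

```powershell
<#
  Test-SbrSecureChannel.ps1 (hypothetical name; added example, not Juniper code)

  Runs "nltest /sc_query:<domain>" and parses the Trusted DC name and the
  numeric Status field. If the status is non-zero and -ResetOnFailure is given,
  runs "nltest /sc_reset:<domain>" and re-checks the result.
  Assumptions: nltest.exe is on the PATH; output format matches the KB sample.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Domain,          # e.g. 2003support.local (the domain from the article's example)
    [switch]$ResetOnFailure   # attempt /sc_reset only when /sc_query reports a non-zero status
)

# Mirror the article's first step: confirm nltest.exe is actually installed.
if (-not (Get-Command nltest.exe -ErrorAction SilentlyContinue)) {
    Write-Error 'nltest.exe was not found on the PATH; install it from Microsoft before continuing.'
    exit 2
}

function Get-SecureChannelStatus {
    param(
        [string]$Domain,
        [switch]$Reset        # $false -> /sc_query, $true -> /sc_reset
    )

    $verb = if ($Reset) { '/sc_reset' } else { '/sc_query' }
    $arg  = '{0}:{1}' -f $verb, $Domain

    # Capture stdout and stderr as plain strings so the lines can be parsed.
    $output = & nltest.exe $arg 2>&1 | ForEach-Object { $_.ToString() }

    $result = [ordered]@{
        Domain     = $Domain
        Action     = $verb
        TrustedDC  = $null    # e.g. \\big-domain.2003support.local
        Status     = $null    # numeric status; 0 means the secure channel is healthy
        StatusName = $null    # e.g. NERR_Success
        Output     = $output  # raw lines, kept for troubleshooting
    }

    foreach ($line in $output) {
        # "Trusted DC Name \\big-domain.2003support.local"
        if ($line -match 'Trusted DC Name\s+(\\\\\S+)') {
            $result.TrustedDC = $Matches[1]
        }
        # "Trusted DC Connection Status Status = 0 0x0 NERR_Success"
        elseif ($line -match 'Connection Status\s+Status\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+\s+(\S+)') {
            $result.Status     = [int]$Matches[1]
            $result.StatusName = $Matches[2]
        }
    }
    return [pscustomobject]$result
}

$query = Get-SecureChannelStatus -Domain $Domain
$query | Format-List Domain, Action, TrustedDC, Status, StatusName

if ($null -eq $query.Status) {
    # nltest ran but printed no status line (wrong domain name, tool error, etc.)
    Write-Warning 'No "Connection Status" line was found in the nltest output:'
    $query.Output | ForEach-Object { Write-Warning $_ }
    exit 1
}

if ($query.Status -eq 0) {
    Write-Host "Secure channel to $($query.TrustedDC) for $Domain is healthy (status 0)."
    exit 0
}

# Non-zero status: the article says to research the error code before acting.
Write-Warning ("Secure channel query for {0} returned status {1} ({2})." -f `
               $Domain, $query.Status, $query.StatusName)

if ($ResetOnFailure) {
    Write-Host "Attempting nltest /sc_reset:$Domain ..."
    $reset = Get-SecureChannelStatus -Domain $Domain -Reset
    $reset | Format-List Domain, Action, TrustedDC, Status, StatusName
    if ($reset.Status -eq 0) {
        Write-Host "Secure channel re-established with $($reset.TrustedDC)."
        exit 0
    }
    Write-Warning ("Reset did not succeed: status {0} ({1}). Research this error code." -f `
                   $reset.Status, $reset.StatusName)
}
exit 1
```

Run it on the SBR member server as, for example, `.\Test-SbrSecureChannel.ps1 -Domain 2003support.local` to query only, or add `-ResetOnFailure` to let it issue the `/sc_reset` step when the query fails. The exit code (0 healthy, 1 secure-channel problem, 2 nltest missing) makes the check usable from a scheduled task or monitoring job, and the `TrustedDC` field records which domain controller SBR is actually using, which is the detail the article notes is useful in larger AD environments.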
