
[SRX] Configuring Active Directory user permissions when using Integrated User Firewall with Active Directory


Article ID: KB29659 | Last Updated: 14 Feb 2017 | Version: 2.0
Summary:

This article explains how to configure an Active Directory user that allows the SRX to read the Event Logs from the Domain Controller used by Integrated User Firewall.

Symptoms:

When I check the status of the connection to the Domain Controller, it says it is disconnected. I know the username and password are correct, but it still doesn't work. What do I do?

Cause:

Solution:

In most security deployments, Microsoft administrators will want to limit the access a user has on the Domain Controller. If the SRX is configured with a Domain Administrator account with full rights, pulling the Event Logs will work, but that account has far more privilege than the SRX needs. The following section describes in detail how to set up a restricted user so the SRX can log in with it successfully.

This guide assumes you have the following message on the SRX:

> show services user-identification active-directory-access domain-controller status extensive
Domain: woof.net
Domain controller: ad1
Address: 1.1.1.1
Status: Disconnected
Reason: Network issue

Please be advised that the "Reason" in this example is "Network issue", but in later releases it might change to a more specific message. If you are seeing an "Access Denied" or "Network Timeout" message, read on.

There are two places where you need to add permissions for a specific user. Follow the steps below to configure permissions and then verify the configuration.

Step 1: User Properties

Once you have created a user, right-click the user's name and select Properties. A new window will open. Select the Member Of tab and verify that the user is a member of the groups that grant the following rights:

The user must be able to log in remotely using Distributed Component Object Model (DCOM) and must also be able to read the Event Logs of the Active Directory Domain Controller.

Once this is set up, move to step 2.

Step 2: WMI Permissions

  1. Open the WMI management console by going to Start and searching for wmimgmt.msc in the Search bar. A new window will appear.
  2. Right-Click on WMI Control (Local) and select Properties.
  3. In the new window that opens, go to the Security tab. Expand Root and then expand CIMV2.
  4. Click the Security button and a new window will open. Add the previously created user to the list and select it. Make sure the permissions are applied to "This namespace and subnamespaces".
  5. Select Enable Account and Remote Enable.
  6. Click OK and close everything. The user is now configured properly.

Step 3: Verification

Once the user is configured correctly, the status of the Domain Controller will change to Connected and the users that are logged in will be displayed.

> show services user-identification active-directory-access domain-controller status extensive
Domain: woof.net
Domain controller: ad1
Address: 1.1.1.1
Status: Connected

> show services user-identification active-directory-access active-directory-authentication-table all
Domain: woof.net
Total entries: 3
Source IP   Username        groups   state
2.2.2.2     administrator            Valid
3.3.3.3     administrator            Valid
4.4.4.4     jtac                     Valid

Note: With long lists of users, the SRX will not be able to download all the logs within the default 10-second timeout. Increase this timeout to a larger value, for example 2 minutes:

# set services user-identification active-directory-access wmi-timeout 120
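The three steps above can be checked from the Windows side before looking at the SRX again. The following PowerShell script is an added example and is not part of this Juniper article or of any Juniper tool. It lists the service account's group membership (Step 1), reads the DACL of the root\cimv2 namespace on the Domain Controller and checks the Enable Account, Remote Enable and "This namespace and subnamespaces" bits (Step 2), and then reads logon events from the Security log over WMI as that account and times the query so the result can be compared with wmi-timeout (Step 3). The host name ad1.woof.net is taken from the article's output; the account name srx-uid and the Event ID 4624 filter are assumptions for illustration. Run it from a domain-joined administrative workstation with the ActiveDirectory module installed, not on the Domain Controller itself, because Get-WmiObject rejects -Credential for the local machine.

```powershell
# Added example, not from the Juniper KB article. Verifies the permissions the
# article configures for the SRX read-only account and performs a remote
# Security-log read the way the SRX does. Names are placeholders.
param(
    [string]$DomainController = 'ad1.woof.net',   # DC from the article's output; adjust
    [string]$ServiceAccount   = 'srx-uid',         # hypothetical SRX read-only account
    [string]$Namespace        = 'root\cimv2'
)

Import-Module ActiveDirectory -ErrorAction Stop

# WMI namespace access-mask bits (WBEM_SECURITY_FLAGS) and the ACE inherit flag.
$WBEM_ENABLE        = 0x01   # shown in wmimgmt.msc as "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # shown as "Remote Enable"
$CONTAINER_INHERIT  = 0x02   # "This namespace and subnamespaces"
$ACE_TYPE_ALLOW     = 0

function Get-ServiceAccountGroups {
    # Step 1: groups the account belongs to. Confirm they grant remote DCOM
    # activation and Event Log read access as the article requires.
    Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
        Select-Object -ExpandProperty Name
}

function Test-WmiNamespaceRights {
    # Step 2: read the namespace DACL through the __SystemSecurity singleton
    # (this call runs under your own admin credentials, not the service account).
    $result = Invoke-WmiMethod -ComputerName $DomainController -Namespace $Namespace `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with code $($result.ReturnValue)"
    }
    $ace = $result.Descriptor.DACL |
        Where-Object { $_.AceType -eq $ACE_TYPE_ALLOW -and $_.Trustee.Name -ieq $ServiceAccount } |
        Select-Object -First 1
    if (-not $ace) {
        return [pscustomobject]@{ Found = $false; EnableAccount = $false; RemoteEnable = $false; SubNamespaces = $false }
    }
    [pscustomobject]@{
        Found         = $true
        EnableAccount = (($ace.AccessMask -band $WBEM_ENABLE) -ne 0)
        RemoteEnable  = (($ace.AccessMask -band $WBEM_REMOTE_ACCESS) -ne 0)
        SubNamespaces = (($ace.AceFlags  -band $CONTAINER_INHERIT) -ne 0)
    }
}

function Test-RemoteEventLogRead {
    # Step 3: authenticate as the service account and pull logon events
    # (Event ID 4624, an assumed filter) from the DC's Security log over WMI.
    # Elapsed seconds can be compared with the SRX wmi-timeout value.
    $cred = Get-Credential -UserName $ServiceAccount -Message 'SRX service account password'
    $sw   = [System.Diagnostics.Stopwatch]::StartNew()
    $events = Get-WmiObject -ComputerName $DomainController -Credential $cred `
        -Class Win32_NTLogEvent -Filter "Logfile='Security' AND EventCode=4624"
    $sw.Stop()
    [pscustomobject]@{
        EventCount = @($events).Count
        Seconds    = [math]::Round($sw.Elapsed.TotalSeconds, 1)
    }
}

"Step 1 - groups for ${ServiceAccount}: " + ((Get-ServiceAccountGroups) -join ', ')
"Step 2 - $Namespace ACE for $ServiceAccount on ${DomainController}:"
Test-WmiNamespaceRights | Format-List
"Step 3 - remote Security log read as ${ServiceAccount}:"
Test-RemoteEventLogRead | Format-List
```

If Step 2 reports Found = False or any of the three flags False, the WMI Control settings from the article have not been applied to the correct namespace or account. If Step 2 passes but Step 3 fails with an access-denied error, the missing piece is the group membership from Step 1. If Step 3 succeeds but takes longer than the SRX timeout, raise wmi-timeout as described in the note above.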

Troubleshooting

If the connection still doesn't work after this step, collect the following traceoptions and open a technical support case:

set services user-identification active-directory-access traceoptions file ad-trace
set services user-identification active-directory-access traceoptions file size 25m
set services user-identification active-directory-access traceoptions level all
set services user-identification active-directory-access traceoptions flag all
set system processes general-authentication-service traceoptions file user-trace
set system processes general-authentication-service traceoptions file size 25m
set system processes general-authentication-service traceoptions flag all