
[SRX] Configuring Active Directory user permissions for Integrated User Firewall with Active Directory

[KB29659]


Summary:

This article explains how to configure an Active Directory user with the minimum rights needed to read the Event Logs of the Domain Controller used by Integrated User Firewall.

Symptoms:

When I check the status of the connection to the Domain Controller, it says it is disconnected. I know the username and password are correct, but it still doesn't work. What do I do?

Cause:

Solution:

In most security deployments, Microsoft administrators will want to limit the access a user has on the Domain Controller. If the SRX is configured with a Domain Administrator account with full rights, reading the Event Logs will work, but such an account has far more privilege than the SRX needs. The following section describes in detail how to set up a restricted user so that the SRX can log in with it successfully.

This guide assumes you have the following message on the SRX:

> show services user-identification active-directory-access domain-controller status extensive
Domain: woof.net
Domain controller: ad1
Address: 1.1.1.1
Status: Disconnected
Reason: Network issue

Please be advised that the "Reason" in this example is "Network issue", but in later releases it may change to a more specific message. If you are seeing an "Access Denied" or "Network Timeout" message, read on.

There are two places where you need to add permissions for a specific user. Follow the steps below to configure permissions and then verify the configuration.

Step 1: User Properties

Once you have created the user, right-click on the user's name and select Properties. A new window will open. Select the Member Of tab and verify that the user is a member of groups that grant the following rights:

The user must be able to log in remotely using Distributed Component Object Model (DCOM) and must also be able to read the Event Logs of the Active Directory Domain Controller. (The built-in Distributed COM Users and Event Log Readers groups grant exactly these two rights.)

Once this is set up, move to step 2.

Step 2. WMI Permissions

  1. Open the WMI management console by going to Start and searching for wmimgmt.msc in the Search bar. A new window will appear.
  2. Right-click on WMI Control (Local) and select Properties.
  3. In the window that opens, go to the Security tab. Expand Root and then expand CIMV2.
  4. Click the Security button and a new window will open. Add the previously created user to the list and edit it. Make sure the permissions are applied to "This namespace and subnamespaces".
  5. Select Enable Account and Remote Enable.
  6. Click OK and close everything. The user is now configured properly.
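To check the result from the Windows side before looking at the SRX, the following PowerShell script is an added example and is not part of this KB article; it assumes the RSAT ActiveDirectory module is installed on the host you run it from, and uses hypothetical names for the domain, the Domain Controller and the service account.

```powershell
# Added example (not from the KB): confirm that the account the SRX uses can
# read the Domain Controller's Security log over WMI/DCOM, the same path the
# SRX takes. Run from a domain-joined Windows host as any domain user.
# Assumed (hypothetical) names: domain woof.net, DC ad1, account svc-srx-userfw.
$Domain = 'woof.net'
$Dc     = 'ad1'
$User   = 'svc-srx-userfw'
$Cred   = Get-Credential -UserName "$Domain\$User" -Message 'Password of the SRX user'

# Step 1 check: membership in the groups that grant DCOM remote login and
# Event Log read access.
Import-Module ActiveDirectory
$Groups = Get-ADPrincipalGroupMembership -Identity $User | Select-Object -ExpandProperty Name
foreach ($g in 'Distributed COM Users', 'Event Log Readers') {
    if ($Groups -contains $g) { Write-Host "OK      : member of '$g'" }
    else                      { Write-Warning "MISSING : not a member of '$g'" }
}

# Step 2 check: root\cimv2 must be reachable remotely with Enable Account and
# Remote Enable. Get-WmiObject is used deliberately: it speaks DCOM like the
# SRX does, whereas Get-CimInstance defaults to WinRM and would not prove this.
try {
    $Events = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_NTLogEvent `
        -Filter "LogFile='Security' AND EventCode=4624" `
        -ComputerName $Dc -Credential $Cred -ErrorAction Stop |
        Select-Object -First 5
    Write-Host ("OK      : read {0} logon event(s) from {1} over WMI" -f @($Events).Count, $Dc)
}
catch {
    if ($_.Exception.Message -match 'denied|0x80070005') {
        Write-Warning 'DENIED  : WMI access refused; re-check Step 1 groups and Step 2 namespace security'
    } else {
        Write-Warning ("FAILED  : {0}" -f $_.Exception.Message)
    }
}
```

A slow but successful query here points at the wmi-timeout value discussed further down rather than at permissions.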

Step 3. Verification

Once the user is configured correctly, the status of the Domain Controller will change to Connected and the users that are logged in will be displayed.

> show services user-identification active-directory-access domain-controller status extensive
Domain: woof.net
Domain controller: ad1
Address: 1.1.1.1
Status: Connected

> show services user-identification active-directory-access active-directory-authentication-table all
Domain: woof.net
Total entries: 3
Source IP    Username        groups    state
2.2.2.2      administrator             Valid
3.3.3.3      administrator             Valid
4.4.4.4      jtac                      Valid

Note: When there are many users, the SRX will not be able to download all the logs within the default 10-second timeout. Increase this timeout to a larger value, for example 2 minutes:

# set services user-identification active-directory-access wmi-timeout 120

Troubleshooting

If the connection still doesn't work after this step, collect the following traceoptions and open a technical support case:

set services user-identification active-directory-access traceoptions file ad-trace
set services user-identification active-directory-access traceoptions file size 25m
set services user-identification active-directory-access traceoptions level all
set services user-identification active-directory-access traceoptions flag all
set system processes general-authentication-service traceoptions file user-trace
set system processes general-authentication-service traceoptions file size 25m
set system processes general-authentication-service traceoptions flag all