07-02-2003 06:50 AM - edited 02-21-2020 10:07 AM
I have a client with a VPN 3005 concentrator, and they want to authenticate against their Windows 2000 Active Directory. However, the AD servers are running in Mixed-mode.
I have tried to configure the VPN 3005 concentrator to authenticate against the AD server, and although it recognises the domain and username, it will not authenticate (I always get an 'invalid password' message). Has anyone else experienced a similar problem/got this working?
Regards,
Matt
07-02-2003 11:31 AM
Mixed mode shouldn't matter - that really only changes the ability of NT 4 BDCs to function. Downlevel clients should not be impacted, as win2k native and mixed mode both grok NTLM authentication.
Are you specifying the AD server as a "nt domain" type under authentication?
I didn't have a problem at all as I have upgraded from nt 4 to win2k mixed mode to win2k native mode - the 30xx never flinched. I am not running the 4.0 code, which might be more AD aware.
07-03-2003 04:21 AM
Hi,
I've specified the Authentication type as 'Kerberos/Active Directory', which is what causes the problem.
I can get it working by specifying 'NT domain' as the authentication type; however, this doesn't allow me to control *which* users can access the VPN.
Is there any way to get a mixed-mode controller to work using AD authentication, or alternatively, any way of controlling which users can access the VPN when using 'NT domain' authentication?
Many thanks,
Matt
07-03-2003 05:01 AM
That is odd. I can't think of anything Kerberos/AD related that changes via the switch to native mode.
If you are using digital certs, you can use group matching rules under "Policy Matching" rules. This can probably get unwieldy, and would be nowhere near as easy as using NT/AD groups, although I haven't played with the Kerberos/AD auth features yet.
I would open a case with TAC - I truly cannot think of *any* reason why there would be a problem with mixed mode.
07-03-2003 05:33 AM
OK - thanks for your help anyway. It's really appreciated.
Cheers,
Matt
07-10-2003 01:27 PM
My VPN 3060 is authenticating using Microsoft's IAS RADIUS. In this case the Active Directory attribute controlling RAS access is used to control authentication.
Tom Zeller
Indiana University
812-855-6214
07-11-2003 12:55 AM
Hi, and thanks for your reply.
I'm not sure if this is the same situation in which I am running. Can you confirm if the Active Directory is running in Mixed Mode?
Regards,
Matt