07-31-2009 12:02 PM
Hi,
What would be the best practice in deploying WSA to multiple domains?
Are there any requirements for this, like should they be in the same forest?
Or can it be done via IP?
My objective is to control internet traffic from users of adomain.com, bdomain.com, etc.
07-31-2009 12:19 PM
By the way, the WSA will query LDAP on my AD
07-31-2009 03:32 PM
The WSA is able to authenticate across multiple Active Directory forests as long as the domain that the WSA joins has at least a one-way trust with each forest where the users belong.
08-03-2009 07:04 AM
Hi Josh,
I got these errors upon doing a query on my LDAP via 3268:
Failure: Unable to fetch user DN information from server '192.168.18.7'. Please check the Base DN, User Name Attribute and User Filter values.
Base DN: dc=abc, dc=com
User Name Attribute: sAMAccountName
User Filter Query: None
I tried an LDAP browser with the credentials I got; I was able to browse my AD.
What seemed to be not working?
08-03-2009 03:40 PM
Kira,
I'm not sure why you are configuring to use your AD server via LDAP. If you wish to use AD with multiple domains across a forest, I recommend using NTLM, not LDAP.
It's possible you could get this working using the LDAP global catalog, but I've always seen it done via NTLM. That and NTLM is a secure protocol and LDAP is not.
08-04-2009 04:24 AM
Hi Josh,
My configuration involved an NTLM SSO which is working pretty much.
Now I'd like to add another LDAP for my remaining 2 domains.
Yes, they are in a single forest and can be queried via ports 3268 and 389.
My problem was using my service account to query the LDAP server: unable to fetch users via LDAP, but communications are successful.
I opened a ticket with support and provided a test account, and the support guy was able to query via the test account.
I tried Softerra LDAP Browser using the service account to query my LDAP and it worked.
I don't know why on the WSA it says password error, invalid account, etc.
What could possibly be wrong?
Thank you.
kira
08-04-2009 03:55 PM
Hrm. If the LDAP browser is able to pull the user data, it's most likely that the LDAP configuration on the WSA is incorrect.
Have you double checked the values you're using for the search DN? AD doesn't allow anonymous search.
If so, you may want to file a support ticket so that they can look into this further.
08-06-2009 02:42 AM
Hi Josh,
Was able to make it work using LDAP v3.
Thanks for the help.
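A small Python check that reproduces the WSA's user-DN lookup from the values in this thread (Base DN, User Name Attribute sAMAccountName, empty User Filter, global catalog port 3268, LDAP v3 simple bind as the service account), so the settings can be verified outside the appliance before blaming the account. This is an added example, not from this thread or from Cisco; it assumes the third-party ldap3 package for the live query, and the host, account names and password are placeholders.

```python
"""Reproduce the WSA 'fetch user DN' query against an AD global catalog."""
from typing import Optional

# RFC 4515 escaping: the looked-up name must not be able to alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(name_attr: str, username: str, user_filter: Optional[str]) -> str:
    """Combine the WSA's User Name Attribute and User Filter Query into one filter.

    With User Filter 'None' (as in the thread) only the name match is used; a
    configured filter such as '(objectClass=user)' is ANDed with it.
    """
    name_match = f"({name_attr}={escape_filter_value(username)})"
    if not user_filter or user_filter.strip().lower() == "none":
        return name_match
    return f"(&{user_filter}{name_match})"


def fetch_user_dn(host: str, base_dn: str, name_attr: str, username: str,
                  bind_user: str, bind_password: str,
                  user_filter: Optional[str] = None, port: int = 3268) -> Optional[str]:
    """Simple-bind as the service account (AD rejects anonymous search) and
    return the matching user's DN, or None if the search finds nothing."""
    from ldap3 import ALL, SIMPLE, Connection, Server  # assumed installed
    server = Server(host, port=port, get_info=ALL)      # ldap3 speaks LDAP v3
    # AD accepts a UPN (svc@abc.com), DOMAIN\svc or a full DN as the bind name;
    # a wrong form here surfaces as the 'invalid account' style error.
    conn = Connection(server, user=bind_user, password=bind_password,
                      authentication=SIMPLE, auto_bind=True)  # raises on bad bind
    found = conn.search(base_dn, build_user_filter(name_attr, username, user_filter),
                        attributes=["distinguishedName"])
    if not found or not conn.entries:
        return None
    return str(conn.entries[0].distinguishedName)


if __name__ == "__main__":
    # Values from the thread; host and accounts are placeholders.
    print(build_user_filter("sAMAccountName", "kira", "None"))
    # fetch_user_dn("192.168.18.7", "dc=abc,dc=com", "sAMAccountName", "kira",
    #               "svc-wsa@abc.com", "<service account password>")
```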
08-06-2009 03:41 PM
That's odd. I thought that AD supports LDAP 2 and 3. That's a good thing to know. Thanks for sharing your fix!
08-27-2009 05:34 AM
My only problem now is I had an NTLM SSO configured and the rest are LDAP.
Users who are logged in to the LDAP were not prompted for the proxy password and had no internet connection.
But if they're not logged in to the domain, it does work.
I'm thinking of removing the NTLM SSO since my S650 is already joined to the domain.
Any thoughts on this?