Web Security - LDAP Authentication with Windows Server 2008 R2
Issue
When configuring Remote Authentication via Active Directory on Windows Server 2008 R2, the system never synchronizes.
Symptoms
- Same configuration works on Windows Server 2003.
- The EVERYTHING.log shows an entry similar to the following:
winbindd[8111]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC has no support for encryption type
Cause
Due to increased security in Windows Server 2008, Kerberos encryption methods are disabled by default.
Resolution
*** These instructions are for an Admin user either logged into the server directly or connected to the server via remote desktop or terminal services ***
On the 2008 R2 Domain Controller that the InstaGate is connecting to, perform the following steps:
- Open the Group Policy Management Console (GPMC)
- Locate the policy that is used with the InstaGate
- Right-click the policy, select Edit
- Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
- Right-click Network security: Configure encryption types allowed for Kerberos and select Properties
- Enable "Define these policy settings"
- Enable all options
- Click OK and close the GPMC
On the InstaGate or Threatwall:
- Navigate to Users -> Remote Authentication
- Click Synchronize
- Confirm that groups have been imported under Users -> Groups.
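If synchronization still fails, the following PowerShell check, run on the Domain Controller, shows which Kerberos encryption types the policy actually applied. It is an added example, not part of the original article or the vendor's tooling. The registry location and bit values are assumptions taken from Microsoft's documentation of this policy setting, and Get-KerberosEncTypes is a helper name made up for this example.

```powershell
# Added example: decode the Kerberos encryption types applied by the GPO.
# Assumption: the policy "Network security: Configure encryption types
# allowed for Kerberos" stores its bitmask in the value below.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$name = 'SupportedEncryptionTypes'

# One entry per checkbox in the policy dialog.
$flags = @(
    @{ Bit = 0x1;        Name = 'DES_CBC_CRC' },
    @{ Bit = 0x2;        Name = 'DES_CBC_MD5' },
    @{ Bit = 0x4;        Name = 'RC4_HMAC_MD5' },
    @{ Bit = 0x8;        Name = 'AES128_HMAC_SHA1' },
    @{ Bit = 0x10;       Name = 'AES256_HMAC_SHA1' },
    @{ Bit = 0x7FFFFFE0; Name = 'Future encryption types' }
)

# Hypothetical helper: return the names of all types set in the mask.
function Get-KerberosEncTypes([int]$Mask) {
    foreach ($f in $flags) {
        if (($Mask -band $f.Bit) -eq $f.Bit) { $f.Name }
    }
}

$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    # Value absent: the policy is not defined or has not reached this DC yet.
    Write-Output "$name is not set; run 'gpupdate /force' and check again."
} else {
    $mask = [int]$prop.$name
    Write-Output ("{0} = 0x{1:X8}" -f $name, $mask)
    Get-KerberosEncTypes $mask | ForEach-Object { Write-Output "  enabled: $_" }

    # With every option enabled, as in the steps above, the mask is 0x7FFFFFFF.
    if ($mask -band 0x3) {
        Write-Output '  note: DES types are enabled (legacy, off by default on 2008 R2).'
    }
}
```

If the value is missing or lacks the expected types after the policy edit, the GPO is not linked to the Domain Controller or has not refreshed yet.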
Additional Information
For more information on this configuration, please refer to the following Microsoft Knowledgebase article:



