How to configure SonicWall Active Directory integration

This video explains how to do Active Directory integration with SonicWall firewalls. It covers LDAP and LDAPS, some testing, as well as some of my own personal little things I like doing with AD authentication.

Comments
Author

Hi Jean, excellent tutorial as always and appreciate you spending the time putting this together.
Ran through the LDAP setup initially, working well. Then tried the next step of changing over to LDAPS with import of the generated certificate from the root.cer file, split DNS, etc. Test to server fails with "Error connecting to LDAP server Message returned from LDAP: error:1416F086:SSL verify failed (unable to get local issuer certificate)". Rechecked setup, certificate definitely imported correctly, DNS correct and can resolve server name, rewatched the video again and all correct, however it continues to fail.
Then after a Google search found several people reporting the same error, and the workaround was under LDAP Configuration, Settings, General Settings to uncheck "Require valid certificate from server when using TLS". Did this and now working with LDAPS.
Any thoughts on why this is required and any issue unchecking this setting?

DaleBentley-zl
Author

Thank you for all the videos. Some of this is so complex that I would never have figured it out on my own. I appreciate all the details. Got me up and working.

greenhouseproductions
Author

This was incredibly useful! I am preparing to enable LDAPS, and your video confirmed I am going about it the correct way.

MicahW
Author

Love your videos Jean-Pier! I have a question: I was told you don't want to run a Certificate Authority on your Domain Controller. I feel you are very knowledgeable; can you please clarify? MUCH APPRECIATED!

garryhasty
Author

Hi Jean-Pier,
In my case it happened with Microsoft AD itself. LDAP authorization is functional, but groups are with (MemberOf). I opened a call and I'm waiting.

marciocredes
Author

Thanks for the video. I'm looking at RADIUS to the SonicWall as we are limited to 250 user accounts (not licenses but user accounts) on our SonicWall. I'm confused between this and RADIUS and whether there is an advantage to this vs. RADIUS. Thanks in advance.

boedillard
Author

Hi. I am having an issue related to access rules with AD SSO groups. Only the first rule is working. If I create a rule with another group and put that rule in second place, the users go to unauthenticated users, and in brackets it shows it cannot get the SSO with the 1st rule's access group.

joker_
Author

Can we use MS 365 Azure/AD instead if we don't use a local AD server?

MichaelKnichel
Author

Nice. A couple of questions: for production use, does the DC need to have another role for LDAP, or is it best to spin off another server? Also, what version of SonicOS is this?

christianissa
Author

I have a question about something I want to do, and it's driving me crazy. Is there a way to only allow domain-joined computers to access the VPN? For example, if an employee uses their personal computer, have the VPN reject the connection because it's not part of our domain.

Jose

jdejoa
Author

Jean-Pier, hello. I have a question about one of the additional tips you shared. I am trying to create a rule which allows WAN-LAN for terminal services, with the SNL in the middle validating internal groups. If I create the rule under HTTPS, then I can authenticate, but the terminal services don't work. If I create the terminal services connection but change the inbound rule (HTTPS to terminal services), I cannot connect. If I allow 'any' (without any type of AD group auth) for the terminal services, that works. I believe this used to work but doesn't now. Is there a way to do this: use terminal services from the WAN to a LAN object, but require the SNL to utilize AD integration for access? It would seem a simple thing to 'wrap' AD auth around an inbound connection; that way the terminal server can be 'open' to the internet, but unless they authenticate the connection won't be made. Thanks, Mark

myscbees
Author

Great video. Much appreciated. I have a question. I have Windows AD set up and LDAPS has been configured on the firewall. I'm struggling with the login page. I can see user activity; however, I would like AD and local users to be redirected to a login page before being granted access. A group has been created that will be bypassed; however, I can't seem to get the login page up and running. Please advise.

sabelomnisi
Author

Hello sir, I tried exactly as you mentioned in the video.
But it does not work.
It keeps giving me the below error message when I press the test button.

"Warning! LDAP can not be enabled in FIPS mode without a valid local certificate for TLS!".

We already imported a certificate from our domain controller, so not sure what the issue is.

Any help in getting this to work will be greatly appreciated.

Our firewall operates in FIPS mode.

jayshah
Author

My current config uses local users. If I go ahead with LDAP/AD, will that remove the local users' access? Just asking because I don't want to get rid of the local users until I know that the LDAP works well.

thanks

simplyforgeahead
Author

Hello community, how do I encrypt the connection between the UTM and the Active Directory?

rayalejandrogaviriaalegria
Author

I used your video to set up LDAP a while back, thanks for that. One strange thing that just started happening is my personal AD account is failing authentication, not allowing me to connect through our VPN. However... every other user in our VPN group CAN connect?! I'm perplexed! When I test my account from LDAP settings, I get authentication failed with the error 80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52f, v4f7c. I've looked that error up to no avail. Seems quite odd that it's just my account, no?!

tophrob
Author

I'm trying to set up the AD integration with LDAP for VPN access, but the UI for this SW FW is older, and where you enter the username and the location in AD, it's one cell. I entered the object location from AD and modified the last entry to the user's name, but I continue to get the error: Error: Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839

Can you provide any guidance? How can I update the UI? It is a licensed product.

chrisnino
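The three LDAP test errors quoted in the comments above (the LDAPS "unable to get local issuer certificate" failure, and the two AcceptSecurityContext bind failures with data 52f and 52e) can be triaged from the message text alone. The following is an added example, not the video author's or SonicWall's code: it parses those messages, maps the standard Active Directory bind "data" codes to their documented meaning, and reads the OpenSSL verify reason; the function names and the fix wording are this example's own, and the sample messages are the ones quoted in the comments.

```python
import re

# Standard AD bind-failure "data" codes (Win32 error numbers in hex) that a
# domain controller appends to "AcceptSecurityContext error, data NNN".
AD_BIND_DATA_CODES = {
    "525": ("user not found", "check the login name / bind DN"),
    "52e": ("invalid credentials", "check the password and the full bind DN"),
    "52f": ("account restriction", "check logon-hour, workstation or other restrictions on that account"),
    "530": ("logon not permitted at this time", "check logon hours"),
    "531": ("logon not permitted at this workstation", "check allowed workstations"),
    "532": ("password expired", "reset the password"),
    "533": ("account disabled", "enable the account"),
    "701": ("account expired", "extend the account expiry date"),
    "773": ("user must reset password", "clear 'must change password at next logon'"),
    "775": ("account locked out", "unlock the account"),
}
BIND_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]{3})")
TLS_RE = re.compile(r"SSL verify failed \((?P<reason>[^)]+)\)")

def triage_ldap_error(message: str) -> dict:
    """Classify one SonicOS LDAP 'Test' error message into a cause and a fix."""
    m = TLS_RE.search(message)
    if m:  # LDAPS handshake failed: the firewall could not verify the DC's certificate
        reason = m.group("reason")
        if "issuer" in reason:
            fix = ("the issuer of the server certificate (root or intermediate CA) is not "
                   "in the firewall trust store; import the whole CA chain rather than "
                   "unticking 'Require valid certificate from server when using TLS'")
        else:
            fix = "server certificate rejected by TLS verification: " + reason
        return {"category": "tls", "code": reason,
                "cause": "LDAPS certificate verification failed", "fix": fix}
    m = BIND_RE.search(message)
    if m:  # TLS (if any) succeeded; the LDAP bind itself was refused by AD
        code = m.group(1).lower()
        cause, fix = AD_BIND_DATA_CODES.get(
            code, ("unrecognised AD data code", "look up Win32 error 0x" + code))
        return {"category": "bind", "code": code, "cause": cause, "fix": fix}
    return {"category": "unknown", "code": None,
            "cause": "message not recognised", "fix": "inspect the full LDAP log"}

SAMPLE_MESSAGES = [  # the three error messages quoted in the comments on this page
    "Error connecting to LDAP server Message returned from LDAP: error:1416F086:"
    "SSL verify failed (unable to get local issuer certificate)",
    "80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52f, v4f7c",
    "Error: Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C090447, "
    "comment: AcceptSecurityContext error, data 52e, v3839",
]

def triage_all(messages=SAMPLE_MESSAGES) -> list:
    return [triage_ldap_error(m) for m in messages]
```

Unticking the certificate requirement makes the test pass because the firewall then accepts any certificate the LDAP server presents, so the triage output points at the trust store instead.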
Author

We have a SMA500v and instead of Microsoft AD we use OpenLdap. Authorization with LDAP is working but Groups are not (MemberOf). I opened a case with Sonicwall but until now they couldn’t find a solution. I don’t like that in most cases Ldap integration is based on Microsoft’s AD and not on open software.

tomlapaz
Author

What should one keep in mind when operating 2 AD servers, given that at some point one of them will disconnect, and how does that affect the SSL VPN settings?

henrymoisesmejia
Author

Can you please share the process for adding SonicWall GMS 9.3 into our existing NPS server through RADIUS?

kumaran