Trying to do LDAP authentication from Active Directory

Hello,

I'm evaluating LoadMaster for my customer. I have deployed LoadMaster from the Azure Marketplace, and I am trying to authenticate users to an IIS server from AD (not Azure AD, but on-prem; the DC is in Azure IaaS).

If I disable authentication from the ESP options, I can access the website. However, when I try to preauthenticate users, it fails. I have monitored traffic to the DC (LDAP endpoint) and it succeeds; LoadMaster gets answers.

ESP User log shows: 

Mar 14 20:06:46 ******** l7log: 10.1.0.41:443: User ****** denied access from x.x.x.x

SSOMGR Audit Log shows:

Mar 14 20:07:03 ******** ssomgr: #40401# group_processing: Blocked access - user not in approved group SID(s) for VS [1]

I have tried both group names and group SIDs, no difference. I've been banging my head into a wall for an entire day - any help is greatly appreciated.

2 comments

Tony Vaughan

Hello,

If you are evaluating a LoadMaster, I would recommend deploying a trial instead of a free one;
with a trial you will have access to support.
Without more details on your setting and environment, there are very few options I can give you.

Just to confirm the troubleshooting so far:
from what you are saying, the routing is working correctly, and
LDAP receives and responds correctly back to the LoadMaster.

Is the group on its own or is it a group within a group?
Do you have the option "Include Nested Groups" enabled?

Vesa Takkinen

Thanks for answering. I must have missed the trial option in Azure when I deployed LoadMaster. I will probably do a re-deployment with that option to get support.

About groups, I am using a group where the members are direct members. I have also tried the nested group option, and changing primary group membership. The DC is Windows Server 2016; is there something specific about it?