My wildfire server (currently running the latest v. 3.1) has been authenticating via RADIUS for about 3 months now… everything runs smoothly. I just recently attempted to integrate Norman’'s SASL/SSPI to use single sign-on with Pandion clients. When I attempt to use the integrated windows authentication I get the following debug error on the wildfire server:
I’‘ll take a look at the SSPI Workbench as you suggested… I figured I’'d throw this additional info out first though:
There are 2 domains involved. Domain ABC contains 95% of the users. We don’'t control this domain. We have a domain XYZ that has a 2-way trust with ABC… therefore, most of our client machines are part of the XYZ domain but can select domain ABC from the windows login and use their ABC credentials. (hopefully that made sense) The RADIUS (steel belted radius) server is also part of the XYZ domain, however, because of the trust between ABC and XYZ, can authenticate users in the ABC domain. The wildfire server is also part of XYZ. Since it sends authentication requests to the RADIUS server, users of ABC can login successfully.
So… the client machine is part of XYZ, however, the user that logged into Windows selected the ABC domain at login and supplied their ABC credentials (authentication is sent to XYZ domain controllers and then up the trust to ABC).
In the section of wildfire.conf I have tried both ABC and XYZ.
Does this shed any light as to what might be causing the error?
Mmm, try running the workbench client on the machine that you’‘re running pandion from. Run the server side on the wildfire server. I’'m not sure how cross-domain trust works, nor how RADIUS works
If you can get SSPI Workbench working in NTLM mode, then you’'ve got a good chance that the Wildfire SASL-SSPI bridge should work correctly. (btw: Have you tried a client logging in as a XYZ domain user?)
I upgraded to the latest 3.1.1 and decided before upgrading that I would wipe my current settings (since this a test box) and start from scratch. Long story short… the single sign-on is working now. I’'m not really sure what I did different. The only big difference was the upgrade to 3.1.1.
I’'m running 3.1.0 still (3.1.1 was released the day after we rebuilt our server). My guess is still that there was some other authentication issue that was causing the failure. (e.g: something like Group Policies that denies log on the server)