Cannot Get More SSO Users

Denny Chanditya Posted 28 Aug 2023 13:38

Hi,

We have several IAG 5000 series units that are set up with SSO / MS AD Domain so the Sangfor can get the username for the IP, rather than only the IP address.
Our issue is that the IAG only reads several users with usernames on the Users tab. We checked that the connectivity is OK, asked the principal, and used the Mirror interface to read the user list, but it still does not work properly. Only a few users are shown.

Is there any troubleshooting or any test that I need to do? On other IAGs it works normally and can read the users from AD.

Thanks.

Zonger has solved this question and earned 10 coins.

Zonger Lv5 Posted 29 Aug 2023 13:25
  
Troubleshooting the issue of the Sangfor IAG 5000 series not properly retrieving usernames from the Active Directory (AD) for some users can involve several steps to identify and resolve the problem. Here's a systematic approach to help troubleshoot the issue:
  • Review Configuration: Double-check the configuration settings on the IAG 5000 series that is experiencing the issue. Compare it with the configurations of the IAG units that are working correctly. Ensure that the settings related to SSO and AD integration are consistent.
  • Verify Connectivity: Ensure that the IAG unit can properly communicate with the Active Directory. Test the connectivity by pinging the domain controllers and ensuring that DNS resolution is working correctly.
  • Check AD Integration: Review the integration between the IAG unit and the Active Directory. Verify that the LDAP configuration settings, including the domain name, domain controllers, and authentication credentials, are accurate.
  • Check for LDAP Issues: Monitor the IAG's logs or diagnostic information for any LDAP-related errors or warnings. LDAP authentication issues could potentially prevent the retrieval of usernames.
  • Check User Attributes: Confirm that the users for whom usernames are not being retrieved have the necessary attributes in the Active Directory. The IAG might rely on specific attributes to identify users.
  • Test with Different Users: Experiment with different user accounts to determine if the issue is specific to certain users or applies to a broader range. This can help narrow down whether it's a configuration problem or an issue with particular user accounts.
  • Check for Account Lockouts or Expiry: Verify that the affected user accounts are not locked out or expired in the Active Directory. Account status issues could prevent successful authentication.
  • Mirror Interface Configuration: Since you've mentioned using the Mirror interface, ensure that it's properly configured to capture the necessary traffic. Check for any limitations or settings that might impact the traffic monitoring process.
  • Test Different Interfaces: If possible, test using different interfaces to retrieve user information. This can help identify whether the issue is specific to the Mirror interface or is more widespread.
  • Update or Firmware Check: Ensure that the IAG unit is running the latest firmware or software updates. Sometimes, updates can address known issues or improve compatibility.
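
The user-attribute and account-status checks from the list above can be run offline against an `ldapsearch` export of the affected users. This is an added example, not part of the post above and not Sangfor tooling; the thread does not say which attributes the IAG relies on, so `sAMAccountName` is an assumption, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

UAC_DISABLED = 0x0002            # ACCOUNTDISABLE bit of userAccountControl
NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # accountExpires values meaning "never expires"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample (not from the thread): plain "attr: value" LDIF, no base64 or folded lines.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
sAMAccountName: alice
userAccountControl: 512
accountExpires: 9223372036854775807

dn: CN=Bob Example,OU=Staff,DC=corp,DC=example
sAMAccountName: bob
userAccountControl: 514

dn: CN=Carol Example,OU=Staff,DC=corp,DC=example
sAMAccountName: carol
userAccountControl: 512
accountExpires: 133000000000000000
lockoutTime: 133380000000000000

dn: CN=Dave Example,OU=Staff,DC=corp,DC=example
userAccountControl: 512
"""

def parse_ldif(text):
    """Split an LDIF export into one attribute dict per entry."""
    return [dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
            for block in text.strip().split("\n\n")]

def account_problems(entry, now):
    """Return the account-state findings worth checking for this entry."""
    problems = []
    if not entry.get("sAMAccountName"):  # assumed to be the logon name the IAG needs
        problems.append("missing sAMAccountName")
    if int(entry.get("userAccountControl", 0)) & UAC_DISABLED:
        problems.append("disabled")
    expires = int(entry.get("accountExpires", 0))
    # accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC
    if expires not in NEVER and EPOCH_1601 + timedelta(microseconds=expires // 10) <= now:
        problems.append("expired")
    if int(entry.get("lockoutTime", 0)) != 0:
        problems.append("lockoutTime set")  # may be stale once the lockout window passes
    return problems

def report(text, now):
    return {e["dn"]: account_problems(e, now) for e in parse_ldif(text)}
```

Accounts that come back with an empty list are clean on the directory side, which points the investigation back at the IAG's SSO or mirror-port configuration.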

Newbie517762 Lv5 Posted 30 Aug 2023 15:32
  
Hi,

Please find below the configuration guide for your reference:

Regards,

mdamores Posted 04 Sep 2023 11:24
  
Last edited by mdamores 04 Sep 2023 11:34.

Hi,

You might be experiencing user authentication and identification issues when integrating with Microsoft AD using SSO. You may try the troubleshooting steps below:

- Check if your IAG device is integrated with your AD domain controller, verify that the LDAP server address, port, and credentials are properly configured to connect with your AD, and conduct testing.
- Validate that the correct AD users are mapped to the corresponding IP addresses or devices in the IAG config.
- Make sure that the IAG device is using the correct AD and review the SSO configuration settings.
- Check if there are firewall rules or policies that currently block the communication between AD and the IAG device. The same goes for network connectivity.
- You may also consider updating the firmware, since outdated firmware can sometimes cause compatibility issues.

RegiBoy Lv5 Posted 04 Sep 2023 15:05
  
Ensure that your IAG 5000 series appliance is correctly configured to integrate with your Microsoft AD. Double-check the settings for the AD integration, including domain controllers and LDAP settings.
Ensure that your IAG appliance can resolve DNS names and communicate with the AD domain controllers. DNS resolution issues can prevent proper communication with AD.

CptArmando Lv2 Posted 04 Sep 2023 15:06
  
Verify that the IAG appliance has the necessary permissions to query your AD for user information. It should have read access to the AD to retrieve user data.

MISMDS Lv3 Posted 04 Sep 2023 15:07
  
Review any LDAP filters or search queries used by the IAG appliance to retrieve user information. Ensure that these filters are correctly defined to capture all relevant users. Use LDAP query tools or utilities to test the connectivity and query your AD from the IAG appliance. This can help diagnose any issues with LDAP queries.

RobertonY Lv2 Posted 04 Sep 2023 15:07
  
If you are unable to resolve the issue through troubleshooting, consider reaching out to Sangfor support or your vendor for assistance. They can provide specific guidance and help diagnose the problem.

soneosansan Lv3 Posted 04 Sep 2023 15:11
  
Review Configuration: On the IAG 5000 series that is having the problem, double-check the configuration parameters. Contrast it with the setups of the IAG units that are operating well. Make sure that the SSO and AD integration settings are consistent.

Fuji12 Lv3 Posted 04 Sep 2023 15:12
  
Make sure that the IAG unit can effectively communicate with Active Directory by checking connectivity. Ping the domain controllers to check the connection and make sure DNS resolution is functioning properly.
Verify AD Integration: Examine how the IAG unit and Active Directory are integrated. Check the accuracy of all LDAP setup parameters, including the domain name, domain controllers, and authentication information.
