Active Directory Authentication Failure


khánh vũ

Feb 19, 2025, 11:24:02 PM
to Diladele Web Safety
Hi Rafael,
We have configured two DCs that are used for our authentication; one is primary, the other has a backup role in case the primary fails.
I observed that once the primary becomes unavailable, our Squid box does not go to the backup DC to continue its authentication work, and our end users fail to connect to the internet.
So can you help me understand these settings? Do I need to change anything for this to work?
Hope to get your reply.

Thank you.
Khanh

Attachment: 2025-02-20_11h12_20.png

rafael....@diladele.com

Feb 20, 2025, 12:57:07 AM
to Diladele Web Safety
Good morning, Khanh,

The DC settings are used in two places in Web Safety:

- in the recommended Kerberos mode of authentication - the authentication is done *without* contacting the DC controllers - but then the lookup of the user's groups is done using *both* of the DC controllers. So if one is offline, the other one should work normally.

- *but* in the old NTLM mode the authentication is actually done using an LDAP bind with relayed NTLM credentials to the *first* DC only; and if that succeeds, then again the lookup of the user's groups is done by *both* of the DC controllers. So yes, in this case, if your first DC is offline the auth will fail. This is noted in the still open issue at https://github.com/diladele/websafety/issues/407. As NTLM authentication is now obsolete, we keep postponing this issue for later :(

I would recommend using Kerberos for authentication if that is an option for you (all workstations must be joined to the domain).

Best regards,
Rafael