8.7. Windows Active Directory integration

Integration with the Windows Active Directory infrastructure is needed to seamlessly optimize encrypted MAPI and signed CIFS sessions.

8.7.1. The prerequisites for Active Directory integration

Before the Steelhead appliances can do this integration, they need to be joined to the Active Directory domain. Before that can happen, several things need to be taken care of:

  • The primary interface of the Steelhead appliance should be configured and have access to the network the Domain Controllers are on.

  • The hostname configured on the Steelhead appliance should be 15 characters or less.

  • The hostname configured on the Steelhead appliance should not yet exist in the Active Directory configuration.

  • One of the domain names configured on the Steelhead appliance should contain the Active Directory domain name.

  • The DNS servers configured in the Steelhead appliance should be able to resolve the Active Directory domain name.

  • In DNS, the IP address of the primary interface of the Steelhead appliance needs to be available as a PTR record:

    Figure 8.30. 192.168.1.6 points to ssh-primary.example.org

    [~] edwin@t43>dig -x 192.168.1.6
    
    ; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.6
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18322
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;6.1.168.192.in-addr.arpa.      IN      PTR
    
    ;; ANSWER SECTION:
    6.1.168.192.in-addr.arpa. 3583  IN      PTR     ssh-primary.example.org.
    
    ;; AUTHORITY SECTION:
    1.168.192.in-addr.arpa.  3583   IN      NS      ns0.example.org.
    
    ;; ADDITIONAL SECTION:
    ns0.example.org.        3583    IN      A       192.168.1.1
    
    ;; Query time: 12 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Fri Oct 26 20:13:39 2012
    ;; MSG SIZE  rcvd: 142
    

  • The clock on the Steelhead appliances needs to be in sync with the clock of the AD Domain Controller. If the Domain Controllers are synchronized against the same NTP server as the Steelhead appliance, this will be fine. If the Domain Controllers are not synchronized against NTP servers, it is best to configure the Domain Controller as the NTP server on the Steelhead appliances:

    Figure 8.31. NTP servers configured are the local Domain Controllers

    ntp enable
    ntp server 192.168.1.1 enable
    ntp server 192.168.1.1 version "4"
    

  • DNS should contain the LDAP SRV record for the domain to join. So if the domain is example.org, the following DNS SRV record should exist: _ldap._tcp.example.org.

    Figure 8.32. DNS SRV records for _ldap._tcp.example.org

    [~] edwin@t43>dig _ldap._tcp.example.org srv
    ; <<>> DiG 9.8.1-P1 <<>> _ldap._tcp.example.org srv
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5339
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;_ldap._tcp.example.org.         IN      SRV
    
    ;; ANSWER SECTION:
    _ldap._tcp.example.org.      600 IN      SRV     0 100 389 dc.example.org.
    
    ;; ADDITIONAL SECTION:
    dc.example.org.             3600 IN      A       192.168.1.1
    
    ;; Query time: 719 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Fri Oct 26 20:59:16 2012
    ;; MSG SIZE  rcvd: 2105
    

    This shows that the domain controllers for the Active Directory domain example.org can be found at dc.example.org.

  • Access to an Active Directory account with domain join privileges.
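The checklist above can be verified before attempting the join. The following script is an added example (not part of the original text or of Riverbed's own tooling): it parses the output of the two dig queries shown in Figures 8.30 and 8.32, extracts the PTR and SRV answers, and evaluates the hostname length, domain name, PTR, SRV and clock skew prerequisites. The dig output embedded below is constructed from the figures; the 15-character limit comes from the text and the 300-second skew limit is the Kerberos default, assumed here as the threshold. Whether the computer object already exists in Active Directory and whether the join account has the right privileges cannot be checked offline and are left to the administrator.

```python
"""Offline pre-join prerequisite checks for a Steelhead appliance.

Added example, not Riverbed code. It evaluates the checklist against dig
output that was captured (or, here, constructed from the figures) and a
measured clock offset against the Domain Controller.
"""
import subprocess

NETBIOS_MAX_LEN = 15        # Windows computer names are limited to 15 characters
MAX_CLOCK_SKEW_SEC = 300    # assumed threshold: Kerberos default maximum skew (5 min)

# Constructed sample output, following Figure 8.30 (dig -x 192.168.1.6).
DIG_PTR_OUTPUT = """\
; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18322
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;6.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
6.1.168.192.in-addr.arpa. 3583  IN      PTR     ssh-primary.example.org.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa.  3583   IN      NS      ns0.example.org.
"""

# Constructed sample output, following Figure 8.32 (dig _ldap._tcp.example.org srv).
DIG_SRV_OUTPUT = """\
; <<>> DiG 9.8.1-P1 <<>> _ldap._tcp.example.org srv
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5339

;; QUESTION SECTION:
;_ldap._tcp.example.org.         IN      SRV

;; ANSWER SECTION:
_ldap._tcp.example.org.      600 IN      SRV     0 100 389 dc.example.org.

;; ADDITIONAL SECTION:
dc.example.org.             3600 IN      A       192.168.1.1
"""


def run_dig(*args):
    """Run dig with the given arguments (e.g. "-x", ip) and return its output.
    Online use only; the checks below work on captured text."""
    return subprocess.run(["dig", *args], capture_output=True,
                          text=True, check=True).stdout


def parse_answer_section(dig_output):
    """Return the ANSWER SECTION records as (name, ttl, class, type, rdata)."""
    records, in_answer = [], False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line or line.startswith(";"):
                break                      # blank line or next section ends it
            parts = line.split(None, 4)
            if len(parts) == 5:
                records.append(tuple(parts))
    return records


def reverse_name(ip):
    """IPv4 address -> owner name of its PTR record."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_target(dig_output, ip):
    """Hostname the PTR record for ip points to, or None if absent."""
    want = reverse_name(ip).lower()
    for name, _ttl, _cls, rtype, rdata in parse_answer_section(dig_output):
        if rtype == "PTR" and name.lower() == want:
            return rdata.rstrip(".")
    return None


def srv_targets(dig_output):
    """Sorted (priority, weight, port, target) tuples from SRV answers."""
    out = []
    for _n, _t, _c, rtype, rdata in parse_answer_section(dig_output):
        if rtype == "SRV":
            prio, weight, port, target = rdata.split()
            out.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(out)


def check_prerequisites(hostname, primary_ip, ad_domain, domain_names,
                        ptr_output, srv_output, clock_skew_sec):
    """Evaluate the offline-checkable prerequisites; returns (check, ok, detail)."""
    ptr = ptr_target(ptr_output, primary_ip)
    srv = srv_targets(srv_output)
    return [
        ("hostname length", len(hostname) <= NETBIOS_MAX_LEN,
         f"{hostname!r} is {len(hostname)} characters"),
        ("domain name configured",
         any(ad_domain.lower() in d.lower() for d in domain_names),
         f"configured domains: {domain_names}"),
        ("PTR record", ptr is not None, f"{primary_ip} -> {ptr}"),
        ("_ldap._tcp SRV record", bool(srv),
         f"domain controllers: {[t for *_, t in srv]}"),
        ("clock skew", abs(clock_skew_sec) <= MAX_CLOCK_SKEW_SEC,
         f"{clock_skew_sec:+.1f} s against the Domain Controller"),
    ]


def failed_checks(results):
    """Names of the checks that did not pass."""
    return [name for name, ok, _ in results if not ok]


if __name__ == "__main__":
    for name, ok, detail in check_prerequisites(
            "ssh-primary", "192.168.1.6", "example.org", ["example.org"],
            DIG_PTR_OUTPUT, DIG_SRV_OUTPUT, clock_skew_sec=1.5):
        print(f"[{'ok' if ok else 'FAIL'}] {name}: {detail}")
```

In live use the two dig outputs come from run_dig("-x", ip) and run_dig("_ldap._tcp." + domain, "srv"), and the clock offset from whatever the appliance reports for its NTP peer; a non-empty failed_checks() list is a reason not to start the join yet.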

8.7.1.1. Possible issues during the domain join

Here are several examples of domain join failures.

8.7.1.1.1. Clock skew issues

If the clocks on the Steelhead appliance and on the domain controller are too far apart, the domain join will fail with the following error:

Figure 8.33. Domain join failed because of a clock skew between the Steelhead appliance and the Domain Controller

mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[5610]: [rcud/main/.ERR] - {- -} Join domain failed. Failed to join domain: Error: Uns \
    pecified GSS failure. Minor code may provide more information : Clock skew too great
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed

8.7.1.1.2. DNS related issues

If the Active Directory domain cannot be found in DNS, the domain join will fail with the following error:

Figure 8.34. Domain join failed because of DNS related issues

mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[4637]: [rcud/main/.ERR] - {- -} Failed to join domain: Error: Operations error. Possi \
    ble DNS misconfiguration. 
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed

8.7.1.1.3. Active Directory object already exists

If the object for the Steelhead appliance already exists in Active Directory and the joining account does not have the privileges to replace old objects, the domain join will fail with the following error:

Figure 8.35. Domain join failed because the object in Active Directory already exists

mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[14701]: [rcud/main/.ERR] - {- -} Failed to join domain: Failed to set account flags f \
    or machine account (NT_STATUS_ACCESS_DENIED)
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed
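The three failures above each leave a distinctive message in the rcud log, which makes them easy to triage automatically. The following script is an added example (not part of the original text or of Riverbed's software): it parses mgmtd and rcud lines in the format of Figures 8.33 to 8.35, rejoins the lines that the figures wrap with a trailing backslash, and maps each known error signature to its cause and the prerequisite that addresses it. The log samples are constructed from the figures; the log format regex and the mapping of messages to causes are assumptions based only on those figures.

```python
"""Triage of Steelhead domain join failures from mgmtd/rcud log lines.

Added example, not Riverbed code. The signatures and remediations are taken
from the three failure cases described in the text.
"""
import re

# Known failure signatures (from the figures) -> cause and the prerequisite to revisit.
FAILURE_SIGNATURES = [
    ("Clock skew too great", "clock skew",
     "synchronize the appliance clock with the Domain Controller (NTP)"),
    ("Possible DNS misconfiguration", "dns",
     "make sure the AD domain and its _ldap._tcp SRV record resolve via the "
     "configured DNS servers"),
    ("NT_STATUS_ACCESS_DENIED", "object exists",
     "the computer object already exists; remove it or join with an account "
     "that is allowed to replace it"),
]

# Assumed line format: "proc[pid]: [facility]: msg" (mgmtd) or
# "proc[pid]: [facility] - {- -} msg" (rcud), as in the figures.
LOG_RE = re.compile(
    r"^(?P<proc>\w+)\[(?P<pid>\d+)\]: \[(?P<facility>[^\]]+)\]:?\s*"
    r"(?:-\s*)?(?:\{- -\}\s*)?(?P<msg>.*)$")

# Constructed samples, following Figures 8.33, 8.34 and 8.35.
CLOCK_SKEW_LOG = """\
mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[5610]: [rcud/main/.ERR] - {- -} Join domain failed. Failed to join domain: Error: Uns \\
    pecified GSS failure. Minor code may provide more information : Clock skew too great
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed
"""
DNS_LOG = """\
mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[4637]: [rcud/main/.ERR] - {- -} Failed to join domain: Error: Operations error. Possi \\
    ble DNS misconfiguration.
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed
"""
EXISTING_OBJECT_LOG = """\
mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[14701]: [rcud/main/.ERR] - {- -} Failed to join domain: Failed to set account flags f \\
    or machine account (NT_STATUS_ACCESS_DENIED)
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed
"""


def unwrap(text):
    """Rejoin lines wrapped with a trailing backslash. The figures wrap at a
    fixed column in the middle of a word, so the pieces are joined without a
    separating space."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1].rstrip() + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_log(text):
    """Parse the recognizable lines into dicts with proc, pid, facility, msg."""
    events = []
    for line in unwrap(text):
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def diagnose(text):
    """Return {"failed", "cause", "fix"} for a join attempt. cause is one of the
    known signatures, "unknown" for an unrecognized failure, or None on success."""
    events = parse_log(text)
    failed = any("Join failed" in ev["msg"] or "join domain failed" in ev["msg"].lower()
                 for ev in events)
    for ev in events:
        if not ev["facility"].endswith("ERR"):
            continue
        for needle, cause, fix in FAILURE_SIGNATURES:
            if needle in ev["msg"]:
                return {"failed": True, "cause": cause, "fix": fix}
    if failed:
        return {"failed": True, "cause": "unknown", "fix": "inspect the rcud ERR lines"}
    return {"failed": False, "cause": None, "fix": None}


if __name__ == "__main__":
    for sample in (CLOCK_SKEW_LOG, DNS_LOG, EXISTING_OBJECT_LOG):
        result = diagnose(sample)
        print(f"{result['cause']}: {result['fix']}")
```

Feeding the appliance's system log through diagnose() after a failed join points straight back to the prerequisite in Section 8.7.1 that was not met, instead of requiring someone to read the wrapped rcud messages by hand.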