Netgate Discussion Forum
    Active Directory user accounts

    Category: 2.2 Snapshot Feedback and Problems - RETIRED
    adtheman219:

      Has anyone tried using Active Directory over SSL (Transport=SSL Encrypted) with pfSense for user accounts/authentication? Every time that I enable AD as an authentication server I can log in and use the GUI for a few minutes and then eventually the GUI stops responding. Restarting the webConfigurator and PHP-FPM does not solve the issue. Rebooting the box allows me to log in and use the web GUI again… for a few minutes.

    Pakken:

      Using it since pfSense 2.1 without any kind of problem (using it atm on the new 2.2 build).
      Authenticating against a Windows Server 2012 R2 AD with LDAP over SSL enabled.
      Are you sure the problem is not within your AD server?

    adtheman219:

      I have 3 pfSense boxes at 3 locations, each with a local AD (DC/GC) server. I get the same behavior at each location. I can log into the pfSense GUI with a local account with no problem, but once I use an AD account it only works for a few minutes and then locks up the GUI. Both the AD server and pfSense are connected to the same switch at 1Gbps and both ports show flow control enabled. All AD servers pass dcdiag, and no Windows clients (Windows 7) report issues communicating with AD. Is there something that I can check on the AD or pfSense side that can point me to what the issue may be?

    Pakken:

      Honestly, the only thing I can think of (since I've never had any kind of problem, I doubt it could be a pfSense issue) is the number of accounts inside the Users directory you are browsing when binding to that SSL LDAP server.
      For example, my pfSense box binds to the AD server browsing a path like CN=ITAdmins,CN=Users,DC=domain,DC=com, which contains just the 2 domain admins. Or some kind of problem with your SSL certificate.
      Did you check your AD server system logs to see if it reports anything about hangs or logon issues?

    adtheman219:

      So I just had the lockup happen. I'm now wondering if it's something related to OpenSSL. When I got locked out of the UI I was still able to access the internet; I also noticed that all of my VPN tunnels went down and wouldn't come back up. Once again… rebooting fixed the issue. It seems like OpenSSL puked and everything related to SSL stops working (OpenVPN tunnels and web UI). After the reboot I noticed these entries in the logs:

              Dec 29 22:46:41 openvpn[18854]: SIGUSR1[soft,tls-error] received, process restarting
              Dec 29 22:46:41 openvpn[18854]: Fatal TLS error (check_tls_errors_co), restarting
              Dec 29 22:46:41 openvpn[18854]: TLS Error: TLS handshake failed
              Dec 29 22:46:41 openvpn[18854]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Dec 29 22:46:29 openvpn[19405]: send_push_reply(): safe_cap=940
              Dec 29 22:46:28 openvpn[19405]: Initialization Sequence Completed
              Dec 29 22:46:27 openvpn[19405]: [firewall1] Peer Connection Initiated with [AF_INET] xxx.xx.xx.8:48947

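      To triage the signature described in this thread (TLS negotiation failures ending in an openvpn soft restart, while another openvpn process completes normally), here is a small log classifier. It is an added example, not code from the thread or from pfSense; the sample input is the syslog lines quoted above, and the failure markers are the strings that appear in them.

```python
import re
from collections import defaultdict

# Sample input: the OpenVPN syslog lines quoted in the thread. PID 18854 is the
# failing process, PID 19405 the peer session that completed normally.
SAMPLE_LOG = """\
Dec 29 22:46:41 openvpn[18854]: SIGUSR1[soft,tls-error] received, process restarting
Dec 29 22:46:41 openvpn[18854]: Fatal TLS error (check_tls_errors_co), restarting
Dec 29 22:46:41 openvpn[18854]: TLS Error: TLS handshake failed
Dec 29 22:46:41 openvpn[18854]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 29 22:46:29 openvpn[19405]: send_push_reply(): safe_cap=940
Dec 29 22:46:28 openvpn[19405]: Initialization Sequence Completed
Dec 29 22:46:27 openvpn[19405]: [firewall1] Peer Connection Initiated with [AF_INET] xxx.xx.xx.8:48947
"""

# BSD syslog prefix as written by pfSense: "Mon DD HH:MM:SS openvpn[PID]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Substrings taken from the quoted log; any one of them marks a TLS failure.
TLS_FAILURE_MARKERS = (
    "TLS key negotiation failed",
    "TLS handshake failed",
    "Fatal TLS error",
    "SIGUSR1[soft,tls-error]",
)


def parse_openvpn_log(text):
    """Group lines by openvpn PID; record TLS failure messages and successful init."""
    procs = defaultdict(lambda: {"tls_errors": [], "completed": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an openvpn line; ignore
        rec, msg = procs[m["pid"]], m["msg"]
        if any(marker in msg for marker in TLS_FAILURE_MARKERS):
            rec["tls_errors"].append(msg)
        elif "Initialization Sequence Completed" in msg:
            rec["completed"] = True
    return dict(procs)


def tls_restart_pids(procs):
    """PIDs whose TLS errors ended in a soft restart, the signature seen in the thread."""
    return sorted(pid for pid, rec in procs.items()
                  if any("tls-error" in e for e in rec["tls_errors"]))


if __name__ == "__main__":
    procs = parse_openvpn_log(SAMPLE_LOG)
    for pid in tls_restart_pids(procs):
        print(f"openvpn[{pid}]: {len(procs[pid]['tls_errors'])} TLS failure messages, restarted")
```

      Feeding it the live OpenVPN log on a box that shows this behaviour separates processes that never finished the TLS handshake from those that did, which is the first split to make before blaming the library or the network.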
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.