Active Directory user accounts
Has anyone tried using Active Directory over SSL (Transport=SSL Encrypted) with pfSense for user accounts/authentication? Every time that I enable AD as an authentication server I can log in and use the GUI for a few minutes and then eventually the GUI stops responding. Restarting the webConfigurator and PHP-FPM does not solve the issue. Rebooting the box allows me to log in and use the web GUI again…for a few minutes.
Using it since pfsense 2.1 without any kind of problem. (using it atm on the new 2.2 build)
Authenticating against a Windows Server 2012 R2 AD with ldap over SSL enabled.
Are you sure the problem is not within your AD server?
I have 3 pfSense boxes at 3 locations, each with a local AD (DC/GC) server. I get the same behavior at each location. I can log into the pfSense GUI with a local account with no problem, but once I use an AD account it only works for a few minutes and then locks up the GUI. Both the AD server and pfSense are connected to the same switch at 1Gbps and both ports show flow control enabled. All AD servers pass dcdiag, and no Windows clients (Windows 7) report issues communicating with AD. Is there something that I can check on the AD or pfSense side that can point me to what the issue may be?
Honestly, the only thing I can think of (since I've never had any kind of problem, I doubt it could be a pfSense issue) is the number of accounts inside the Users directory you are browsing when binding to that SSL LDAP server.
For example, my pfsense box binds to the AD server browsing a path like CN=ITAdmins,CN=Users,DC=domain,DC=com, which contains just the 2 domain admins. Or some kind of problem with your ssl certificate.
Did you check your AD server system logs to see if it reports anything about hangs or logon issues?
So I just had the lockup happen. I'm now wondering if it's something related to OpenSSL. When I got locked out of the UI I was still able to access the internet; I also noticed that all of my VPN tunnels went down and wouldn't come back up. Once again…rebooting fixed the issue. It seems like OpenSSL puked and everything related to SSL stops working (OpenVPN tunnels and web UI). After reboot I noticed these entries in the logs:
Dec 29 22:46:41 openvpn: SIGUSR1[soft,tls-error] received, process restarting
Dec 29 22:46:41 openvpn: Fatal TLS error (check_tls_errors_co), restarting
Dec 29 22:46:41 openvpn: TLS Error: TLS handshake failed
Dec 29 22:46:41 openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 29 22:46:29 openvpn: send_push_reply(): safe_cap=940
Dec 29 22:46:28 openvpn: Initialization Sequence Completed
Dec 29 22:46:27 openvpn: [firewall1] Peer Connection Initiated with [AF_INET] xxx.xx.xx.8:48947