One specific domain user out of about a hundred fails VPN login using LDAP

We have one user at our company who can’t log in to VPN. The web UI and mobile SSL VPN client both give him authentication errors.

The Firebox SSL client says “Could not download the configuration from the server. Do you want to connect using the most recent configuration?” If I select no, it fails authentication and if I select yes, it acts like it’s going to connect but hangs at “PUSH_REQUEST (status=1)” and then fails.

On the firebox, I can go to test the server connection with my username, my other admin’s username, etc. and all test successfully, but this other guy, when testing his connection, it gives the error

"Connect to server: Ok (connected to x.x.x.x)

Log in (bind): Failed (user [email protected] is not authenticated[Internal error: stay too long on one state.])"

He hasn’t changed his password in a few weeks and it’s not set to expire. This weekend, I manually reset it to the same password he’s been using.

He’s in the VPN AD permissions group and he can log in to everything we can think of with his domain credentials on the domain itself. The firebox is the only thing that doesn’t seem to like his account and I have no idea why.

On the web UI, if I select domain login from the drop down, it says invalid credentials. I manually created him an account on the firebox-DB server and added him to the SSL VPN users group with that firebox-db account, and if I select firebox-db authentication, his account works, but I don’t know how to tell the Watchguard SSL VPN client or Open VPN (which also works for me and others but not him) how to authenticate to Firebox-DB. There is not a dropdown box for this.

I’ve checked in the Mobile VPN settings on the firewall in Authentication and his firebox-db account is there and checkbox enabled.

I guess I have 2 questions with this. What could I look at for his account specifically that would be causing domain authentication to fail when he can authenticate everywhere else on our network?

And second, is there a way to tell the watchguard VPN client to use the firebox-db authentication first?

On the authentication server settings, I see our domain at the top and then the firebox-db under that. If I move firebox-db above the domain, do users who have been authenticating via domain credentials who don’t have a firebox-db user account fail their login or does the VPN client know to move on to the next authentication server?

You can prepend Firebox-DB\

Try removing any special characters from their password and see if it works.

Yes if you reorder the auth servers, then anyone who is using domain auth would fail. They would need to prepend domain\ at that point and presumably that’s not what they were doing before

Odd issue with the password. Maybe some random edge case. Not sure I’ll be of much help without getting hands on.

Does it not work for any location? Or just when the user is at home? Overlapping subnet?

Thanks. This worked. As long as this doesn’t turn into a widespread problem, I may be ok with this one guy’s account being busted.

No specials in his password.

Yeah, it happens no matter what network/WAN. My home internet, his home internet, etc.

It’s erroring out on the firebox directory test itself when I put his credentials in but mine and a few others I had test succeed.

I don’t think so. It’s a Windows desktop PC setup he and myself have been testing on.

Try deleting the user and recreate him? Also what firmware is the FB? Maybe an update might fix it?

This guy is one of the execs for part of our company and is tied into who knows how many systems. I’m only a month or so into managing this company and don’t want to mess with his account if I don’t have to.

He’s working with prepending the username with firebox-db\ so I may just leave him as is on that. If he starts having issues with the rest of his domain stuff, I may be willing to take more drastic actions.

Firewall is an M470 running version 12.8.B659436

Okay, yeah, good call. I don’t blame you; if it’s working ATM, don’t break it any worse :joy:… I would guess if you have active support WG can take a look. Just give them read only support access. Sometimes it could be something as simple as a check box that needs to be checked or UN-checked. Also might want to do a stare and compare with a working account and see if something is different with his account.

If it’s a really “tied in” exec, they may be a domain admin or any list of things that are not best practice, especially if they’ve been at the company for a long time. Your workaround may be the only way to make it happen for now unless tech support has some good info for you. I also saw a bug a long time ago that if a user is a member of a ton of groups the firewall may not read all the way down to the SSLVPN group listing and fail.
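The "stare and compare" suggested above can be scripted. This is an added example, not code from the thread or from WatchGuard; it assumes the ActiveDirectory module is available, and the account names and VPN group name are placeholders. It pulls the attributes that usually matter for an LDAP bind and group lookup (enabled/locked/expired state, pwdLastSet, UAC flags, direct group count, recursive membership in the VPN group) for a working account and the failing one, then prints only what differs.

```powershell
# Compare AD attributes that affect an LDAP bind / group lookup between a
# working account and the failing one. Account and group names are placeholders.
Import-Module ActiveDirectory

$working  = 'working.user'   # assumed sAMAccountName of an account that authenticates
$failing  = 'failing.user'   # assumed sAMAccountName of the account that does not
$vpnGroup = 'VPN Users'      # assumed name of the AD group the Firebox checks

$props = 'memberOf','userAccountControl','pwdLastSet','PasswordExpired','LockedOut',
         'Enabled','userPrincipalName','DistinguishedName','PasswordNeverExpires'

function Get-AuthProfile {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    # Recursive membership: the user may reach the VPN group through nesting,
    # and a very long memberOf list is the edge case mentioned in the thread.
    $inVpn = Get-ADGroupMember -Identity $vpnGroup -Recursive |
             Where-Object { $_.SamAccountName -eq $u.SamAccountName }
    [pscustomobject]@{
        User                 = $u.SamAccountName
        UPN                  = $u.UserPrincipalName
        DNLength             = $u.DistinguishedName.Length
        DirectGroupCount     = @($u.memberOf).Count
        InVpnGroupRecursive  = [bool]$inVpn
        Enabled              = $u.Enabled
        LockedOut            = $u.LockedOut
        PasswordExpired      = $u.PasswordExpired
        PasswordNeverExpires = $u.PasswordNeverExpires
        PwdLastSet           = [datetime]::FromFileTime($u.pwdLastSet)
        UACFlags             = $u.userAccountControl
    }
}

$a = Get-AuthProfile $working
$b = Get-AuthProfile $failing

# Print only the properties that differ between the two accounts.
foreach ($p in $a.PSObject.Properties.Name) {
    if ("$($a.$p)" -ne "$($b.$p)") {
        '{0,-22} working={1}  failing={2}' -f $p, $a.$p, $b.$p
    }
}
```

A large DirectGroupCount or DNLength on the failing account, or InVpnGroupRecursive showing membership only through nesting, is the kind of difference worth raising with support before touching the account.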