Directory Connector FAQs
=== The UN LS never completes or isn't working. Why? ===
You'll need to make sure Domain Controller has the following settings:
ComputerConf > Policies > Admin Templates > System > Scripts - Run logon scripts synchronously = disabled - Run startup scripts asynchronously = enabled UserConf > Policies > Admin Templates > System > Scripts - Run logon scripts synchronously = disabled
One user solved his issue by adding the script here:
UserConf > Policies > Administrative Templates > System > Logon > Run These Programs at System Logon
- 1 What about shared IP addresses, like with a Terminal Server?
- 2 Why can I only see 1000 users?
- 3 The Active Directory Login Script is still not working - what can I do?
- 4 Does the GPMC (Group Policy Management Console) work with a 64bit OS?
- 5 Why are my Security Groups not showing up?
- 6 I'm authenticating Captive Portal users against Active Directory, but no names show up in the Username Map. Why?
- 7 Can I use the UNLS with my OSX machines?
- 8 Is this supported with all versions of Active Directory?
- 9 I don't know what to enter in the fields!
The Directory Connector works by mapping IP addresses to usernames; any IP address sharing will mean the Directory Connector will not be able to tell theses users apart. After some testing, we've seen that a product called Virtual IP when paired with Captive Portal allows these users to be differentiated and become subject to policies and filtering. This has not been tested with the login script - we'll update this entry when we have more information. Virtual IP is only available as a part of the Thinomenon Access Suite.
There is one other way to accomplish this if you are running Windows Server 2008 r2:
- On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
- In the Edit settings area, under RD IP Virtualization, double-click IP Virtualization.
- In the Properties dialog box, click the RD IP Virtualization tab.
- To enable Remote Desktop IP Virtualization, select the Enable IP virtualization check box to enable Remote Desktop IP Virtualization.
- To select the network adapter to be used for Remote Desktop IP Virtualization, in the Select the network adapter to be used for IP virtualization list, select the appropriate network adapter.
- To select the Remote Desktop IP Virtualization mode, under IP virtualization mode: Click Per session to configure Remote Desktop IP Virtualization to run in per session mode.
- If you have more than one Ethernet adapter on the server you may need to change between them back in step 5. I rebooted the server after the first tests failed but it ended up needing the other adapter.
A big thanks to Sean M. from the Untangle Community!
Why can I only see 1000 users?
Untangle can read more than 1000 users from Active Directory, however your AD server must be configured to send more than 1000 users. Run these commands from the command prompt on the AD server to send up to 5000 users:
ntdsutil.exe LDAP policies Connections Connect to server addomainname.local Quit Set MaxPageSize to 5000 Commit Changes Quit Quit
The Active Directory Login Script is still not working - what can I do?
One way to check to see if your logon script is working or not is to check the status page to view the current Username Map. If you are seeing no entries after running the script manually, edit the script and make sure the internal IP of Untangle is listed. If you're in bridge mode, make sure Administrator Alerts isn't telling you your bridge is backwards.
Does the GPMC (Group Policy Management Console) work with a 64bit OS?
Not officially - please check out this link or contact Microsoft for more information.
Why are my Security Groups not showing up?
Security Groups will not be displayed when using the Active Directory Users button in the settings, but they will be displayed when selecting users in the Policy Manager. Only Security Groups will be shown, not OUs.
I'm authenticating Captive Portal users against Active Directory, but no names show up in the Username Map. Why?
Captive Portal must go into the rack after Directory Connector to properly work - this refers to the order in which they are installed into the rack, not the order they appear in the rack. If you're seeing this issue, simply remove Captive Portal to the rack, then add it back into the rack and reconfigure it. The next time a user logs in through it, they should correctly populate on the Username Map.
Can I use the UNLS with my OSX machines?
While Untangle does not directly support this, one of our users has adapted some existing scrips to provide the same functionality. You can find more information on our forums here.
Is this supported with all versions of Active Directory?
For clients running the UNLS, any version of Windows XP or newer should work. For servers, please see the table below. If you're running Windows Server 2008 and you've installed it with the strictest security settings, you must disable the signed LDAP security requirement. Microsoft has an article for enabling the feature here, however for our purposes it must be disabled. Here are the steps to disabled this setting in Windows 2008.
How to disable the server LDAP signing requirement
- Click Start, click Run, type mmc.exe, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.
- In the Select Group Policy Object dialog box, click Browse.
- In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the #Domains, OUs and linked Group Policy Objects area, and then click OK.
- Click Finish.
- Click OK.
- Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
- Right-click Domain controller: LDAP server signing requirements, and then click Properties.
- In the Domain controller: LDAP server signing requirements Properties dialog box, enable # Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.
- In the Confirm Setting Change dialog box, click Yes.
You should then run gpupdate /force on the server to update the current group policy.
|AD Server OS||Support|
|Windows Server 2012||Yes|
|Windows Server 2012 Essentials||Yes|
|Windows Server 2008||Yes|
|Windows Small Business Server 2008||Yes|
|Windows Small Business Server 2003||No|
|Windows Server 2003, Standard SP2||No|
|Windows 2000 Server||No|
|Windows NT 4.0 Server||No|
I don't know what to enter in the fields!
You can use the image below to get the information directly from your server, however we highly recommend contacting your Active Directory administrator to assist you in setting this up.