Trouble Authenticating with SonicWall NetExtender for One User in AD Group

Asked By TechieTurtle42 On

I'm having an issue with a SonicWall NetExtender setup where VPN access is linked to an Active Directory (AD) security group. Most users in the group can connect without any problems, but one specific user is hitting a wall with a "User cannot authenticate" error. I've confirmed they are in the same AD group, their account is active, and they share the same group memberships as the successful users. AD replication seems fine and their account appears correctly on the SonicWall. I even ran an LDAP test on the firewall with their credentials, and it passed. I'm stumped as to why this one user is the only one facing authentication issues. Could this be related to group membership caching, tokens, or some quirk with the SonicWall? Any insights or fixes would be greatly appreciated!

6 Answers

Answered By TimeKeeper77 On

Also, try to pinpoint when the error occurs. If it happens when they enter the 2FA code, check the time settings on their local machine compared to the SonicWall. Time discrepancies can lead to authentication failures.

Answered By SonicExpert21 On

I remember having similar issues before, and it turned out that tweaking the default groups in AD resolved my authentication problems with NetExtender. It’s worth looking into.

Answered By CloudyGuru99 On

You might want to check for any login restrictions on the user’s profile in AD. It could be a simple fix that prevents them from authenticating properly.

Answered By CuriousCatX On

This might sound a bit silly, but have you checked how many licenses are available on the SonicWall? I ran into a similar issue once where all the SSL licenses were maxed out, which caused authentication failures.

Answered By LogMaster007 On

What do the SonicWall logs show? Sometimes the logs can provide insights into what might be going wrong during the authentication process.

Answered By NetworkNerd88 On

Make sure to double-check the user's group memberships in AD. Specifically, browse directly to their account under AD and check the Dial-in tab. If you’re using Remote Server Administration Tools (RSAT), you might not have access to see it, so it’s best to do this on the Domain Controller using Active Directory Users and Computers (ADUC). Sometimes the settings can differ when you search for a user instead of browsing directly to their object.
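
Added example, not part of any answer above and not SonicWall or Microsoft tooling: a PowerShell comparison of the per-account AD settings the answers point at (logon restrictions, Dial-in permission, group membership) between the failing user and a user who connects fine. The two account names are hypothetical placeholders, and it assumes the ActiveDirectory module is installed and you have read access to both objects.

```powershell
# Added example: diff the AD attributes that commonly differ when one
# user in a VPN group cannot authenticate and the others can.
Import-Module ActiveDirectory

# Hypothetical placeholders: replace with real sAMAccountNames.
$failing = 'failing.user'
$working = 'working.user'

$attrs = 'msNPAllowDialin','logonHours','userWorkstations','accountExpires',
         'primaryGroupID','userAccountControl','lockoutTime','pwdLastSet','memberOf'

function Get-AuthProfile {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties $attrs
    $never = 0, 9223372036854775807   # both values mean "never expires"
    [ordered]@{
        # Dial-in tab: TRUE = allow, FALSE = deny, unset = controlled by NPS policy
        DialInPermission  = if ($null -eq $u.msNPAllowDialin) { 'not set' } else { $u.msNPAllowDialin }
        # logonHours is 21 bytes (one bit per hour of the week); unset = unrestricted
        LogonHours        = if ($u.logonHours) { ($u.logonHours | ForEach-Object { $_.ToString('X2') }) -join '' } else { 'unrestricted' }
        LogOnTo           = if ($u.userWorkstations) { $u.userWorkstations } else { 'all computers' }
        AccountExpires    = if ($u.accountExpires -in $never) { 'never' } else { [datetime]::FromFileTimeUtc($u.accountExpires) }
        # The primary group does not appear in memberOf, so compare it separately
        PrimaryGroupID    = $u.primaryGroupID
        Disabled          = [bool]($u.userAccountControl -band 0x2)
        SmartcardRequired = [bool]($u.userAccountControl -band 0x40000)
        LockedOut         = [bool]($u.lockoutTime -gt 0)
        MustChangePwd     = ($u.pwdLastSet -eq 0)
        MemberOf          = ($u.memberOf | Sort-Object) -join '; '
    }
}

$a = Get-AuthProfile -SamAccountName $failing
$b = Get-AuthProfile -SamAccountName $working

# One row per setting; Differs = True marks what to look at first.
$a.Keys | ForEach-Object {
    [pscustomobject]@{
        Setting = $_
        Failing = $a[$_]
        Working = $b[$_]
        Differs = ("$($a[$_])" -ne "$($b[$_])")
    }
} | Format-Table -AutoSize -Wrap
```

`memberOf` lists only direct memberships, so a difference in nested groups will not show up in this output.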
