-
Title
Management Portal login error: "Make sure that the Active Directory functions correctly, and the machine with Defender Management Portal is able to reach a domain controller." -
Description
When attempting to log into the Management Portal there is an error message showing: "Make sure that the Active Directory functions correctly, and the machine with Defender Management Portal is able to reach a domain controller." -
Cause
wire shark packet captures shows the domain that Defender server is running is in a primary domain. But the AD network is configured to forward DNS lookup requests to a DNS server in a different domain, when it receives an invalid lookup.An Invalid lookup is a name without a suffix. For example if you'd do a lookup for just [DomainName] (one of the AD servers) instead of the correct way of [DomainName].Domain.local, it would forward this request to a DNS server outside of the domain.In the packet captures it can be found that during the login procedure to the Defender Management Portal, it tries to do a lookup to [DomainName], instead of [DomainName].Domain.local.Therefore the request is being forwarded to a DNS server on a different AD domain, in which the Administrator login fails. -
Resolution
Please try the below workaround on the customers environment.
1. The default behavior for group membership validation process can be modified. This is configured by uncommenting the following line within Web.config
Change the line
<!--<add key="authz_group_lookup_as_logged_on_user" value="true"/>-->
to
<add key="authz_group_lookup_as_logged_on_user" value="true" />2. The number of days for which authentication details retrieved in the “Authentication” tab on the Helpdesk page can be configured by creating a new registry key as follows: In the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\Defender\Web Interface key, create a DWORD value “AuthenticationDataWindowDays”. Set the decimal value to the required number of days, set the 1.
3. The Active Directory Global Catalog server can be specified in the Web.config configuration file. If configured, all LDAP queries will then be directed to this GC server. Uncomment the below and provide the IP/FQDN of Active Directory Global Catalog server in the value field <!--<add key="RemoteDC" value="ip address or dns name" />-->
For example, change the line<!--<add key="RemoteDC" value="ip address or dns name" />-->to<add key="RemoteDC" value="192.168.0.1" />-->The key thing is to ensure that the "RemoteDC" setting points to a global catalog server.
Explicitly setting our secondary DC appears to have resolved the problem. It is possible that there may be an inconsistency on how multiple DCs are configured. Confirm the configuration of each DC to match, and then reconfigure Defender to again point to it, the performance should improve.
Restart IIS and test.