This article provides critical information to remember when working with Active Directory (AD) Integration in Exinda. Additionally, it provides troubleshooting steps to be used when collecting logs for further analysis by Exinda Support. Refer to Identify Users on the Network for more information on this topic.
Keep the below information in mind when working with Active Directory (AD) Integration in Exinda:
- The Active Directory Connector needs to be installed in each domain (on a server in the same domain where each Exinda resides).
- The server should be running at least 4.0 .NET Framework.
- Make sure the Logon Policy is enabled in the GPO (Group Policy Object), and if there are GPO conflicts, remove them and add them again.
- Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > AuditPolicy > Audit Logon Events, at least the 'Success' option should be enabled.
- Under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff > Audit Logon, at least the 'Success' option should be enabled.
- Check the configuration and make sure the ports match on the AD Connector and in the WebUI.
- Verify that the Logon Auditing is being logged by navigating to Domain Controller > Event Viewer > Windows Logs > Security > Filter Event ID 4624 (or 4625, for unsuccessful login).
If Exinda and the AD are, for any reason, not synchronizing users and groups information correctly, the best way to troubleshoot is to set up an ExindaAD.log file for analysis, which needs to be done in the Windows Server where the AD Client is installed.
- Create a text file with the following XML script:
<?xml version="1.0" encoding="utf-8"?>
Off Output no tracing and debugging messages.
Error Output error-handling messages.
Warning Output warnings and error-handling messages.
Info Output informational messages, warnings, and error-handling messages.
Verbose Output all debugging and tracing messages.
<add name="ADTraceSwitch" value="Verbose" />
You can disable any of the threads (just uncomment)for debug purposes
<!--add key="DisableSOAP" value="yes"/-->
<!--add key="DisableAD" value="yes"/-->
<!--add key="DisableEL" value="yes"/-->
<add key="LogFile" value="c:\Program Files (x86)\Exinda Networks\ExindaAD\ExindaAD.log" />
- Change the name of the file to
ExindaAD.exe.config(make sure the file is not named
- Place the file in the same directory where the ExindaAD.exe file is. If you did not change the default values when installed, this directory should be in the C:\Program Files (x86)\Exinda Networks\ExindaAD directory.
- Go to services.msc and restart the ExindaAD service.
- A new file will be created called ExindaAD.log in the directory above. Wait for an hour so that the file is filled up with logs.
- Take the file and email it to Exinda Support for further analysis.
Note: the users and groups added by the Active Directory Integration cannot log into Exinda.
This integration is only for monitoring and controlling the traffic for users and groups.