How is your experience with user authentication?

ts client dc client DC agent TS agent user authentication

2 replies to this topic

#1 Manuel Huber


Posted 14 September 2018 - 01:56 AM

Hello,

We have been having great issues getting user authentication to run reliably (DC Client, TS Client) for over one and a half years.

One bug gets fixed, another appears.

It seems to work OK in small environments with a few hundred users, but despite all efforts, it's still unusable in other setups. I have the impression it might be related to size (number of users / terminal servers).

I wonder if only our different setups are affected or if other people have had such experiences as well.

Thank you!



#2 Tomasz Dymek


Posted 14 September 2018 - 02:47 AM

Usually, during the day, I have somewhere between 1500 and 2500 users logged in from AD and 30-50 from terminal server. The Active Directory integration is one of the few things which work well enough on Barracuda. I have 3 domain controllers connected.



#3 Manuel Huber


Posted 13 November 2018 - 06:58 AM

Update:

Regarding DC Agent Authentication:
We received a new version of DC Agent, and for a few weeks now it seems to work reliably. The problem here was that DC Agent, installed on a separate server because the Domain Controllers are Windows Core versions, seemed to cause a memory leak on the DCs. The workaround in this testing version of DC Agent is to terminate and establish the WMI connection to the DC servers every hour, thus no longer causing memory leaks.

Regarding TS Agent Authentication:
We received a new phionnet_phibs binary to install on the firewalls, which made the TS Agent connections more stable.

 

However, we still had one major outage afterwards when suddenly all users authenticated by TS Agent stopped being available on the firewall. None of the ~80 terminal servers were able to get their users to the affected firewalls because the TS client somehow no longer accepted anything.

Interesting fact: according to the GUI (Firewall - Users), users were still authenticated including all their MSAD groups, but in fact not used on the firewall. Live/History view showed no user information.

In this case, restarting phibs several times helped. Restarting only once didn't help.

Prior to getting the updated binary, we also had situations where only deleting the auth.db in /opt/phion/preserve helped, which also terminates users authenticated by DC Agent. I'm not sure if this is solved now or we are just lucky so far.

 

Authentication is such a basic feature of an NG firewall that we are not quite satisfied with the stability yet. We hope Barracuda will invest more time to improve it, because currently there is a risk of complete outages.

It is also a problem that support couldn't tell us how to handle such a situation. Restarting phibs is no big deal, if it really helps. But if the auth.db is broken, then it seems the only solution is to manually delete it, which requires all users to log in again.