Requirements for configuring Windows/Active Directory authentication for Juniper SRX VPN
The following is a checklist of the items needed to configure an SRX running Junos 21.4 to authenticate VPN users against Active Directory (the SRX looks the user up over LDAP, which is why the distinguished names below are required).
- IP address of the Windows domain controller(s): _____________________________________________
- Create a normal, non-privileged user account on the domain named VPNAuth with a complex password, and make sure "Password never expires" is checked. The SRX uses this account only to bind to Active Directory and look up users; it does not need access to any file share, service or administrative group, so do not grant it any. The password you assigned is: __________________
- Create a new Windows security group called "VPNUsers". Anyone who needs VPN access must be added to this group; the SRX will only authenticate members of it.
- The remaining steps are a little more involved, but not difficult.
- Run ADSI Edit on any domain controller as a domain admin. You will find "ADSI Edit" under Administrative Tools, or use Start, Run, adsiedit.msc.
- If the left column shows only "ADSI Edit" with nothing under it, right-click "ADSI Edit" and select "Connect to". In the pop-up window keep the default settings (Default naming context) and click OK.
- In the left column you should now see your server name. To the left of the server name there will be a small arrow (if the arrow is not there, click once on the server name and it should appear). If the arrow is pointing to the right, click it once; it will point down and a folder will appear.
- The name next to that folder starts with "DC=". This is the base DN of your domain. Note the entire name exactly as shown and put it here: _________________
- To the left of that folder there will be another arrow (if it is not there, click once on the folder). If it is pointing to the right, click it once and a number of folders will appear under it.
- The folders underneath are named CN= followed by the name of each Active Directory container, including the Users container. Most organizations put their users and groups in CN=Users. If you created the VPNAuth user and the VPNUsers group there, click once on CN=Users; if you put them in a different container or OU, click once on that one instead.
- After clicking once on CN=Users (or whichever container you created the VPNAuth user and VPNUsers group in), the right-hand pane lists everything in that container. Scroll down to "CN=VPNAuth", right-click it and select Properties.
- In the new window scroll down to "distinguishedName". Double-click it; a new window will appear from which you can highlight, copy and paste the value here (make sure you preserve all spaces and punctuation, the SRX must send this exactly): ____________________________
- Click Cancel to close the attribute window, then Cancel again to close the Properties window and return to ADSI Edit.
- Scroll down to "CN=VPNUsers", right-click it and select Properties.
- In the new window scroll down to "distinguishedName". Double-click it; a new window will appear from which you can highlight, copy and paste the value here (again, preserve all spaces): ____________________________
- Click Cancel to close the attribute window, then Cancel again to close the Properties window and return to ADSI Edit.
- Close ADSI Edit
- Create a test user account for me and put it in the VPNUsers group so I can confirm everything is working correctly. Send me the password you assigned to the test account.
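The same items can be produced from a PowerShell prompt instead of clicking through ADSI Edit, and the script can also check that the VPNAuth account can actually bind to the domain controller and see the group membership, which is what the SRX will do. The script below is an added example written for this page, not part of the original checklist or a Juniper/Microsoft-provided tool. It assumes the RSAT ActiveDirectory module is installed, that it is run as a domain admin on or near a domain controller, that the objects go into the default CN=Users container, that the test account is named "vpntest", and that the domain controller's IP is 192.0.2.10 (replace that with the address you recorded above).

```powershell
# Added example for this checklist (not from the original page).
# Assumptions: RSAT ActiveDirectory module present, run as a domain admin,
# objects created in CN=Users, test account "vpntest", DC address 192.0.2.10.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName      # the "DC=..." value from the checklist
$usersOu  = "CN=Users,$domainDn"
$dcIp     = "192.0.2.10"                           # assumption: your domain controller's IP

# 1. Bind account the SRX uses to search AD. Plain domain user, nothing else:
#    it only needs to read user and group objects.
$bindPw = Read-Host -AsSecureString "Password for VPNAuth"
New-ADUser -Name "VPNAuth" -SamAccountName "VPNAuth" -Path $usersOu `
    -AccountPassword $bindPw -Enabled $true -PasswordNeverExpires $true `
    -Description "SRX LDAP bind account (read-only lookups)"

# 2. Security group that gates VPN access.
New-ADGroup -Name "VPNUsers" -SamAccountName "VPNUsers" -GroupScope Global `
    -GroupCategory Security -Path $usersOu -Description "Allowed to use the SRX VPN"

# 3. Test user, made a member of the group.
$testPw = Read-Host -AsSecureString "Password for vpntest"
New-ADUser -Name "vpntest" -SamAccountName "vpntest" -Path $usersOu `
    -AccountPassword $testPw -Enabled $true
Add-ADGroupMember -Identity "VPNUsers" -Members "vpntest"

# 4. The three values the checklist asks you to copy out of ADSI Edit.
$bindDn  = (Get-ADUser  -Identity "VPNAuth").DistinguishedName
$groupDn = (Get-ADGroup -Identity "VPNUsers").DistinguishedName
"Base DN  : $domainDn"
"Bind DN  : $bindDn"
"Group DN : $groupDn"

# 5. Check: simple-bind as VPNAuth over LDAP (what the SRX does) and confirm
#    vpntest is found and is a member of VPNUsers. Bind() throws on a bad DN/password.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$plainPw = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($bindPw))
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dcIp)
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($bindDn, $plainPw)
$conn.Bind()

$filter  = "(&(sAMAccountName=vpntest)(memberOf=$groupDn))"
$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $domainDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, "distinguishedName")
$result  = $conn.SendRequest($request)
if ($result.Entries.Count -eq 1) {
    "OK: VPNAuth can bind and sees vpntest as a member of VPNUsers"
} else {
    "FAIL: vpntest was not returned as a member of VPNUsers when searching as VPNAuth"
}
$conn.Dispose()
```

The printed Base DN, Bind DN and Group DN are exactly the strings the SRX access profile needs; paste them without altering spacing. Step 5 uses a simple bind on port 389, which sends the VPNAuth password in the clear, so run it only on the management network, and if your domain controllers have a certificate, prefer LDAPS (port 636, with `$conn.SessionOptions.SecureSocketLayer = $true`) for both this check and the SRX itself. If Bind() succeeds but the search returns nothing, the usual cause is a group DN that was copied with a missing or extra space.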