
Client Site Proxy (CSP) domain doesn't match the LDAP domain


Article ID: 161539


Products

Web Security.cloud

Issue/Introduction

You are using the Client Site Proxy for your Web Security.cloud services and it is indicating a different domain than expected.  You may notice that Web Security.cloud URL Filtering rules based on groups do not apply correctly.  This also assumes that you are using the Schemus LDAP Synchronization Tool to synchronize your User/Group data with the Symantec.cloud portal.

Cause

Windows 2000 onwards maintains 2 different domain names: a "pre-windows 2000" domain name (a legacy of Windows NT), and an Active Directory domain name. The latter is generally a DNS name. When you install Windows 2000 or 2003 Server you get to choose both of these; if you upgrade from NT you don’t get to choose the pre-2000 name, but you do get to choose the Active Directory domain name. Usually if you are upgrading from NT with an NT domain name of NTDOM, then your Active Directory name will be something like "ntdom.com". Similarly, if you are installing from scratch and select an Active Directory domain name of "ad-dom.com" then your proposed pre-2000 name will be "AD-DOM". But this doesn’t have to be the case, you can change the default in either case.

In Active Directory, every user effectively has 2 names for their account: the pre-2000 one and the native Active Directory one. Usually these will be (to use generic examples) "DOMAIN\user" and "user@domain.com". But if you have not accepted the defaults when installing or upgrading (as described above), then your two names could be "NTDOM\user" and "user@ad-dom.com".

The default Schemus settings assume you are using the default Active Directory names (i.e. that the pre-2000 and Active Directory domain names are the same). If you’re not, then you can run into trouble. The key thing is that the CSP uses the NTLM authentication protocol, and NTLM always uses the pre-2000 account name to authenticate (e.g. "NTDOM\user"), so even if you logged into your machine as "user@ad-dom.com", when you authenticate with the CSP your browser will send "NTDOM\user" as the username.

More information can be found in this Microsoft TechNet article.

Resolution

The first step is to obtain the CSP access logs to confirm the domain in the Symantec.cloud portal does not match the domain in the access logs.

To fix this you need to make a configuration change within the Schemus configuration. In the "Name template" field on the Schemus LDAP "Search" tab make the following change:

From: %DC[-1]%\\%sAMAccountName%
To: yourdomain\\%sAMAccountName%
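The following is an added example, not code from this article or from Schemus: it renders the name template against constructed sample directory entries and compares the result with the pre-2000 name NTLM sends to the CSP, so you can see which users will fail to match before changing the template. It assumes that %DC[-1]% expands to the domain's own DC label (root-first indexing) and that the expected NetBIOS domain name is known (here "NTDOM").

```python
import re

# Default Schemus name template quoted in the article (one backslash after Python escaping).
DEFAULT_TEMPLATE = "%DC[-1]%\\%sAMAccountName%"

# Constructed sample entries, not real directory data: AD domain "ad-dom.com"
# whose pre-2000 (NetBIOS) name was changed from the proposed default "AD-DOM".
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Staff,DC=ad-dom,DC=com", "sAMAccountName": "alice"},
    {"dn": "CN=Bob,OU=Sales,DC=ad-dom,DC=com", "sAMAccountName": "bob"},
]

_TOKEN = re.compile(r"%DC\[(-?\d+)\]%|%(\w+)%")

def dc_components(dn):
    """DC= labels of a DN ordered root-first, e.g. ['com', 'ad-dom']."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "DC":
            labels.append(value.strip())
    return list(reversed(labels))

def render_name(template, entry):
    """Expand %DC[i]% and %attr% tokens of a Schemus-style template.
    Assumption: %DC[i]% indexes the root-first DC list, so %DC[-1]% is the
    domain's own label ("ad-dom"), the prefix the default template produces."""
    dcs = dc_components(entry["dn"])
    def expand(m):
        if m.group(1) is not None:
            return dcs[int(m.group(1))]
        return entry[m.group(2)]
    return _TOKEN.sub(expand, template)

def ntlm_name(netbios_domain, entry):
    """What the browser sends the CSP over NTLM: pre-2000 domain\\sAMAccountName."""
    return f"{netbios_domain}\\{entry['sAMAccountName']}"

def find_mismatches(template, netbios_domain, entries):
    """Synchronised names that will not match the NTLM name the CSP sees.
    Comparison is case-insensitive, as Windows treats domain and account names."""
    mismatches = []
    for entry in entries:
        synced = render_name(template, entry)
        seen_by_csp = ntlm_name(netbios_domain, entry)
        if synced.lower() != seen_by_csp.lower():
            mismatches.append((synced, seen_by_csp))
    return mismatches
```

With the default template and a NetBIOS name of "NTDOM" every sample user is reported as a mismatch; hardcoding the pre-2000 domain in the template, as the resolution describes, clears the list.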