  1. #1

    Cachepilot and AD integration

    Has anyone got a cachepilot to authenticate users from AD?

    We have a cachepilot 4.1 and have tried to set up the authentication using AD or LDAP. It binds to the domain OK and we've set up the users and groups etc as specified in the instructions.

    However, all the user gets is a long delay, and then a Windows username dialogue box. No matter what credentials are in, it stays at that point.

    Nothing shows in the cachepilot logs - apart from the successful bind message!

    Equiinet weren't much help - they basically gave up on us. It's a bog standard Windows 2003 server domain so nothing weird!

  2. #2


    tom_newton
    Is the time sync'd between AD and the cachepilot?

  3. #3


    You need a global security group in AD with all the appropriate users in it.

    You then create a user in cachepilot with the exact same name as the group you have created above (use all lowercase to simplify things and do not use any spaces or special characters).

    IIRC that's it.

  4. #4

    Time synch'd correctly.

    Global security group with same name as cachepilot user set up.

    Still no joy! I've been trying this for months now and have deleted and recreated the users/groups several times to make sure.

    Did you use AD or LDAP to authenticate? I've tried both.
    Last edited by GoldenWonder; 6th October 2008 at 01:17 PM.

  5. #5


    Quote Originally Posted by GoldenWonder View Post
    Time synch'd correctly.

    Global security group with same name as cachepilot user set up.

    Still no joy! I've been trying this for months now and have deleted and recreated the users/groups several times to make sure.

    Did you use AD or LDAP to authenticate? I've tried both.
    AD. Worked first time, no problems at all, which is an absolute miracle for cachepilot. We've had dodgy cachepilots in the past, maybe yours is the same as you can't really go far wrong when setting up AD integration.

    Do you have 2 domains btw? If you do, give me a shout once you get this bit working as there are issues with users having long names (and by long I mean more than 20 characters including the domain name)

    Our details are as follows;

    Server address: the IP of the DC
    Domain: domain.local (Maybe the local bit is the problem??)
    User: basic user with no rights other than the ability to query AD.
    Last edited by j17sparky; 6th October 2008 at 01:35 PM.

  6. #6

    Equiinet say the box is fine

    We have a single domain - pretty straightforward setup really. The cachepilot logs show the bind works so I guess the details for DC and user account are OK (I've tried a limited user account and an Admin account with the same result)

    Haven't tried the .local on the domain name, I've been using the domain.org.uk FQDN version and the cachepilot gets the short version itself.

    As you say, there's not much else to do!

  7. #7


    Quote Originally Posted by GoldenWonder View Post
    Equiinet say the box is fine

    We have a single domain - pretty straightforward setup really. The cachepilot logs show the bind works so I guess the details for DC and user account are OK (I've tried a limited user account and an Admin account with the same result)

    Haven't tried the .local on the domain name, I've been using the domain.org.uk FQDN version and the cachepilot gets the short version itself.

    As you say, there's not much else to do!
    I only said .local as that's what ours is. If your domain is a valid FQDN then yeah you should be using that.

    Maybe you should take a magnet to the HD so that they are forced to reinstall for you. We, and other schools, have had numerous problems which Equiinet replied with "not our fault boss", only for us to later discover it was their fault.

  8. #8

    Tempted to take the magnet approach!

    But without the internet the teachers could not teach

  9. #9

    Did anyone else set delegation rights on the cachepilot's AD object?

    I notice the DC has a load of the following errors when binding to the domain:

    Event Type: Error
    Event Source: KDC
    Event Category: None
    Event ID: 27
    Date: 06/10/2008
    Time: 16:23:09
    User: N/A
    Computer: <server>
    Description:
    While processing a TGS request for the target server host/<cachepilot>-web.<domain>, the account <cachepilot>-WEB$@<domain> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 2. The accounts available etypes were 23 -133 -128 3 1.


    If I set the cachepilot's object to allow delegation for Kerberos these errors disappear, but it still fails to authenticate!

    Any more of this and it's going out of the window, and a nice new ISA server will take its place....
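
The KDC Event ID 27 quoted in post #9 lists the encryption types the client requested and the ones the account holds keys for. As an added example (not part of the thread, and not Equiinet or Microsoft code), this Python parser reads that description text and reports whether the two lists overlap; the host and domain names in the sample are placeholders standing in for the redacted ones.

```python
import re

# IANA-registered Kerberos encryption type numbers (RFC 3961/3962/4757).
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
WEAK = {1, 2, 3, 24}  # single-DES and export-grade RC4

# Constructed sample: the Description text quoted in the post, with
# placeholder host and domain names substituted for the redacted ones.
SAMPLE = (
    "While processing a TGS request for the target server "
    "host/proxy-web.example.org, the account PROXY-WEB$@EXAMPLE.ORG did not "
    "have a suitable key for generating a Kerberos ticket (the missing key "
    "has an ID of 8). The requested etypes were 2. The accounts available "
    "etypes were 23 -133 -128 3 1."
)

PATTERN = re.compile(
    r"target server (?P<spn>\S+), the account (?P<account>\S+) did not have"
    r".*?requested etypes were (?P<req>[-\d ]+)\."
    r".*?available etypes were (?P<avail>[-\d ]+)\.",
    re.S,
)

def name(etype):
    """Readable name; negative numbers are vendor-private, not IANA-assigned."""
    if etype < 0:
        return f"vendor-private({etype})"
    return ETYPES.get(etype, f"unknown({etype})")

def triage(description):
    """Parse one Event ID 27 description; return None if it does not match."""
    m = PATTERN.search(description)
    if m is None:
        return None
    req = [int(x) for x in m["req"].split()]
    avail = [int(x) for x in m["avail"].split()]
    return {
        "spn": m["spn"],
        "account": m["account"],
        "requested": [name(e) for e in req],
        "available": [name(e) for e in avail],
        "common": [name(e) for e in req if e in avail],
        "weak_requested": [name(e) for e in req if e in WEAK],
    }
```

For the event in the post, `triage(SAMPLE)["common"]` is empty: the only requested type is des-cbc-md4, for which the account holds no key.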

  10. #10

    The cachepilots won't work unless you have a FQDN as I've found out; 1 of my schools doesn't have a '.local' after its name so we have to build a new domain.

  11. #11

    Using LDAP here with the following setup in two schools:

    CachePilot

    Groups

    SiteCode_Students
    SiteCode_Staff
    SiteCode_Open
    etc

    Users

    Internet_Students
    Internet_Staff
    Internet_Open
    etc

    Groups set up first and then user matched to most appropriate group.

    LDAP configured:

    Server IP: 10.x.x.x
    User Dir: OU=Establishments,DC=schoolname,DC=internal
    User: CPAdmin,OU=CP
    Pass:

    Web Access: authorised users; url-filter

    AD Side

    Security groups set up to match CachePilot Users with Establishments\SiteCode

    Users

    Internet_Students
    Internet_Staff
    Internet_Open
    etc

    Then obviously network users are members of the appropriate groups.

    AD Structure

    |schoolname.internal
    -Establishments
    --SiteCode
    --CP

    CPAdmin is a member of the OU=CP at the same level as SiteCode with just Domain Users membership. Password same as in CachePilot LDAP settings.

    If your cachepilot already runs off schoolname.internal the same as your network then this should just work a treat. If not you could always get it changed to that - two minute job (unless you have to wait around for your LEA to do it).

    In which case you're probably on schoolname.local so you need to do some DNSing:

    DNS

    Under Forward Lookup Zones create a new zone called 'local' then a new domain called *the bit before .local (whatever your CachePilot prompts with on authentication)* then within that domain create an A record named cachepilot pointing to the cachepilot IP Address.

    Hope this helps you get it working.
