DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Active directory connection

03 May 2017 15:24 #7 by jamescodefour
Replied by jamescodefour on topic Re: Active directory connection
Finally got it to work... sort of. If I try VPNing into the DrayTek using LDAP for auth, it works only if I use the server's administrator account. Any other user is rejected as bad UN or PW?


05 May 2017 11:21 #8 by gilbad
Hi James,

Apologies - I've been caught up in house things (moving) and completely forgot about this.

I had a similar issue with some ASAs - but it turned out that the displayName had to equal the username - not helpful!

If you elevate a test user to server administrator can they connect?

Unfortunately I don't have an environment here that I can have a play with to try and replicate what you are getting; very frustrating as this is interesting.

I'd check the forest DSHeuristics value and then binding security for the ou.

Have you looked into using regular binding as opposed to simple on the DrayTek? Did you change anything to get it to work so far, or just try the server admin account?

Cheers
Adam


05 May 2017 12:01 #9 by jamescodefour
Hi Adam,

Yes, ever so frustrating. I have elevated a test user to Admin level, still without success.

I've also changed the 'displayname' on a new user to match the username, again without success. I just can't see why the builtin Administrator account works just fine.

What do I need to add in the DrayTek to support regular mode?


05 May 2017 12:09 #10 by jamescodefour
I think I've just cracked it. You're right about the display name.

If I edit an existing user to change their display name from John Smith to JohnSmith (to match the account name) it still does not work. However, if I create a new user with the name JohnSmith and account name JohnSmith then it does work.

Any way round this?


05 May 2017 13:05 #11 by gilbad
Hi James,

I'm not sure if this will work - but try changing the common name identifier field to userPrincipalName.

Then have another go with authenticating using the username rather than display name.

It's likely you'll need to specify the domain after the username.

Another way would be to try sAMAccountName; this should skip the need for the domain name - but it's a legacy field (it maps to the pre-Windows 2000 username).

Thanks
Adam

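The behaviour in the last few posts (the built-in Administrator working, a renamed displayName not helping, a freshly created "JohnSmith" working, and the UPN needing a domain suffix) follows from which attribute the gateway matches the typed login name against. In AD the object's CN is its RDN and is set from the "Name" given at creation; editing "Display name" afterwards changes displayName only, which is why editing the existing "John Smith" did nothing while creating a new user named "JohnSmith" worked. Administrator works everywhere because its CN, sAMAccountName and UPN prefix are all the same string. The model below is an added, offline example and not DrayTek's code or anything posted in this thread: it assumes the gateway resolves a login as `<identifier>=<login>` under a configured base DN and then presents the matched entry to AD in one of the three name forms AD accepts for a simple bind (full DN, UPN, or `DOMAIN\sAMAccountName`). The directory entries, base DN and NetBIOS name are constructed.

```python
"""Model of how a VPN gateway maps a typed login name to an AD bind identity.

Constructed example, not DrayTek code. Assumes the gateway matches the login
against one configurable attribute ("common name identifier") and binds as the
entry it finds; BASE_DN, NETBIOS_DOMAIN and the users below are made up.
"""
from dataclasses import dataclass
from typing import Optional

BASE_DN = "OU=Users,DC=corp,DC=example"  # assumed base DN configured on the gateway
NETBIOS_DOMAIN = "CORP"                   # assumed NetBIOS domain name


@dataclass(frozen=True)
class ADUser:
    cn: str                 # RDN; set from "Name" when the object is created
    sAMAccountName: str     # pre-Windows 2000 logon name
    userPrincipalName: str  # user@dns-domain
    displayName: str        # cosmetic; editing it does not rename the object


# Constructed directory contents (not real accounts).
DIRECTORY = (
    ADUser("Administrator", "Administrator", "Administrator@corp.example", "Administrator"),
    # Created as "John Smith", logon name jsmith; displayName later edited to "JohnSmith".
    ADUser("John Smith", "jsmith", "jsmith@corp.example", "JohnSmith"),
    # Created with Name and logon name both "JohnSmith".
    ADUser("JohnSmith", "JohnSmith", "JohnSmith@corp.example", "JohnSmith"),
)


def find_user(identifier: str, login: str) -> Optional[ADUser]:
    """Return the entry whose <identifier> attribute equals the login value.

    Matching is case-insensitive, as it is for these attributes in AD.
    """
    wanted = login.casefold()
    for user in DIRECTORY:
        if getattr(user, identifier).casefold() == wanted:
            return user
    return None


def bind_name(identifier: str, login: str) -> Optional[str]:
    """Name the gateway would present in an LDAP simple bind, or None if no match."""
    user = find_user(identifier, login)
    if user is None:
        return None
    if identifier == "cn":
        return f"CN={user.cn},{BASE_DN}"                   # full DN
    if identifier == "userPrincipalName":
        return user.userPrincipalName                      # UPN form
    if identifier == "sAMAccountName":
        return f"{NETBIOS_DOMAIN}\\{user.sAMAccountName}"  # DOMAIN\user form
    raise ValueError(f"unsupported identifier attribute: {identifier}")


def explain(identifier: str, login: str) -> str:
    """One-line description of the outcome for a given identifier and login."""
    name = bind_name(identifier, login)
    outcome = f"bind as {name}" if name else "no such user, login rejected"
    return f"{identifier}={login!r}: {outcome}"


if __name__ == "__main__":
    for ident, login in [
        ("cn", "Administrator"),                   # works: CN equals the logon name
        ("cn", "jsmith"),                          # fails: CN is "John Smith"
        ("cn", "JohnSmith"),                       # works only for the newly created user
        ("userPrincipalName", "jsmith"),           # fails: UPN needs the domain suffix
        ("userPrincipalName", "jsmith@corp.example"),
        ("sAMAccountName", "jsmith"),              # works without a domain
    ]:
        print(explain(ident, login))
```

Running it prints which of the six logins resolve and in what bind form. The practical check against a real DC is the same idea: an `ldapsearch -D` (or an `ldp.exe` bind) with the exact string the gateway would build, because a DN that does not exist under the base DN fails with the same "invalid credentials" result as a wrong password, which is what makes this symptom look like a bad username or password.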

05 May 2017 13:49 #12 by jamescodefour
Thanks Adam, really getting somewhere now. That worked.

However, last bug I think. If I VPN into the DrayTek using some domain creds and leave the domain field blank, it works just fine. If I tick the 'Automatically use my Windows logon name and password (and domain if any)' option, it fails with Error 619: "A connection to the remote computer could not be established".
