Hello,
does anyone know how to set up an AD LDS to authenticate with AD accounts, such as a vSphere Appliance (VCSA)? Or other Linux-based systems?
Our Setup
- AD with Windows Server 2016, all function levels are 2016
- one forest with multiple domains
- there are several internal systems (e.g. VCSA) which are located on the internal network and which use our AD as identity source for SSO - no problems here
Now an external service provider is to host and operate a web application for us. It is a requirement that our users can then log in via their AD accounts. For this purpose, a connection to our AD must be established. For data protection reasons, however, we cannot establish a direct connection to our AD, because otherwise the external service provider could read the information of all users from the entire AD, even those that have nothing to do with the mentioned web application. Restricting the access rights (denying read access) would be extremely time-consuming or not feasible at all without a complete restructuring of our AD structures. Hence the idea of doing that via an AD LDS.
So we have an AD with multiple domains behind a firewall. In front of the firewall is a Windows Server 2016 with AD LDS (hereinafter referred to as "LDAP proxy"). The LDAP proxy is a member of one of the internal domains. This domain membership is fully functional, and the appropriate rules are set up in the FW. So far no problem.
The LDAP proxy synchronizes selected AD accounts from the different domains and creates userProxy objects in its LDAP. So far so good, no problem.
What does not work is the connection as an identity source, e.g. in a VCSA, which is also in the same subnet as the LDAP proxy in front of the FW.
When we try to set up the identity source on the VCSA, the LDAP proxy logs in the security event log:
(translated from the German message text)
Audit Failed - Event ID 4776
An attempt was made to verify the credentials for an account.
Authentication package: ADAM_XyZ
Login account: CN=XyZuser1,OU=Benutzer,DC=XyZ,DC=ADproxy,DC=local
Workstation: 192.168.245.35:34760
Error code: 0xC000006D
The error code varies.
If we use the NT login name such as "domain\samaccountname" to set up the identity source, then the error code is 0xC0000064.
Meaning: User login with misspelled or incorrect user account
This seems logical because the userProxy object contains the sAMAccountName, but not the NetBIOS name of the domain.
If we use the UPN such as "name@domain.tld" to set up the identity source, then the error code is 0xC000006D.
Meaning: This is due to either a bad user name or authentication information.
The UPN is contained in the userProxy object and the event log message also contains the correctly recognized DistinguishedName.
I tried to set up the identity source with three accounts: an account that is synchronized to the LDAP proxy, an AD account that is not synchronized, and a local account of the LDAP proxy (all three are members of the Readers role in AD LDS).
What I can rule out:
- incorrect user name -- multiple attempts
- wrong password -- multiple attempts
- Missing open TCP/UDP ports -- I disabled the local firewall of the LDAP proxy for testing, and there is no other FW between VCSA and LDAP proxy.
So I'm doing something wrong. Does anyone have any idea?
E.
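An added diagnostic, not part of the original post: a PowerShell bind test, run from any Windows box in the same subnet, that takes the VCSA out of the picture and performs the one bind form AD LDS actually redirects to AD, a simple (AuthType Basic) bind with the full DN of the userProxy object over LDAPS. The host name, port and password prompt are assumptions; the DN is the one from the event log above, and the SSL default reflects the fact that AD LDS rejects proxy binds over clear text unless RequireSecureProxyBind=0 is set in the configuration set's msDS-Other-Settings.

```powershell
# Added diagnostic, not from the original post. Assumed: AD LDS host name and
# LDAPS port. The bind DN is the userProxy DN reported in event 4776 above.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdLdsProxyBind {
    param(
        [Parameter(Mandatory)] [string] $Server,          # AD LDS host (assumed name)
        [int] $Port = 636,                                # LDAPS port of the instance (assumed)
        [Parameter(Mandatory)] [string] $BindDn,          # DN of the userProxy object
        [Parameter(Mandatory)] [securestring] $Password,  # password of the *AD* account behind the proxy
        [switch] $NoSsl                                   # only valid if RequireSecureProxyBind=0
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Bind redirection to AD only happens for a simple bind. A Negotiate/NTLM
    # bind is evaluated against the AD LDS host's own security accounts instead.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    # By default AD LDS refuses a proxy bind that is not protected by SSL, so
    # test over LDAPS unless the instance has explicitly been reconfigured.
    $conn.SessionOptions.SecureSocketLayer = -not $NoSsl
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
    try {
        $conn.Bind()
        [pscustomobject]@{ BindDn = $BindDn; Result = 'Success'; Detail = '' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode is the LDAP result (49 = invalidCredentials); ServerErrorMessage
        # is the server-side diagnostic text that explains why the bind was refused.
        [pscustomobject]@{
            BindDn = $BindDn
            Result = "LdapError $($_.Exception.ErrorCode)"
            Detail = $_.Exception.ServerErrorMessage
        }
    } finally {
        $conn.Dispose()
    }
}

# Example call (assumed host name; DN taken from the event log in the post).
$pw = Read-Host -AsSecureString -Prompt 'Password of the AD account XyZuser1'
Test-AdLdsProxyBind -Server 'ldapproxy.example.local' -Port 636 `
    -BindDn 'CN=XyZuser1,OU=Benutzer,DC=XyZ,DC=ADproxy,DC=local' -Password $pw
```

If the call succeeds here but the VCSA identity source still fails, the difference lies in the bind form VCSA sends (UPN or domain\sAMAccountName over a possibly non-SSL port), not in the proxy's link to AD; if the SSL handshake fails before the bind, the client does not trust the instance's certificate, which is fixed by installing the issuing CA rather than by disabling verification.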