So I set up an Active Directory backend group. The test function authenticates just fine, but when I try to login with such a user in the user portal, it fails with 'Invalid username/password, or access denied by policy'. I've tried to follow the HOWTO by balfson, but no luck. Not sure where to proceed :(
What do you learn from the following after attempting a failed login?
grep 'caller="portal"' /var/log/aua.log|tail
Cheers - Bob
NB: I have two radius servers (the two DCs) and an AD server (one of the DCs). The two radius servers in sophos are disabled for this test. So I have this:
2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (adirectory)"
2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.7 (radius) is disabled"
2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.13 (radius) is disabled"
2019:01:23-16:12:19 gateway aua[32464]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.122" host="" user="dswartz" caller="portal" reason="DENIED"
I just checked the DC's security log, and there are 'audit success' not failure entries. I am experimenting right now, so the sophos VM WAN is actually on my LAN, and its LAN interface is on another subnet. So when it tries to talk to radius or AD on the DC, it goes out the WAN. I can't imagine that's at fault, as the DC *is* seeing requests. Are there any other log entries you would like?
I think also this is not specific to AD. If I disable 'adirectory' and enable either of the radius servers, I get the exact same failure. Same log snippet here:
2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.13 (adirectory) is disabled"
2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.7 (radius) is disabled"
2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (radius)"
2019:01:23-16:20:00 gateway aua[652]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.122" host="" user="dswartz" caller="portal" reason="DENIED"
The UTM log is saying that your AD server has denied authentication. Unless this is a new bug in V9.6, this has to be an issue with the DC and/or the password and/or the Backend Group and/or the Security Group in AD.
Cheers - Bob
The UTM log is saying that your AD server has denied authentication. Unless this is a new bug in V9.6, this has to be an issue with the DC and/or the password and/or the Backend Group and/or the Security Group in AD.
Cheers - Bob
That's what I thought, but then why does it print an audit failure in the AD log when i enter an explicitly wrong password? Also, I just retried the authentication test in the 'adirectory' screen and it worked, and I see this:
2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test request: m:adirectory, f:none, u:dswartz, ip:0.0.0.0, host:"
2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Testing method adirectory"
2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (adirectory)"
2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test successfull"
I wonder if the portal is passing something I don't expect? I am using the exact same name and password in the portal as in the authentication test, and the former fails, but the latter works. And if the problem was on the AD end, I would expect to see an audit failure message (as I do in fact see if I enter a wrong password.) Is there a way to turn up verbosity/debugging to see what the portal is doing? Thanks!
Aha, success! (sort of). I had been unable to get radius working from the portal either. Perusing of the failure log on the DC, the portal is passing an authentication type of PAP, which is insecure, so disallowed by default. As an experiment, I enabled the insecure protocols, and now, I can get to the User Portal. I obviously don't want this as a 'real solution', so I think I have to have two NPS policies on the DC: one secure one for however authenticate for an SSL VPN, and one that allows PAP, but only from the portal. Active Directory is still not working, but I think I have to declare victory and move on (although I'd love to know what the problem is...)
A few more possibilities:
Well, I'm stumped. I hadn't joined the UTM to the domain with single sign-on - didn't think that was a requirement. I have this in my two AD server configs:
BIND DN: CN=Administrator,CN=users,DC=druber,DC=com
BASE DN: CN=users,DC=druber,DC=com
Test server settings and authenticate example user both work. The portal doesn't. When I click on limit users when defining the active directory group, it shows me as list of the normal users, which I can drag to the lower pane, and it looks okay. My entry:
CN=Dan Swartzendruber,CN=Users,DC=druber,DC=com
In the above case, samAccountName is 'dswartz'. This is what I tested authentication with for both AD servers, and it works. Is this maybe not what should be going in the user portal username box?
As far as I know, if you using an Active Directory authentication server, you are expected to configure the single sign-on tab so that UTM joins the domain. I have never heard of anyone doing it otherwise, but it may be supported. Another reason to ask support for help.
You can use LDAP instead of Active Directory. It is necessary if you need to support a second, third, or fourth Active Directory domain, since UTM can only join one domain. In my experience, LDAP behaves interchangeably with AD. If want to use LDAP, review my writeup in the Wiki section for a detailed tutorial.
The key differences between the two is that an Active Directory PC creates a session using the computer account, then uses the computer account to validate the user login. In LDAP mode, the program uses a user account to log in with administrative privileges, then uses that user account to validate the other user login.
