Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3153
Views
0
Helpful
12
Replies

Auth Proxy and AD Group Membership not Working

Go to solution
Rylos
Level 1
Level 1

‎06-24-2021 09:40 AM

I’m trying to get the securty_group_dn portion of the auth proxy working, but as soon as I add it, my test user stops working. My AD configuration is very simple but I’ve also tried adding an OU with a group under it and that does not work either. I’m connecting/testing via a sonicwall TZ.

Here is what I use:
Security Group under the Users OU called “VPNUsers”
search_dn=DC=mydomain,DC=local

I’ve tried all of the following:
security_group_dn=CN=VPNUsers,OU=Users,DC=mydomain,DC=local
security_group_dn=CN=VPNUsers,OU=Groups,DC=mydomain,DC=local - per the example, but assumed groups was not needed
security_group_dn=CN=VPNUsers,DC=mydomain,DC=local

I then created a “Security Groups” OU and a group under that called “VPN Users” and tried the below.
security_group_dn=“CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local”

If I remove the security_group_dn line, auth happens perfectly, I get the push etc.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rylos
Level 1
Level 1

‎06-24-2021 12:00 PM

So I did get this working, but not how I really want it to.

Found everywhere when I searched, anytime the OU or CN etc had a space, the config file had the string in quotes. I removed the quotes to the line below, and now it’s working. I remove user from the group, auth fails. I add user to group, auth success.

security_group_dn=CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local

View solution in original post

0 Helpful
12 Replies 12

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎06-24-2021 11:05 AM

The DN you specify for the value of security_group_dn should be the actual DN of the group whose members you want to permit access, whatever it actually is. If the VPNUsers group was not in a Groups OU, you would not add OU=Groups to the group’s DN.

security_group_dn=CN=VPNUsers,OU=Users,DC=mydomain,DC=local = the VPNUsers group is in the default Users container at the root of the domain.

security_group_dn=CN=VPNUsers,OU=Groups,DC=mydomain,DC=local = the VPNUsers group is in a Groups OU at the root of the domain.

security_group_dn=CN=VPNUsers,DC=mydomain,DC=local = the VPNUsers group is at the root of the domain, not within a named OU or container.

Is your test user a direct member of the VPNUsers or VPN Users group (whichever group DN you specified)? Take a look at the authentication proxy log to see what is happening, enabling debug logging and trying to auth as the test user again for even more information.

Duo, not DUO.
0 Helpful

Go to solution
Rylos
Level 1
Level 1
In response to DuoKristina

‎06-24-2021 11:18 AM

This is what debug tells me. Basically says it can’t find it. I’m looking right at it in AD Users and Computers, even copy/pasted to make sure I wasn’t typing it incorrectly etc.

2021-06-24T14:13:43.803579-0400 [_ADAuthClientProtocol (TLSMemoryBIOProtocol),client] C->S LDAPMessage(id=3, value=LDAPSearchRequest(baseObject=‘CN=VPNUsers,OU=Users,DC=mydomain,DC=local’, scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value=‘objectClass’), attributes=(‘objectsid’,)), controls=None)
2021-06-24T14:13:43.819178-0400 [_ADAuthClientProtocol (TLSMemoryBIOProtocol),client] C<-S LDAPMessage(id=3, value=LDAPSearchResultDone(resultCode=32, matchedDN=‘DC=mydomain,DC=local’, errorMessage=“0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:\n\t’DC=mydomain,DC=local’\n\x00”), controls=None)
2021-06-24T14:13:43.819178-0400 [duoauthproxy.lib.log#info] Tried to search security group DN for object sid but it could not be found. Falling back to just checking memberOf. Error: CN=VPNUsers,OU=Users,DC=mydomain,DC=local could not be found

0 Helpful

Go to solution
Rylos
Level 1
Level 1

‎06-24-2021 12:00 PM

So I did get this working, but not how I really want it to.

Found everywhere when I searched, anytime the OU or CN etc had a space, the config file had the string in quotes. I removed the quotes to the line below, and now it’s working. I remove user from the group, auth fails. I add user to group, auth success.

security_group_dn=CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to Rylos

‎06-24-2021 12:04 PM

So I did get this working

Good! Yes, no quotes needed in the DN; if your log output had reflected this I could have called that out.

but not how I really want it to…
I remove user from the group, auth fails. I add user to group, auth success.

This is exactly what it is supposed to do.

Duo, not DUO.
0 Helpful

Go to solution
Rylos
Level 1
Level 1
In response to DuoKristina

‎06-24-2021 12:06 PM

Yeah, this is what I want it to do. I just wanted to not have to use a separate OU with a security group under it. For some reason, it will not validate group membership if the group is under the Built-In Users OU. I tried everything including copying the DN directly from the ldp program on my domain controller.

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to Rylos

‎06-24-2021 12:56 PM

it will not validate group membership if the group is under the Built-In Users OU

This isn’t expected and I just verified that it works (I created the group group in the Users container).

2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=6, value=LDAPSearchRequest(baseObject='CN=group,CN=Users,DC=acme,DC=local', scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value='objectClass'), attributes=('objectsid',)), controls=None)
2021-06-24T19:53:42.757778+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=6, value=L■■■■■■■■■■■■■■■■■■■■(objectName='CN=group,CN=Users,DC=acme,DC=local', attributes=[('objectSid', [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00]A\x92\xe7\xda^\x8f\x963cd:w\xb6\x00\x00'])]), controls=None)
2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=6, value=LDAPSearchResultDone(resultCode=0), controls=None)
Duo, not DUO.
0 Helpful

Go to solution
Rylos
Level 1
Level 1
In response to DuoKristina

‎06-24-2021 12:58 PM

When I did that with CN=VPNUsers,CN=Users it was allowing auth no matter if they were in the VPNUsers group or not. I assume it’s matching on Users.

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to Rylos

‎06-24-2021 01:07 PM

Hmm, I would suggest you look at your config again because it works as I expect when I try a user not in the group and the group located in the built-in Users container.

I took myself (kristina) out of my group group and am denied as expected (no search result when it tries to match on memberof).

2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=11, value=LDAPSearchRequest(baseObject='CN=group,CN=Users,DC=acme,DC=corp', scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value='objectClass'), attributes=('objectsid',)), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=11, value=L■■■■■■■■■■■■■■■■■■■■(objectName='CN=group,CN=Users,DC=acme,DC=corp', attributes=[('objectSid', [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00]A\x92\xe7\xda^\x8f\x963cd:w\xb6\x00\x00'])]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=11, value=LDAPSearchResultDone(resultCode=0), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=12, value=LDAPSearchRequest(baseObject='dc=acme,dc=corp', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='sAMAccountName'), assertionValue=LDAPAssertionValue(value='kristina'))]), LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='memberof'), assertionValue=LDAPAssertionValue(value='CN=group,CN=Users,DC=acme,DC=corp')), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='primarygroupid'), assertionValue=LDAPAssertionValue(value='46711'))]), LDAPFilter_or(value=[LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='user')), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectCategory'), assertionValue=LDAPAssertionValue(value='person'))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='inetOrgPerson')), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='organizationalPerson'))])]), attributes=('msds-PrincipalName',)), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value='ldap://ForestDnsZones.acme.corp/DC=ForestDnsZones,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value='ldap://DomainDnsZones.acme.corp/DC=DomainDnsZones,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value='ldap://acme.corp/CN=Configuration,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=LDAPSearchResultDone(resultCode=0), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#error] Could not find user with username: kristina. It's possible this user does not exist or did not match your configured security filters.

Also might be worth pointing out that the group DN in the example log output you shared isn’t valid:

value=LDAPSearchRequest(baseObject=‘CN=VPNUsers,OU=Users,DC=mydomain,DC=local’,

It should have been CN=Users and not OU=Users if this is intended to be the AD built-in Users container.

Duo, not DUO.
0 Helpful

Go to solution
Rylos
Level 1
Level 1
In response to DuoKristina

‎06-24-2021 01:08 PM

Correct, I found this out when copying the data from ldp on my domain controller. I’ll give it another shot and report back.

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to Rylos

‎06-24-2021 01:11 PM

OK, cool. You can also see the distinguishedName attribute value from ADUC on the object’s properties Attribute Editor tab if you go to View > Advanced Features (if you get tired of switching between ADUC and LDP).

Duo, not DUO.
0 Helpful

Go to solution
Rylos
Level 1
Level 1
In response to DuoKristina

‎06-24-2021 01:14 PM

So things are working as expected now. I’m not exactly sure what it was that was blocking it, but it’s fixed and I can copy/reproduce this now without much effort. Thanks for the sanity check and assistance.

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to Rylos

‎06-24-2021 01:17 PM

Glad you got it working!

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents