Raphka,
Thank You for your reply and Help! You were correct in that my error was due to missing email attributes for the Active Directory Users. I was mistaken in thinking that with the user account being identified by their email address "user"@citelabs.net that this would be sufficient for LDAP to identify the User. By adding the email attribute for each User the LDAP queries are now successful.
For others who might be following this thread I’ll paste your earlier reply below.
Thank You Also for taking the time to explain to me how to decipher the Auth Proxy Client-to-Server logs.
Kind Regards,
RKGraves
**** earlier reply ****
Proxy is always on the left
C is client
S is server.
e.g.1, C->S means the proxy as a Client sent a request to your AD as the server.
e.g.2, C<-S means the proxy as a Client received a response from your DC
2023-03-25T19:14:10.898258-0700 [L■■■■■■■■■■■■■■■■■■■■,RI4MYCQO6MZOY43KTL2A,client] C->S LDAPMessage(id=21, value=LDAPSearchRequest(baseObject=‘DC=CITELABS,DC=net’, scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='mail’), assertionValue=LDAPAssertionValue(value=‘rkgraves@thefam.info’))]), LDAPFilter_or(value=[LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value=‘objectClass’), assertionValue=LDAPAssertionValue(value=‘user’)), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value=‘objectCategory’), assertionValue=LDAPAssertionValue(value=‘person’))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value=‘objectClass’), assertionValue=LDAPAssertionValue(value=‘inetOrgPerson’)), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value=‘objectClass’), assertionValue=LDAPAssertionValue(value=‘organizationalPerson’))])]), attributes=[b’mail’]), controls=[(b’1.2.840.113556.1.4.319’, True, BERSequence(value=[BERInteger(value=5000), BEROctetString(value=‘’)]))])
2023-03-25T19:14:10.898258-0700 [duoauthproxy.lib.log#info] Got signature length 16
2023-03-25T19:14:10.898258-0700 [L■■■■■■■■■■■■■■■■■■■■,RI4MYCQO6MZOY43KTL2A,client] C<-S LDAPMessage(id=21, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value=b’ldap://ForestDnsZones.CITELABS.net/DC=ForestDnsZones,DC=CITELABS,DC=net’)]), controls=None)
2023-03-25T19:14:10.898258-0700 [L■■■■■■■■■■■■■■■■■■■■,RI4MYCQO6MZOY43KTL2A,client] C<-S LDAPMessage(id=21, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value=b’ldap://DomainDnsZones.CITELABS.net/DC=DomainDnsZones,DC=CITELABS,DC=net’)]), controls=None)
2023-03-25T19:14:10.898258-0700 [L■■■■■■■■■■■■■■■■■■■■,RI4MYCQO6MZOY43KTL2A,client] C<-S LDAPMessage(id=21, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value=b’ldap://CITELABS.net/CN=Configuration,DC=CITELABS,DC=net’)]), controls=None)
2023-03-25T19:14:10.898258-0700 [L■■■■■■■■■■■■■■■■■■■■,RI4MYCQO6MZOY43KTL2A,client] C<-S LDAPMessage(id=21, value=LDAPSearchResultDone(resultCode=0), controls=[(b’1.2.840.113556.1.4.319’, None, b’0\x84\x00\x00\x00\x05\x02\x01\x00\x04\x00’)])
So we can see the proxy making an LDAP search request to your AD for a user with the mail attribute of rkgraves@thefam.info.
We can see your DC searching successfully and essentially not finding anything, even though the search is a success with a result code 0.
This tells me that most likely you do not have a user in AD with the mail value above.
Please ensure a user exists in AD with that email.
Please let me know if this helps.
Have a great day!
Kind regards,
Raphael
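Added example, not part of the original posts and not Duo's code: a small Python check for the pattern described in the reply above, a search that ends with resultCode=0 although the server returned no entries. The sample log lines are constructed and shortened from the format shown in the thread; the `LDAPSearchResultEntry` and `LDAPSearchResultReference` message names are assumptions, since the pasted log contains no entry line and its reference lines are partly masked.

```python
import re

# Constructed sample in the debug-log format quoted in this thread.
SAMPLE_LOG = """\
2023-03-25T19:14:10-0700 [conn,ID1,client] C->S LDAPMessage(id=21, value=LDAPSearchRequest(baseObject='DC=example,DC=net', scope=2, filter=LDAPFilter_equalityMatch(assertionValue=LDAPAssertionValue(value='nobody@example.net'))))
2023-03-25T19:14:10-0700 [duoauthproxy.lib.log#info] Got signature length 16
2023-03-25T19:14:10-0700 [conn,ID1,client] C<-S LDAPMessage(id=21, value=LDAPSearchResultReference(uris=[]), controls=None)
2023-03-25T19:14:10-0700 [conn,ID1,client] C<-S LDAPMessage(id=21, value=LDAPSearchResultDone(resultCode=0), controls=None)
2023-03-25T19:14:11-0700 [conn,ID1,client] C->S LDAPMessage(id=22, value=LDAPSearchRequest(baseObject='DC=example,DC=net', scope=2, filter=LDAPFilter_equalityMatch(assertionValue=LDAPAssertionValue(value='alice@example.net'))))
2023-03-25T19:14:11-0700 [conn,ID1,client] C<-S LDAPMessage(id=22, value=LDAPSearchResultEntry(objectName='CN=Alice,DC=example,DC=net', attributes=[]), controls=None)
2023-03-25T19:14:11-0700 [conn,ID1,client] C<-S LDAPMessage(id=22, value=LDAPSearchResultDone(resultCode=0), controls=None)
"""

LINE = re.compile(r"\[([^\]]+)\] (C->S|C<-S) LDAPMessage\(id=(\d+), value=([^\s(]+)\(")
# First asserted value in the filter; accepts straight or forum-mangled curly quotes.
ASSERTED = re.compile(
    r"assertionValue=LDAPAssertionValue\(value=['\u2018\u2019]([^'\u2018\u2019]*)")
RESULT = re.compile(r"resultCode=(\d+)")

def empty_successful_searches(log_text):
    """Return (message id, searched value) for each search that finished with
    resultCode=0 while the server sent no result entries for it."""
    pending, flagged = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an LDAPMessage line, e.g. "Got signature length 16"
        conn, direction, kind = m.group(1), m.group(2), m.group(4)
        msg_id = int(m.group(3))
        key = (conn, msg_id)  # message ids are only unique per connection
        if direction == "C->S" and kind == "LDAPSearchRequest":
            a = ASSERTED.search(line)
            pending[key] = [a.group(1) if a else None, 0]
        elif direction == "C<-S" and key in pending:
            if kind == "LDAPSearchResultEntry":
                pending[key][1] += 1  # a real object came back
            elif kind == "LDAPSearchResultDone":
                value, entries = pending.pop(key)
                code = RESULT.search(line)
                if code and int(code.group(1)) == 0 and entries == 0:
                    flagged.append((msg_id, value))
    return flagged

if __name__ == "__main__":
    for msg_id, value in empty_successful_searches(SAMPLE_LOG):
        print(f"id={msg_id}: search for {value!r} succeeded but matched no entry")
```

Referral responses are not counted as entries, so a search answered only with referrals and a resultCode=0 is reported as empty.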