Gateway Server getting LDAP bind failed

EricR1
Level 1

I am installing the Gateway Access server on a Win2019 server in a DMZ for an AnyConnect deployment. I have communication from the Duo server to the Domain controller. I created a new user account for the Duo software and tried setting the Active Directory connector in Duo to the Domain controller, but I keep getting “LDAP bind Failed” when I save the settings. The Domain Controller is SBS2011. I was able to find the attributes of the user account I created and enter the settings into the Duo software. I have used the distinguishedName attribute and the sAMAccountName, but I am still getting the LDAP error. I am using Source Type - AD with Clear transport type. What am I missing or overlooking?

4 Replies

DuoKristina
Cisco Employee

Why not enable debug output and check the DAG log?

Please don’t post sensitive information from your debug log here.

Duo, not DUO.

EricR1
Level 1

I enabled the Debug and got the following:

Jan 13 17:09:08 simplesamlphp DEBUG [NA] Binded session success. The user’s IP address and User Agent has not changed since last login.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Binded session success. The user’s IP address and User Agent has not changed since last login.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Session: Valid session found with ‘admin’.
Jan 13 17:09:08 simplesamlphp INFO [2bfa1e4021] Settings changed for authentication source: duo_ad. Updated settings: array (
0 => ‘ldap:LDAP’,
‘port’ => 389,
‘enable_tls’ => false,
‘hostname’ => ‘ldap://Domain Controller’,
‘attributes’ =>
array (
0 => ‘distinguishedName’,
1 => ‘sAMAccountname’,
2 => ‘userPrincipalName’,
),
‘search.enable’ => true,
‘search.base’ =>
array (
0 => ‘CN=Users,DC=DomainName,DC=local’,
),
‘search.attributes’ =>
array (
0 => ‘sAMAccountname’,
),
‘search.username’ => ‘DomainName\duoldap’,
‘search.password’ => ‘*****’,
‘referrals’ => false,
)
Jan 13 17:09:08 simplesamlphp DEBUG [NA] Binded session success. The user’s IP address and User Agent has not changed since last login.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Binded session success. The user’s IP address and User Agent has not changed since last login.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Session: Valid session found with ‘admin’.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Session: Valid session found with ‘admin’.
Jan 13 17:09:08 simplesamlphp ERROR [2bfa1e4021] SimpleSAML_Error_Exception: Error 2 - ldap_bind(): Unable to bind to server: Invalid credentials|Backtrace:|9 C:\inetpub\wwwroot\dag\www_include.php:87 (SimpleSAML_error_handler)|8 [builtin] (ldap_bind)|7 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Auth\LDAP.php:807 (SimpleSAML_Auth_LDAP::ldap_bind_test)|6 C:\inetpub\wwwroot\dag\modules\duosecurity\www\admin\duo_ad.php:99 (include)|5 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Module.php:210 (SimpleSAML_Module::{closure})|4 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Module.php:211 (SimpleSAML_Module::includeModuleFile)|3 C:\inetpub\wwwroot\dag\modules\duosecurity\templates\admin\duo_authsource.tpl.php:62 (require)|2 C:\inetpub\wwwroot\dag\lib\SimpleSAML\XHTML\Template.php:581 (SimpleSAML_XHTML_Template::show)|1 C:\inetpub\wwwroot\dag\modules\duosecurity\www\admin\duo_authsource.php:50 (require)|0 C:\inetpub\wwwroot\dag\www\module.php:140 (N/A)
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Error detected at shutdown: E_WARNING: ldap_bind(): Unable to bind to server: Invalid credentials in C:\inetpub\wwwroot\dag\lib\SimpleSAML\Auth\LDAP.php on line 807

That output indicates failure to BIND with the supplied credentials. Verify that your Attributes and Search Attributes are correct, and that the service account username and password are also correct. Do you see the LDAP BIND attempt hit your configured domain controller host, and does the security event also indicate invalid credentials?

Duo, not DUO.

EricR1
Level 1

Turns out I was using the wrong attribute and user setting. When I changed the LDAP user to user@domain.loca, the LDAP connected to the AD server.
Thanks for your help.
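The check DuoKristina suggests (confirm the service account can actually bind, and correlate the attempt with the DC's security log) can be run from the DAG host itself before touching the Duo settings. This is an added PowerShell example, not code from the thread or from Duo; the server name, domain, account name and DN are placeholders you substitute, and the "data NNN" sub-codes are the ones Active Directory appends to an "Invalid credentials" bind error.

```powershell
# Added example: attempt an LDAP simple bind (DAG's "Clear" transport) with the service
# account in the three identity formats AD accepts, and decode AD's bind sub-error.
# Placeholders (assumed, replace with your own): $DomainController, $Domain, $SamAccount, $UserDn.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DomainController = 'dc01.domainname.local'          # plain hostname, no ldap:// prefix
$Domain           = 'DomainName'
$SamAccount       = 'duoldap'
$UserDn           = 'CN=duoldap,CN=Users,DC=DomainName,DC=local'
$Password         = Read-Host -Prompt 'Service account password' -AsSecureString
$Plain            = [System.Net.NetworkCredential]::new('', $Password).Password

# AD returns the real cause in the "data NNN" field of an LDAP result code 49 (invalidCredentials).
$SubErrors = @{
    '525' = 'user not found'; '52e' = 'invalid password'; '530' = 'logon time restriction'
    '531' = 'workstation restriction'; '532' = 'password expired'; '533' = 'account disabled'
    '701' = 'account expired'; '773' = 'must change password'; '775' = 'account locked out'
}

function Test-LdapSimpleBind {
    param([string]$Server, [string]$UserName, [string]$Secret)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as DAG "Clear" does
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        # Port 389 without TLS sends the password in the clear; use LDAPS/StartTLS once the bind works.
        $conn.Bind([System.Net.NetworkCredential]::new($UserName, $Secret))
        return "OK     $UserName"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        $detail = ''
        if ($_.Exception.ServerErrorMessage -match 'data ([0-9a-f]+)') {
            $detail = $SubErrors[$Matches[1]]
            if (-not $detail) { $detail = "data $($Matches[1])" }
        }
        return "FAIL   $UserName : code $($_.Exception.ErrorCode) $detail"
    } finally {
        $conn.Dispose()
    }
}

# The UPN form is what resolved this thread; testing all three makes the failing format obvious
# and gives one bind attempt per line to match against the DC's security event log.
@("$SamAccount@$Domain.local", "$Domain\$SamAccount", $UserDn) |
    ForEach-Object { Test-LdapSimpleBind -Server $DomainController -UserName $_ -Secret $Plain }
```

A "525" (user not found) against the DN or DOMAIN\user form while the UPN form binds points at an identity-format problem rather than a wrong password, which is the distinction the DAG log's bare "Invalid credentials" does not make.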
