01-10-2020 02:21 PM
I am installing the Gateway Access server on a Win2019 server in a DMZ for an AnyConnect deployment. I have communication from the Duo server to the Domain controller. I created a new user account for the Duo software and tried setting the Active Directory connector in Duo to the Domain controller, but I keep getting "LDAP bind Failed" when I save the settings. The Domain Controller is SBS2011. I was able to find the attributes of the user account I created and enter the settings into the Duo software. I have used the distinguishedName attribute and the sAMAccountName, but am still getting the LDAP error. I am using Source Type - AD with Clear transport type. What am I missing or overlooking?
01-13-2020 07:10 AM
Why not enable debug output and check the DAG log?
Please don’t post sensitive information from your debug log here.
01-13-2020 09:13 AM
I enabled the Debug and got the following:
Jan 13 17:09:08 simplesamlphp DEBUG [NA] Binded session success. The user's IP address and User Agent has not changed since last login.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Binded session success. The user's IP address and User Agent has not changed since last login.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Session: Valid session found with 'admin'.
Jan 13 17:09:08 simplesamlphp INFO [2bfa1e4021] Settings changed for authentication source: duo_ad. Updated settings: array (
0 => 'ldap:LDAP',
'port' => 389,
'enable_tls' => false,
'hostname' => 'ldap://Domain Controller',
'attributes' =>
array (
0 => 'distinguishedName',
1 => 'sAMAccountname',
2 => 'userPrincipalName',
),
'search.enable' => true,
'search.base' =>
array (
0 => 'CN=Users,DC=DomainName,DC=local',
),
'search.attributes' =>
array (
0 => 'sAMAccountname',
),
'search.username' => 'DomainName\duoldap',
'search.password' => '*****',
'referrals' => false,
)
Jan 13 17:09:08 simplesamlphp DEBUG [NA] Binded session success. The user's IP address and User Agent has not changed since last login.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Binded session success. The user's IP address and User Agent has not changed since last login.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Session: Valid session found with 'admin'.
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Session: Valid session found with 'admin'.
Jan 13 17:09:08 simplesamlphp ERROR [2bfa1e4021] SimpleSAML_Error_Exception: Error 2 - ldap_bind(): Unable to bind to server: Invalid credentials|Backtrace:|9 C:\inetpub\wwwroot\dag\www_include.php:87 (SimpleSAML_error_handler)|8 [builtin] (ldap_bind)|7 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Auth\LDAP.php:807 (SimpleSAML_Auth_LDAP::ldap_bind_test)|6 C:\inetpub\wwwroot\dag\modules\duosecurity\www\admin\duo_ad.php:99 (include)|5 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Module.php:210 (SimpleSAML_Module::{closure})|4 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Module.php:211 (SimpleSAML_Module::includeModuleFile)|3 C:\inetpub\wwwroot\dag\modules\duosecurity\templates\admin\duo_authsource.tpl.php:62 (require)|2 C:\inetpub\wwwroot\dag\lib\SimpleSAML\XHTML\Template.php:581 (SimpleSAML_XHTML_Template::show)|1 C:\inetpub\wwwroot\dag\modules\duosecurity\www\admin\duo_authsource.php:50 (require)|0 C:\inetpub\wwwroot\dag\www\module.php:140 (N/A)
Jan 13 17:09:08 simplesamlphp DEBUG [2bfa1e4021] Error detected at shutdown: E_WARNING: ldap_bind(): Unable to bind to server: Invalid credentials in C:\inetpub\wwwroot\dag\lib\SimpleSAML\Auth\LDAP.php on line 807
01-14-2020 03:04 PM
That output indicates failure to BIND with the supplied credentials. Verify that your Attributes and Search Attributes are correct, and that the service account username and password are also correct. Do you see the LDAP BIND attempt hit your configured domain controller host, and does the security event also indicate invalid credentials?
01-16-2020 06:56 AM
Turns out I was using the wrong attribute and user setting. When I changed the LDAP user to user@domain.loca, the LDAP connected to the AD server.
Thanks for your help.
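The two checks suggested in the 01-14 reply (does the bind succeed with the credentials as entered, and does the DC's security log show the attempt) can be reproduced outside the DAG admin page, which makes it easy to compare the username forms the thread went through (distinguishedName, DOMAIN\sAMAccountName, UPN). The script below is an added example written for this page; it is not from the thread or from Duo. It performs the same LDAPv3 simple bind that PHP's ldap_bind() does, on port 389 without TLS to match the posted config, and then pulls recent failed-logon events for the account from the DC. The DC host name, the account's DN, the NetBIOS domain and the UPN suffix are placeholders; the assumption that simple-bind failures surface as Event ID 4625 is noted in the code and should be confirmed against your own audit output.

```powershell
# Added example (not from the thread or from Duo): test the LDAP simple bind the
# Duo Access Gateway performs, once per username form, and report the result.
# Run from the DAG host so the test crosses the same DMZ firewall path.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcHost = 'dc01.domainname.local'   # placeholder: your domain controller's FQDN
$port   = 389                        # matches the posted config ('enable_tls' => false)

# Prompt so the password never sits in a script or shell history.
$secure = Read-Host -AsSecureString -Prompt 'Service account password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Username forms tried in the thread. AD accepts a full DN, DOMAIN\sAMAccountName
# or a UPN for simple bind; a bare sAMAccountName or an attribute name is refused
# with "Invalid credentials". All three values below are placeholders.
$candidates = @(
    'CN=duoldap,CN=Users,DC=DomainName,DC=local',   # distinguishedName of the account
    'DomainName\duoldap',                           # NetBIOS domain \ sAMAccountName
    'duoldap@domainname.local'                      # userPrincipalName (the form that worked)
)

function Test-LdapSimpleBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    # AuthType.Basic = LDAP simple bind, the same operation as PHP's ldap_bind().
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($User, $Password)))
        [pscustomobject]@{ User = $User; Result = 'bind OK' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # "The supplied credential is invalid." corresponds to the DAG's
        # "Unable to bind to server: Invalid credentials".
        [pscustomobject]@{ User = $User; Result = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$started = Get-Date
foreach ($u in $candidates) {
    Test-LdapSimpleBind -Server $dcHost -Port $port -User $u -Password $plain
}

# Second check from the reply: did the bind reach the DC, and what did it log?
# Assumption to verify on your own DC: failed simple binds are recorded as
# Event ID 4625 (failed logon); only events since the test started are shown.
# Requires rights to read the DC's Security log remotely.
Get-WinEvent -ComputerName $dcHost -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $started
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'duoldap' } |
    Select-Object TimeCreated,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Two things the result tells you. If exactly one candidate returns "bind OK", the fix is the identity format, as in the thread, not the password or firewall. If none succeed but the DC shows matching 4625 events, the path is open and the credentials themselves are wrong; if no events appear at all, the bind is not reaching that DC (hostname, port or firewall). Note that with 'enable_tls' => false the service account password crosses the DMZ-to-DC link in cleartext on every bind, and this test does the same; once the bind works, move the connector to LDAPS (636) or StartTLS so that stops being true.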