Solved

Microsoft AD Ldap question

Posted on 2013-06-18
478 Views
Last Modified: 2013-07-22
Hi, we have a VPN that is using LDAP to authenticate users, but it won't work. We put our VPN users in a security group "g-web-vpn" but it won't authenticate. We notice that when I do an LDAP query for the group attributes it has no "memberof" attribute. Is this what could be breaking it? Is this something to add in the AD schema or somewhere? We are using Cisco Webex VPN and mixed Windows 2003\2008 servers. Thanks.
0
Comment
Question by:Thomas N
8 Comments
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 39256898
I am guessing you just mean WebVPN, not WebEx? There is a process in integrating with LDAP. Have you configured all of these settings?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39256902
Member/memberOf (backlink) are related.

Member is for groups, and user objects use memberOf. Florian has a good blog entry on it here:

http://www.frickelsoft.net/blog/?p=130

Thanks

Mike
0
 
LVL 5

Expert Comment

by:MisterTwelve
ID: 39257067
0

Author Comment

by:Thomas N
ID: 39257070
Sorry if I missed something, but is there somewhere in AD I can make sure that the memberOf can be queried? I read the article but I don't see where this helps me. I just need to make sure that the Cisco WebVPN can query the memberOf groups on my Active Directory. The ASA debug logs show that this attribute is not showing up.
0
 

Author Comment

by:Thomas N
ID: 39257084
----test account-----
[75840] Session Start
[75840] New request Session, context 0x00007ffe54aae250, reqType = Authentication
[75840] Fiber started
[75840] Creating LDAP context with uri=ldap://x.x.40.198:389
[75840] Connect to LDAP server: ldap://x.x.40.198:389, status = Successful
[75840] supportedLDAPVersion: value = 3
[75840] supportedLDAPVersion: value = 2
[75840] Binding as ASA Teleworker
[75840] Performing Simple authentication for ASA Teleworker to x.x.40.198
[75840] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=txaccess, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75840] User DN = [CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=x,DC=net]
[75840] Talking to Active Directory server x.x.40.198
[75840] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840] Binding as vpn.test
[75840] Performing Simple authentication for vpn.test to 165.184.40.198
[75840] Processing LDAP response for user vpn.test
[75840] Message (vpn.test):
[75840] Checking password policy
[75840] Authentication successful for vpn.test to x.x.40.198
[75840] now: Fri, 14 Jun 2013 14:17:43 GMT, lastset: Sun, 29 Nov 2076 08:54:34 GMT, delta=-2002646211, maxage=1244316288 secs
[75840] expire in: -126903176 secs, 48241 days
[75840] Retrieved User Attributes:
[75840]         objectClass: value = top
[75840]         objectClass: value = person
[75840]         objectClass: value = organizationalPerson
[75840]         objectClass: value = user
[75840]         cn: value = VPN Test
[75840]         sn: value = Test
[75840]         description: value = Account used to test T VPN
[75840]         givenName: value = VPN
[75840]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75840]         displayName: value = VPN Test
[75840]         name: value = VPN Test
[75840]         objectGUID: value = .. ..FqC..}5WQ..
[75840]         codePage: value = 0
[75840]         countryCode: value = 0
[75840]         primaryGroupID: value = 513
[75840]         objectSid: value = ..............vt..s?..q5....
[75840]         sAMAccountName: value = vpn.test
[75840]         sAMAccountType: value = 805306368
[75840]         userPrincipalName: value = vpn.test@.net
[75840]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75840] Fiber exit Tx=736 bytes Rx=1790 bytes, status=1
[75840] Session End

[75841] Session Start
[75841] New request Session, context 0x00007ffe54aae250, reqType = Other
[75841] Fiber started
[75841] Creating LDAP context with uri=ldap://..40.198:389
[75841] Connect to LDAP server: ldap://.1.40.198:389, status = Successful
[75841] supportedLDAPVersion: value = 3
[75841] supportedLDAPVersion: value = 2
[75841] Binding as ASA Teleworker
[75841] Performing Simple authentication for ASA Teleworker to 165.184.40.198
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] User DN = [CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net]
[75841] Talking to Active Directory server ..40.198
[75841] Reading password policy for vpn.test, dn:CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=t,DC=net
[75841] LDAP Search:
        Base DN = [ou=Users, ou=Resources, dc=t, dc=net]
        Filter  = [sAMAccountName=vpn.test]
        Scope   = [SUBTREE]
[75841] Retrieved User Attributes:
[75841]         objectClass: value = top
[75841]         objectClass: value = person
[75841]         objectClass: value = organizationalPerson
[75841]         objectClass: value = user
[75841]         cn: value = VPN Test
[75841]         sn: value = Test
[75841]         description: value = Account used to test T VPN
[75841]         givenName: value = VPN
[75841]         distinguishedName: value = CN=VPN Test,OU=Test Accounts,OU=Users,OU=Resources,DC=tx,DC=net
[75841]         displayName: value = VPN Test
[75841]         name: value = VPN Test
[75841]         objectGUID: value = .. ..FqC..}5WQ..
[75841]         codePage: value = 0
[75841]         countryCode: value = 0
[75841]         primaryGroupID: value = 513
[75841]         objectSid: value = ..............vt..s?..q5....
[75841]         sAMAccountName: value = vpn.test
[75841]         sAMAccountType: value = 805306368
[75841]         userPrincipalName: value = vpn.test@ts.net
[75841]         objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=t,DC=net
[75841] Fiber exit Tx=741 bytes Rx=2646 bytes, status=1
0
 

Author Comment

by:Thomas N
ID: 39257085
Here are the ASA logs, and there is no attribute for memberOf pulling up.
0
 

Author Comment

by:Thomas N
ID: 39257235
Basically the Cisco VPN is not pulling the "memberOf" information from our AD LDAP, so it's not reading the security groups. Is there something in AD I need to check or turn on to do this?
0
 
LVL 32

Accepted Solution

by: Rodney Barnhardt (earned 2000 total points)
ID: 39259991
"Note: The memberOf attribute corresponds to the group that the user is a part of in the Active Directory. It is possible for a user to be a member of more than one group in the Active Directory. This causes multiple memberOf attributes to be sent by the server, but the ASA can only match one attribute to one group policy."

You probably need to create the mapping, since your users are more than likely members of various groups. From looking at the log you attached, I did not see any "member of" reference.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
0
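Two things in this thread are worth checking mechanically: whether the ASA's "Retrieved User Attributes" block actually contains any memberOf values (the debug log posted above has none), and what a one-attribute-to-one-policy map of the kind the accepted answer describes would do with the values it does get. The script below is an added example, not code from the thread, from Cisco, or from Microsoft. It parses a constructed log excerpt modelled on the posted ASA debug output, reports each session's direct group memberships and primary group, and resolves the memberOf list against a hypothetical group-DN-to-policy table (the same shape as the `map-value memberOf <group DN> <policy>` lines of an ASA LDAP attribute map). The `GROUP_POLICY_MAP`, `NO_ACCESS_POLICY` and the "first mapped value wins" rule are assumptions of the simulation; the session ids, user names and group DNs are made up. One caveat the check builds in: AD never lists the primary group (primaryGroupID 513 is Domain Users) in memberOf, so an account whose only group is its primary group legitimately returns no memberOf at all.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the ASA debug output posted in this
# thread: session 75840 mirrors the posted test account (no memberOf, primary
# group 513); session 99999 is an invented user with two group memberships.
SAMPLE_LOG = """\
[75840] Session Start
[75840] Binding as vpn.test
[75840] Authentication successful for vpn.test to x.x.40.198
[75840] Retrieved User Attributes:
[75840]         objectClass: value = user
[75840]         cn: value = VPN Test
[75840]         primaryGroupID: value = 513
[75840]         sAMAccountName: value = vpn.test
[75840] Fiber exit Tx=736 bytes Rx=1790 bytes, status=1
[75840] Session End
[99999] Session Start
[99999] Retrieved User Attributes:
[99999]         cn: value = Other User
[99999]         memberOf: value = CN=Staff,OU=Groups,DC=example,DC=net
[99999]         memberOf: value = CN=g-web-vpn,OU=Groups,DC=example,DC=net
[99999]         primaryGroupID: value = 513
[99999]         sAMAccountName: value = other.user
[99999] Session End
"""

# Hypothetical attribute map (assumption): group DN -> group policy name,
# the same shape as an ASA "map-value memberOf <group DN> <policy>" line.
GROUP_POLICY_MAP = {
    "CN=g-web-vpn,OU=Groups,DC=example,DC=net": "VPN-Users-Policy",
}
NO_ACCESS_POLICY = "NoAccess"  # assumed default for users with no mapped group

ATTR_START = re.compile(r"^\[(\d+)\] Retrieved User Attributes:")
ATTR_LINE = re.compile(r"^\[(\d+)\]\s+(\w+): value = (.*)$")


def parse_retrieved_attributes(log_text):
    """Collect each session's 'Retrieved User Attributes' block into
    {session_id: {attribute: [values]}}; multi-valued attributes such as
    memberOf keep every value in the order the server returned them."""
    sessions = {}
    current = None
    for line in log_text.splitlines():
        start = ATTR_START.match(line)
        if start:
            current = start.group(1)
            sessions[current] = defaultdict(list)
            continue
        if current is None:
            continue
        attr = ATTR_LINE.match(line)
        if attr and attr.group(1) == current:
            sessions[current][attr.group(2)].append(attr.group(3).strip())
        else:
            current = None  # any non-attribute line ends the block


    return sessions


def rdn_value(dn):
    """Leading RDN value of a DN, lower-cased: 'g-web-vpn' from 'CN=g-web-vpn,OU=...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip().lower() if "=" in first else first.lower()


def group_report(log_text):
    """Per session: user, direct group names from memberOf, primary group RID,
    and a flag for the case the poster hit (no memberOf returned at all)."""
    report = {}
    for sid, attrs in parse_retrieved_attributes(log_text).items():
        member_of = attrs.get("memberOf", [])
        report[sid] = {
            "user": attrs.get("sAMAccountName", ["<unknown>"])[0],
            "groups": [rdn_value(dn) for dn in member_of],
            "memberOf_dns": member_of,
            "primaryGroupID": attrs.get("primaryGroupID", [None])[0],
            # memberOf never lists the primary group, so an account whose only
            # group is Domain Users (RID 513) legitimately has no memberOf.
            "no_memberof": not member_of,
        }
    return report


def resolve_group_policy(member_of_dns, policy_map=GROUP_POLICY_MAP):
    """Mimic a one-attribute-to-one-policy map: the first memberOf value (in
    server order) that has a mapping wins; anything else falls to the no-access
    default. DN comparison is case-insensitive. The ordering rule is this
    simulation's assumption, not a statement about any particular ASA release."""
    normalized = {dn.lower(): policy for dn, policy in policy_map.items()}
    for dn in member_of_dns:
        policy = normalized.get(dn.lower())
        if policy:
            return policy
    return NO_ACCESS_POLICY


if __name__ == "__main__":
    for sid, entry in group_report(SAMPLE_LOG).items():
        policy = resolve_group_policy(entry["memberOf_dns"])
        print(f"session {sid}: {entry['user']} groups={entry['groups']} "
              f"primaryGroupID={entry['primaryGroupID']} policy={policy}")
```

Run against the real debug output, a session that reports `no_memberof` for a user you expect to be in g-web-vpn means the directory returned no direct group membership for that account under the bind the ASA used, which is a directory-side question (is the user really a direct member, and can the bind account read the attribute) rather than an attribute-map question; a session whose memberOf values resolve to `NoAccess` means the map has no entry for any of that user's groups. Defaulting unmapped users to a deny policy is the safer design for the map, since the alternative is that every authenticated domain user inherits whatever the default group policy allows.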
