LDAP back-end authentication setup issues
  • 30 Dec 2024


Description

When using Microsoft Active Directory back-end authentication, issues can occur in the following cases:

  • The configuration involves network address translation (NAT) between OneSpan Authentication Server Appliance and the domain controller(s).
  • The Active Directory DNS server is not used, i.e. an alternative DNS server is configured in the OneSpan Authentication Server Appliance Configuration Tool.

Possible cause

SASL DIGEST-MD5 authentication with SPN verification

These issues relate to the SASL Digest-MD5 LDAP authentication mechanism used by OneSpan Authentication Server Appliance and a Microsoft security concept called service principal name (SPN). Authentication with SASL Digest-MD5 is only allowed when the digest-uri parameter contains a string that is also defined as SPN on the Active Directory server.

OneSpan Authentication Server Appliance automatically sets the digest-uri parameter by performing a DNS reverse lookup of the IP address used to contact the domain controller.

In the following example, the back-end server record points to the domain controller at 192.0.2.21.

The DNS server used by OneSpan Authentication Server Appliance contains the following information:

  • An 'A' record: dc1.mydomain.com resolves to 192.0.2.21.
  • A 'PTR' record: 21.2.0.192.in-addr.arpa resolves to dc1.mydomain.com.

The following steps for an authentication occur:

  1. OneSpan Authentication Server Appliance retrieves information from the back-end record and opens an LDAP connection to the domain controller.
  2. OneSpan Authentication Server Appliance performs a reverse DNS lookup for 192.0.2.21 (DNS request for 21.2.0.192.in-addr.arpa) and receives dc1.mydomain.com.
  3. OneSpan Authentication Server Appliance sends digest-uri dc1.mydomain.com along with other authentication settings to the Active Directory using the open LDAP connection.
  4. The domain controller verifies that the digest-uri parameter exists as an SPN. If it does, the authentication proceeds and credentials are verified.

Solutions

Both issues can be solved by ensuring that the result returned by a reverse DNS lookup of the IP address, which is used by OneSpan Authentication Server Appliance to connect to the domain controller, exists as an SPN on the domain controller. This can be achieved by configuring a 'PTR' record in the DNS server used by OneSpan Authentication Server Appliance (see example).
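The following added example (not OneSpan's code) reproduces steps 2 to 4 above and the PTR-record fix offline: it performs the reverse lookup against a constructed PTR table, builds the DIGEST-MD5 digest-uri, and checks the resulting host against a constructed SPN list of the kind `setspn -L` would print. It assumes the RFC 2831 digest-uri form `ldap/<host>` and that the domain controller matches on the host component of its SPNs; the IP addresses, hostnames and SPNs are sample values.

```python
import socket
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed SPN list, as it might appear in `setspn -L <dc>` output (sample values).
SAMPLE_SPNS = [
    "ldap/dc1.mydomain.com",
    "ldap/dc1.mydomain.com/mydomain.com",
    "ldap/dc1",
    "HOST/dc1.mydomain.com",
]

# Constructed PTR table standing in for the DNS server the appliance uses.
SAMPLE_PTR = {
    "192.0.2.21": "dc1.mydomain.com",     # correct PTR record for the DC
    "198.51.100.5": "nat-gw.example.net",  # NAT address whose PTR names the gateway, not the DC
    # 203.0.113.9 intentionally has no PTR record (alternative DNS without the zone)
}

def reverse_lookup(ip: str, resolver: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Step 2: return the PTR name for ip, or None if the lookup fails.
    resolver is an offline stand-in; when omitted the real DNS is queried."""
    if resolver is not None:
        return resolver.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def build_digest_uri(hostname: str) -> str:
    """Step 3: RFC 2831 digest-uri is serv-type "/" host (assumed format)."""
    return f"ldap/{hostname}"

def spn_hosts(spns: Iterable[str]) -> Set[str]:
    """Host component (text after the first '/') of each SPN, lower-cased."""
    hosts = set()
    for spn in spns:
        parts = spn.split("/")
        if len(parts) >= 2 and parts[1]:
            hosts.add(parts[1].lower())
    return hosts

def check_digest_uri(ip: str, spns: Iterable[str],
                     resolver: Optional[Dict[str, str]] = None) -> Tuple[bool, Optional[str], str]:
    """Step 4 as the DC would apply it: (accepted, digest_uri, reason)."""
    name = reverse_lookup(ip, resolver)
    if name is None:
        return False, None, f"no PTR record for {ip}; digest-uri cannot be built"
    uri = build_digest_uri(name)
    if name.lower() in spn_hosts(spns):
        return True, uri, "digest-uri host is registered as an SPN on the domain controller"
    return False, uri, f"{name} is not an SPN host; add a PTR record for {ip} pointing at the DC's SPN host"
```

Running `check_digest_uri` against each address in the PTR table shows the working case, the NAT case (PTR names the wrong host) and the missing-PTR case side by side.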

For more information about configuring these settings, refer to the documentation of your DNS server.

To verify the SPNs registered on your Active Directory server, use the setspn.exe command:

setspn -L \windows_server_hostname
