ad_client sspi auth_type unable to bind

sanello
Level 1

Hello,
I am attempting to configure our ad_client parameters using SSPI as outlined in the articles below.
https://help.duo.com/s/article/6880
Authentication Proxy Reference - Duo | Duo Security
However, I am receiving the error below.

[info]  -----------------------------
[info]  Testing section 'ad_client' with configuration:
[info]  {'auth_type': 'sspi',
	 'host': 'DC01.ad.contoso.com',
	 'host_2': 'DC02.ad.contoso.com',
	 'search_dn': 'DC=ad,DC=contoso,DC=com',
	 'security_group_dn': 'CN=Access - VPN,OU=Contoso Security '
	                      'Groups,DC=ad,DC=contoso,DC=com'}
[warn]  The LDAP Client section has connectivity problems.
[warn]  The LDAP host clear connection to DC01.ad.contoso.com:389 has connectivity problems.
[info]  The Auth Proxy was able to establish a connection to DC01.ad.contoso.com:389.
[info]  The Auth Proxy was able to establish an LDAP connection to DC01.ad.contoso.com:389.
[error] The Auth Proxy was unable to bind as .
[error] Please ensure that the provided service account credentials are correct.
[debug] Exception: invalidCredentials: 8009030C: LdapErr: DSID-0C0906AE, comment: AcceptSecurityContext error, data 775, v4f7c

The proxies are running on domain joined Windows Server 2022. Service running as local system. Firewall on DC01 disabled for testing. 

I do not have this issue when running the proxy with this configuration on the domain controller itself. I have verified that the SPNs ldap/DC01.ad.contoso.com and ldap/DC02.ad.fusco.com exist.

Any guidance would be greatly appreciated!
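A small decoder for the bind failure in the log above, added here as an example (it is not Duo Authentication Proxy code and not from the post): it pulls the SSPI status and the Active Directory `data` sub-code out of the `invalidCredentials` diagnostic line and maps them to their standard meanings. The sample excerpt is the three error/debug lines from the post; the "next check" text is my own suggestion, not Duo's.

```python
"""Decode a Duo Authentication Proxy LDAP bind failure into the AD reason.

Added example; not code from the Duo Authentication Proxy or from the post.
AD appends the Win32 logon failure code, in hex, as "data <code>" to the
diagnostic message of a failed bind (LDAP result 49, invalidCredentials);
the 8-hex-digit value before "LdapErr" is the SSPI SECURITY_STATUS.
"""
import re
from typing import NamedTuple, Optional

# Standard Active Directory logon-failure sub-codes (hex, as AD prints them).
AD_BIND_DATA_CODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (bad password)",
    0x530: "logon not permitted at this time of day",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must change password at next logon",
    0x775: "account locked out",
}

# SSPI status values seen in front of "LdapErr".
SEC_STATUS = {
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090308: "SEC_E_INVALID_TOKEN",
}

_BIND_AS_RE = re.compile(r"unable to bind as\s*(.*?)\.\s*$", re.MULTILINE)
_DIAG_RE = re.compile(
    r"invalidCredentials:\s*([0-9A-Fa-f]{8}):.*?\bdata\s+([0-9A-Fa-f]+)", re.DOTALL
)


class BindFailure(NamedTuple):
    bind_as: Optional[str]      # name the proxy tried to bind as ("" = none given)
    sec_status: Optional[int]   # SSPI SECURITY_STATUS, e.g. 0x8009030C
    data_code: Optional[int]    # AD logon-failure sub-code, e.g. 0x775
    reason: str                 # decoded meaning of data_code


def decode_bind_failure(log_excerpt: str) -> BindFailure:
    """Extract the bind identity and the AD failure code from a proxy log excerpt."""
    bind_m = _BIND_AS_RE.search(log_excerpt)
    diag_m = _DIAG_RE.search(log_excerpt)
    bind_as = bind_m.group(1).strip() if bind_m else None
    sec_status = int(diag_m.group(1), 16) if diag_m else None
    data_code = int(diag_m.group(2), 16) if diag_m else None
    if data_code is None:
        reason = "no AcceptSecurityContext data code found"
    else:
        reason = AD_BIND_DATA_CODES.get(data_code, "unrecognised data code")
    return BindFailure(bind_as, sec_status, data_code, reason)


def next_check(failure: BindFailure) -> str:
    """Suggested next step (my own heuristic, not Duo guidance)."""
    if failure.data_code == 0x775:
        who = failure.bind_as or "the identity of the process that performed the bind"
        return (f"Account locked out: look for 4740 (lockout) and 4625 (failed logon) "
                f"events on the DC for {who}. An empty bind name means the identity "
                f"came from the process token (SSPI), not from the config file.")
    if failure.data_code == 0x52E:
        return "Bad password: check service_account_password, or the process identity under SSPI."
    return f"Decode: {failure.reason}"


# The three error/debug lines copied from the post above.
SAMPLE_LOG = """\
[error] The Auth Proxy was unable to bind as .
[error] Please ensure that the provided service account credentials are correct.
[debug] Exception: invalidCredentials: 8009030C: LdapErr: DSID-0C0906AE, comment: AcceptSecurityContext error, data 775, v4f7c
"""

if __name__ == "__main__":
    f = decode_bind_failure(SAMPLE_LOG)
    print(f, SEC_STATUS.get(f.sec_status), next_check(f), sep="\n")
```

The empty bind name together with `data 775` is the combination worth noticing: the proxy did not supply a username (expected with `auth_type = sspi`), so the account that is locked out is whatever identity the proxy process was running under when it bound, which is what the DC's Security log will show.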

Accepted Solution

sanello
Level 1

I've identified that the issue with validating only occurs when I'm logged into the server as local admin and running the proxy manager GUI from there. Validation passes when logged in as a domain admin account.
Tested auth with one of our applications with the DC proxy disabled and things look good.


3 Replies

DuoKristina
Cisco Employee

Hmm, interesting. LDAP error 775 means account locked out. With SSPI auth it uses the machine account in AD for that domain-joined server.

Have you looked at the security event log on the DC to see the corresponding login failure for more context?

If you enable debug logging on the proxy and attempt an actual auth there will be more info logged for the bind attempt.

Duo, not DUO.

Seeing these Audit Failures on the DC.

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		Administrator
	Account Domain:		ENTRA01

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	ENTRA01
	Source Network Address:	redacted
	Source Port:		49964

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

Looks like it's falling back to NTLM?
I'm still reviewing debug logs for info. I'll report here on my findings.
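A way to triage a batch of pasted 4625 events for exactly the pattern in the event above (Authentication Package NTLM rather than Kerberos, and an Account Domain equal to the Workstation Name, i.e. a local machine account presented to the DC), added here as an example that is not Duo's code and not part of the post. The first sample event is the one from the post trimmed to the fields the triage uses, the second is constructed for contrast, and `DOMAIN_NETBIOS = "AD"` is an assumption about the NetBIOS name of `ad.contoso.com`.

```python
"""Triage pasted Security event 4625 text for the NTLM / local-account pattern.

Added example; not Duo Authentication Proxy code and not from the post.
Event 1 below is the thread's event trimmed to the fields used here; event 2
is constructed.  DOMAIN_NETBIOS is an assumption.  Event Viewer indents with
tabs; the sample uses spaces, and the parser accepts either.
"""
import re
from typing import Dict, List, Tuple

DOMAIN_NETBIOS = "AD"  # assumption: NetBIOS name of ad.contoso.com

_LINE_RE = re.compile(r"^(\s*)([^:]+?):\s*(.*)$")
_EVENT_START = "An account failed to log on."

# NTSTATUS values that appear in the Status / Sub Status fields of 4625.
NTSTATUS = {
    "0XC000006D": "STATUS_LOGON_FAILURE",
    "0XC000006A": "STATUS_WRONG_PASSWORD",
    "0XC0000064": "STATUS_NO_SUCH_USER",
    "0XC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}


def split_events(text: str) -> List[str]:
    """Split a paste of several 4625 events on their first line."""
    return [_EVENT_START + chunk for chunk in text.split(_EVENT_START) if chunk.strip()]


def parse_4625(event_text: str) -> Dict[str, str]:
    """Flatten the 'Section / Field: value' layout into 'Section.Field' -> value."""
    fields: Dict[str, str] = {}
    section = ""
    for line in event_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # blank lines and the "An account failed to log on." header
        indent, key, value = m.group(1), m.group(2).strip(), m.group(3).strip()
        if not indent and not value:
            section = key                   # "Subject", "Network Information", ...
        elif indent:
            fields[f"{section}.{key}"] = value
        else:
            fields[key] = value             # top-level field such as "Logon Type"
    return fields


def triage(event: Dict[str, str], domain_netbios: str = DOMAIN_NETBIOS) -> List[str]:
    """Findings relevant to an SSPI bind that should have been Kerberos."""
    g = event.get
    findings: List[str] = []
    if g("Detailed Authentication Information.Authentication Package", "").upper() == "NTLM":
        findings.append("ntlm-not-kerberos")
    acct_domain = g("Account For Which Logon Failed.Account Domain", "").upper()
    workstation = g("Network Information.Workstation Name", "").upper()
    if acct_domain and acct_domain == workstation and acct_domain != domain_netbios.upper():
        # <WORKSTATION>\<user> is a local SAM account, not a domain identity.
        # Under SSPI that is the token of whoever launched the process, so the
        # bind did not come from the intended machine or service account.
        findings.append("local-account-presented-to-dc")
    sub = g("Failure Information.Sub Status", "").upper()
    status = g("Failure Information.Status", "").upper()
    code = sub if sub in NTSTATUS else status
    if code in NTSTATUS:
        findings.append(NTSTATUS[code])
    return findings


def triage_all(text: str) -> List[Tuple[str, List[str]]]:
    """(DOMAIN\\account, findings) for every event in a paste."""
    out = []
    for ev in (parse_4625(e) for e in split_events(text)):
        who = (ev.get("Account For Which Logon Failed.Account Domain", "?") + "\\"
               + ev.get("Account For Which Logon Failed.Account Name", "?"))
        out.append((who, triage(ev)))
    return out


# Event 1: from the post (trimmed).  Event 2: constructed, a domain account via Kerberos.
SAMPLE_EVENTS = """\
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Administrator
    Account Domain:     ENTRA01

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC000006A

Network Information:
    Workstation Name:   ENTRA01
    Source Network Address: redacted
    Source Port:        49964

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM

An account failed to log on.

Account For Which Logon Failed:
    Account Name:       svc-duo
    Account Domain:     AD

Failure Information:
    Status:             0xC000006D
    Sub Status:         0xC000006A

Network Information:
    Workstation Name:   ENTRA01

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
"""

if __name__ == "__main__":
    for who, findings in triage_all(SAMPLE_EVENTS):
        print(who, findings)
```

The `local-account-presented-to-dc` finding is the one that separates "wrong password for the service account" from "the proxy was not running as the account you think it was": the DC has no `ENTRA01\Administrator`, so the attempt is recorded as an unknown-user/bad-password failure, and repeated attempts can count against a same-named domain account, which is then what the LDAP bind reports as `data 775`.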