LDAP authentication in AD (users from other trusted domain)

Oleg Volkov

Hi

I have two domains: mine, DOMAINA.LOCAL, and another trusted one, DOMAINB.LOCAL.
I use LDAP authentication in AD to authenticate users (AnyConnect).
Now I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
I do not want a direct connection to the domain controller in the trusted domain.
My domain controller (DOMAINA.LOCAL) can authenticate users from the other trusted domain (if I use the username "DOMAINB\userindomainb") when I connect with an RDP client to some server (for example, to my domain controller).
But if I try to test aaa-server authentication from the ASA, I get an error.
I think I must use a username like "DOMAINB\userindomainb", but this does not work.
Please help me.
Thanks!


My config:

aaa-server ADA protocol ldap
aaa-server ADA (inside) host 10.0.0.1
 ldap-base-dn dc=domaina, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
 server-type microsoft

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
5 Replies

guibarati

The ASA will see whatever the LDAP server sends to it.

On the AD for domainA, at the DOS prompt, try:

dsquery user -name "*userindomainb"

and see if the user shows up.

If it does, try changing:

ldap-base-dn dc=domaina, dc=local

to

ldap-base-dn dc=local

If the user doesn't show up in the LDAP search, you may have to investigate how to have LDAP list the users from a trusted domain.

I tried to do this, but get:

[-2147483586] Fiber exit Tx=325 bytes Rx=703 bytes, status=-1
[-2147483586] Session End
ERROR: Authentication Rejected: Unspecified

I tried to use userPrincipalName.

But if I use a base DN with my domain, dc=domaina, dc=local, and test userindomaina@domaina.local,

all is OK.

But if I test userindomainb@domainb.local, I get an error.
I changed the base DN to dc=local and got an error.
I also tried changing the base DN to dc=domainb, DC=local and also got an error.


Are you getting the error when you use the "dsquery" command on the Windows server?

No.

On Domain Controller A:

dsquery user dc=domainb,dc=local

and I see:

CN=test,OU=_service_accounts,DC=domainb,DC=local


Hello!

I see in the console (debug ldap):

Request for test@domainb.local returned code (10) Referral

Does the ASA support authentication via LDAP referrals?

I read an old thread:

https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification

and saw: CSCsj32153 Symptom: the ASA/PIX doesn't currently support LDAP referral searches.

But I use:

Cisco Adaptive Security Appliance Software Version 9.2(3)
Device Manager Version 7.3(3)

Compiled on Mon 15-Dec-14 05:10 PST by builders
System image file is "disk0:/asa923-smp-k8.bin"


Thanks!

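An added example, not code from this thread, from Cisco or from Microsoft: a small Python script that turns the kind of "debug ldap" lines quoted above into a triage verdict, and models why the base-DN variants tried earlier (dc=domaina,dc=local, dc=local, dc=domainb,dc=local) end in a referral or an empty result rather than the user entry when the ASA only talks to the DOMAINA controller. The sample debug lines are constructed from the messages quoted in the thread; the function names, the verdict labels and the simplified "which naming contexts the DC holds" model are my assumptions, not documented ASA or AD behaviour.

```python
"""Triage a cross-domain LDAP bind failure on a Cisco ASA.

Added example, not code from the thread, Cisco, or Microsoft. The sample
'debug ldap' lines are constructed from the messages quoted in the thread;
function names, verdict labels and the naming-context model are assumptions.
"""
import re

# LDAP resultCode values (RFC 4511, section 4.1.9) that matter for this triage.
LDAP_RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject", 49: "invalidCredentials"}

RETURN_CODE_RE = re.compile(r"Request for (\S+) returned code \((\d+)\) (\w+)")
FIBER_EXIT_RE = re.compile(r"Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes, status=(-?\d+)")

# Constructed sample, assembled from the lines the thread quotes.
SAMPLE_DEBUG = [
    "[-2147483586] Request for test@domainb.local returned code (10) Referral",
    "[-2147483586] Fiber exit Tx=325 bytes Rx=703 bytes, status=-1",
    "[-2147483586] Session End",
    "ERROR: Authentication Rejected: Unspecified",
]


def parse_debug(lines):
    """Summarise one 'debug ldap' transcript: user, LDAP result code, ASA status, rejection."""
    summary = {"user": None, "code": None, "code_name": None, "status": None, "rejected": False}
    for line in lines:
        m = RETURN_CODE_RE.search(line)
        if m:
            code = int(m.group(2))
            summary.update(user=m.group(1), code=code,
                           code_name=LDAP_RESULT_CODES.get(code, m.group(3)))
            continue
        m = FIBER_EXIT_RE.search(line)
        if m:
            summary["status"] = int(m.group(3))  # -1 is the failure status seen in the thread
            continue
        if "Authentication Rejected" in line:
            summary["rejected"] = True
    return summary


def diagnose(summary):
    """Turn a parse_debug() summary into a triage verdict (labels are my own)."""
    if summary["code"] == 0 and not summary["rejected"]:
        return "ok"
    if summary["code"] == 10:
        # The DC pointed the ASA at another domain's controllers instead of answering;
        # the thread cites CSCsj32153 for the ASA not chasing such referrals.
        return "referral-not-followed"
    if summary["code"] == 49:
        return "bad-credentials"
    return "rejected-other" if summary["rejected"] else "unknown"


def normalize_dn(dn):
    """'dc=domaina, dc=local' -> 'dc=domaina,dc=local' (drop spaces, lower-case RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def naming_context_for_upn(upn):
    """'user@domainb.local' -> 'dc=domainb,dc=local' (default naming context of that domain)."""
    domain = upn.rsplit("@", 1)[1]
    return ",".join("dc=" + label for label in domain.lower().split("."))


def dn_is_under(dn, ancestor):
    """True if dn equals ancestor or lies beneath it in the directory tree."""
    dn, ancestor = normalize_dn(dn), normalize_dn(ancestor)
    return dn == ancestor or dn.endswith("," + ancestor)


def expected_outcome(base_dn, upn, hosted_naming_contexts):
    """Simplified model: what a DC that holds only hosted_naming_contexts returns for a
    search rooted at base_dn looking for the account behind upn."""
    user_nc = naming_context_for_upn(upn)
    base_held = any(dn_is_under(base_dn, nc) for nc in hosted_naming_contexts)
    if not base_held:
        return "referral"      # base is outside every partition this DC holds: code (10)
    if dn_is_under(user_nc, base_dn):
        return "entry"         # account's domain is held here and sits under the base
    return "not_found"         # search succeeds locally but never reaches the other domain


if __name__ == "__main__":
    print("debug ldap verdict:", diagnose(parse_debug(SAMPLE_DEBUG)))
    held = ["dc=domaina,dc=local"]  # what the DOMAINA controller in the thread holds
    for base in ("dc=domaina, dc=local", "dc=local", "dc=domainb, dc=local"):
        print(f"base {base!r:28} user test@domainb.local ->",
              expected_outcome(base, "test@domainb.local", held))
```

Run it as a script to see the verdict for the constructed transcript and the predicted outcome for each base DN the thread tried; feed parse_debug() the lines captured from your own "debug ldap" session to triage a real attempt. The model deliberately treats the DOMAINA controller as holding only its own domain partition, which is why every base outside dc=domaina,dc=local comes back as a referral the ASA cannot follow.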