RDM
New Contributor

Kerberos explicit proxy LDAP auth failed Error code 5

Hello there,

I'm working on my Explicit Proxy infrastructure and I need to move from the native format to a specific one for LDAP matching with the Kerberos ticket provided by the web browser.

So I configured my LDAP server to match the sAMAccountName instead of the userPrincipalName by default (because of some pre-2000 login names which are different).

Here is the config I have for my LDAP:

config user ldap
    edit "LDAP_RDM_AD_CN"
        set server "172.28.26.50"
        set secondary-server "172.28.26.51"
        set cnid "cn"
        set dn "DC=testdomain,DC=ch"
        set type regular
        set username "CN=SVC_ldap,OU=Service Accounts,OU=***,DC=testdomain,DC=ch"
        set password ENC ******
        set secure ldaps
        set port 636
        set account-key-processing strip
        set account-key-filter "samAccountName"
    next
end

However, when I try to browse a web page from my client machine, I get an error saying the proxy refused the connection.

If I have a deeper look I can see that my Kerberos check against LDAP is not working and I always end up with an ERROR code 5 even if the search base and the filter are right:

[2254] handle_req-Rcvd auth req 255846466 for kisstest.acl@TESTDOMAIN.CH in opt=0002011b prot=10
[406] __compose_group_list_from_req-Group 'LDAP_RDM_AD_CN'
[614] fnbamd_pop3_start-kisstest.acl@TESTDOMAIN.CH
[1041] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'LDAP_RDM_AD_CN'
[1607] fnbamd_ldap_init-search filter is: samAccountName
[1616] fnbamd_ldap_init-search base is: DC=testdomain,DC=ch
[991] __fnbamd_ldap_dns_cb-Resolved LDAP_RDM_AD_CN(idx 0) to 172.28.26.50
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[565] create_auth_session-Total 1 server(s) to try
[941] __ldap_connect-tcps_connect(172.28.26.50) is established.
[815] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'CN=SVC_ldap,OU=Service Accounts,OU=***,DC=testdomain,DC=ch'
[860] fnbamd_ldap_send-sending 88 bytes to 172.28.26.50
[872] fnbamd_ldap_send-Request is sent. ID 1
[815] __ldap_rxtx-state 4(Admin Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'DN search'
[815] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'DC=testdomain,DC=ch' filter:samAccountName
[598] fnbamd_ldap_build_dn_search_req-Error in ldap_search
[736] __ldap_error-
[725] __ldap_stop-svr 'LDAP_RDM_AD_CN'
[3081] fnbamd_ldap_result-Error (5) for req 255846466
[181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 255846466
[719] destroy_auth_session-delete session 255846466
[2254] handle_req-Rcvd auth req 255846467 for kisstest.acl@TESTDOMAIN.CH in opt=0002011b prot=10
[406] __compose_group_list_from_req-Group 'LDAP_RDM_AD_CN'
[614] fnbamd_pop3_start-kisstest.acl@TESTDOMAIN.CH
[1041] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'LDAP_RDM_AD_CN'
[1607] fnbamd_ldap_init-search filter is: samAccountName
[1616] fnbamd_ldap_init-search base is: DC=kisslabs,DC=ch
[991] __fnbamd_ldap_dns_cb-Resolved LDAP_RDM_AD_CN(idx 0) to 172.28.26.50
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[565] create_auth_session-Total 1 server(s) to try
[941] __ldap_connect-tcps_connect(172.28.26.50) is established.
[815] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'CN=SVC_ldap,OU=Service Accounts,OU=***,DC=testdomain,DC=ch'
[860] fnbamd_ldap_send-sending 88 bytes to 172.28.26.50
[872] fnbamd_ldap_send-Request is sent. ID 1
[815] __ldap_rxtx-state 4(Admin Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'DN search'
[815] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'DC=testdomain,DC=ch' filter:samAccountName
[598] fnbamd_ldap_build_dn_search_req-Error in ldap_search
[736] __ldap_error-
[725] __ldap_stop-svr 'LDAP_RDM_AD_CN'
[3081] fnbamd_ldap_result-Error (5) for req 255846467
[181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 255846467
[719] destroy_auth_session-delete session 255846467

I tried to change the cnid to sAMAccountName, and with the command diag test authserver ldap everything is successful, but not through my proxy/web browser.

[406] __compose_group_list_from_req-Group 'LDAP_RDM_AD_CN'
[614] fnbamd_pop3_start-kisstest.acl@TESTDOMAIN.ch
[1041] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'LDAP_RDM_AD_CN'
[1607] fnbamd_ldap_init-search filter is: samAccountName=kisstest.acl
[1616] fnbamd_ldap_init-search base is: DC=testdomain,DC=ch
[991] __fnbamd_ldap_dns_cb-Resolved LDAP_RDM_AD_CN(idx 0) to 172.28.26.50
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[565] create_auth_session-Total 1 server(s) to try
[941] __ldap_connect-tcps_connect(172.28.26.50) is established.
[815] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'CN=SVC_ldap,OU=Service Accounts,OU=***,DC=testdomain,DC=ch'
[860] fnbamd_ldap_send-sending 88 bytes to 172.28.26.50
[872] fnbamd_ldap_send-Request is sent. ID 1
[815] __ldap_rxtx-state 4(Admin Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'DN search'
[815] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'DC=testdomain,DC=ch' filter:samAccountName=kisstest.acl
[860] fnbamd_ldap_send-sending 80 bytes to 172.28.26.50
[872] fnbamd_ldap_send-Request is sent. ID 2
[815] __ldap_rxtx-state 12(DN search resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 80
[1083] fnbamd_ldap_recv-Response len: 82, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[799] fnbamd_ldap_parse_response-ret=0
[1152] __fnbamd_ldap_dn_entry-Get DN 'CN=Kiss Test ACL,OU=Users,OU=***,OU=***,DC=testdomain,DC=ch'
[91] ldap_dn_list_add-added CN=Kiss Test ACL,OU=Users,OU=***,OU=***,DC=testdomain,DC=ch
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 79
[1083] fnbamd_ldap_recv-Response len: 81, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 79
[1083] fnbamd_ldap_recv-Response len: 81, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 63
[1083] fnbamd_ldap_recv-Response len: 65, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'User Binding'
[815] __ldap_rxtx-state 5(User Binding)
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=Kiss Test ACL,OU=Users,OU=***,OU=***,DC=testdomain,DC=ch'
[204] __ldap_build_bind_req-Binding to 'CN=Kiss Test ACL,OU=Users,OU=***,OU=***,DC=testdomain,DC=ch'
[860] fnbamd_ldap_send-sending 122 bytes to 172.28.26.50
[872] fnbamd_ldap_send-Request is sent. ID 3
[815] __ldap_rxtx-state 6(User Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'Attr query'
[815] __ldap_rxtx-state 7(Attr query)
[490] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'
[502] fnbamd_ldap_build_attr_search_req-base:'CN=Kiss Test ACL,OU=Users,OU=***,OU=***,DC=testdomain,DC=ch' filter:cn=*
[860] fnbamd_ldap_send-sending 143 bytes to 172.28.26.50
[872] fnbamd_ldap_send-Request is sent. ID 4
[815] __ldap_rxtx-state 8(Attr query resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 611
[1083] fnbamd_ldap_recv-Response len: 613, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry
[799] fnbamd_ldap_parse_response-ret=0
[503] __get_member_of_groups-Get the memberOf groups.
[527] __get_member_of_groups- attr='memberOf', found 0 value
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[799] fnbamd_ldap_parse_response-ret=0
[1232] __fnbamd_ldap_attr_next-Entering CHKPRIMARYGRP state
[882] __ldap_rxtx-Change state to 'Primary group query'
[815] __ldap_rxtx-state 13(Primary group query)
[526] fnbamd_ldap_build_primary_grp_search_req-starting primary group check...
[530] fnbamd_ldap_build_primary_grp_search_req-number of sub auths 5
[548] fnbamd_ldap_build_primary_grp_search_req-base:'DC=testdomain,DC=ch' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\3f\6a\70\39\01\84\fb\57\e5\4b\ea\4f\01\02\00\00))
[860] fnbamd_ldap_send-sending 121 bytes to 172.28.26.50
[872] fnbamd_ldap_send-Request is sent. ID 5
[815] __ldap_rxtx-state 14(Primary group query resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 110
[1083] fnbamd_ldap_recv-Response len: 112, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-entry
[799] fnbamd_ldap_parse_response-ret=0
[91] ldap_dn_list_add-added CN=Domain Users,CN=Users,DC=testdomain,DC=ch
[453] __get_one_group-group: CN=Domain Users,CN=Users,DC=testdomain,DC=ch
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 79
[1083] fnbamd_ldap_recv-Response len: 81, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 79
[1083] fnbamd_ldap_recv-Response len: 81, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 63
[1083] fnbamd_ldap_recv-Response len: 65, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 172.28.26.50
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-result
[799] fnbamd_ldap_parse_response-ret=0
[1350] __fnbamd_ldap_primary_grp_next-Auth accepted
[882] __ldap_rxtx-Change state to 'Done'
[815] __ldap_rxtx-state 21(Done)
[860] fnbamd_ldap_send-sending 7 bytes to 172.28.26.50
[872] fnbamd_ldap_send-Request is sent. ID 6
[725] __ldap_stop-svr 'LDAP_RDM_AD_CN'
[53] ldap_dn_list_del_all-Del CN=Kiss Test ACL,OU=Users,OU=***,OU=***,DC=testdomain,DC=ch
[2977] fnbamd_ldap_result-Result for ldap svr 172.28.26.50 is SUCCESS
[382] ldap_copy_grp_list-copied CN=ACL_SHARE_MOUNT_DATA,OU=Shares,OU=Groups,OU=***,OU=***,DC=testdomain,DC=ch
[382] ldap_copy_grp_list-copied CN=ACL_CTX_VDA_ALLUSERS,OU=Groups,OU=***,OU=***,DC=testdomain,DC=ch
[382] ldap_copy_grp_list-copied CN=KISS_WEBFILTERING,OU=Groups,OU=***,DC=testdomain,DC=ch
[382] ldap_copy_grp_list-copied CN=ACL_SHAREFILE_USERS,OU=Groups,OU=***,OU=***,DC=testdomain,DC=ch
[382] ldap_copy_grp_list-copied CN=ACL_CTX_ELLEANA_ADMINS,OU=Groups,OU=***,OU=***,DC=testdomain,DC=ch
[382] ldap_copy_grp_list-copied CN=ACL_CTX_ELLEANA,OU=Groups,OU=***,OU=***,DC=testdomain,DC=ch
[382] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=testdomain,DC=ch
[2991] fnbamd_ldap_result-Skipping group matching
[993] find_matched_usr_grps-Skipped group matching
[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 255846462
authenticate 'kisstest.acl@TESTDOMAIN.ch' against 'LDAP_RDM_AD_CN' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=testdomain,DC=ch

Any idea for me?

Thanks

RDM

1 REPLY
xsilver_FTNT
Staff

Hi,

fnbamd result code 5 is .. "error" .. unspecific, but usually coming from an outer server without fnbamd's ability to decode what happened out there.

But your first fnbamd app debug shows ...

[815] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'DC=testdomain,DC=ch' filter:samAccountName
[598] fnbamd_ldap_build_dn_search_req-Error in ldap_search
[736] __ldap_error-
[725] __ldap_stop-svr 'LDAP_RDM_AD_CN'
[3081] fnbamd_ldap_result-Error (5) for req 255846466

.. LDAP search. I'd try a packet capture and have a look at the captured LDAP query and results. Also, is there any log on the LDAP server saying, for example, "user not found"?

Second attempt results in ...

[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 255846462

.. and result 0 = success.

Trying to strip the domain and use the sAMAccountName .. that account-key-filter is an LDAP filter; there is probably no match. Default looks like:

set account-key-processing same
set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

But maybe it's not possible to strip anything.

I do remember having a KRB config very similar to the suggested one in the cookbook https://docs.fortinet.com/document/fortigate/6.0.0/handbook/926128/kerberos

and it was working with just names, no user@domain needed, and that's what you want, if I got it correctly.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
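The reply's point that account-key-filter is an LDAP filter with %s standing for the account key can be checked offline against the failing debug in the question. The Python below is an added example, not FortiOS code or anything posted in this thread; its model of account-key-processing strip (drop everything from the @ onwards) and of the %s substitution is an assumption based on the reply, and the filter check is a structural simplification of RFC 4515, not a schema lookup.

```python
import re

# Constructed inputs taken from this thread: the principal seen in the fnbamd
# debug and the default account-key-filter quoted in the reply.
PRINCIPAL = "kisstest.acl@TESTDOMAIN.CH"
DEFAULT_FILTER = "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# RFC 4515 section 3: characters that must be escaped inside a filter value so
# that a principal cannot change the structure of the search filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def account_key(principal: str, processing: str) -> str:
    """Assumed model of account-key-processing: 'strip' drops @REALM, 'same' keeps it."""
    if processing == "strip":
        return principal.split("@", 1)[0]
    if processing == "same":
        return principal
    raise ValueError(f"unknown account-key-processing {processing!r}")

def build_search_filter(account_key_filter: str, principal: str, processing: str) -> str:
    """Substitute the escaped account key for every %s. A filter without %s comes
    back unchanged, which is what the failing debug shows ('search filter is: samAccountName')."""
    key = escape_filter_value(account_key(principal, processing))
    return account_key_filter.replace("%s", key)

def is_ldap_filter(flt: str) -> bool:
    """Structural check only: a balanced parenthesised expression with attr<op>value leaves."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    if depth != 0:
        return False
    leaves = re.findall(r"\(([^()]*)\)", flt)
    return all(re.fullmatch(r"[A-Za-z0-9.;:-]+(?:~=|>=|<=|:=|=)[^()]*", leaf) for leaf in leaves)

if __name__ == "__main__":
    for label, flt, proc in [("RDM's filter", "samAccountName", "strip"),
                             ("corrected", "(sAMAccountName=%s)", "strip"),
                             ("FortiOS default", DEFAULT_FILTER, "same")]:
        built = build_search_filter(flt, PRINCIPAL, proc)
        print(f"{label:16} -> {built}  valid={is_ldap_filter(built)}")
```

Running it shows the bare attribute name from the question never receives a value and is not a filter at all, while a parenthesised filter with %s produces a well-formed search for the stripped name.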
