
I am trying to allow users of an external Linux-based application server to authenticate with the service using their Active Directory credentials via LDAPS. It works well for admin accounts but fails for normal user accounts.

The issue is that there is a "logon workstations" setting for users that restricts them from logging onto the Domain Controller (DC) (or rather creates a restriction that they can only log onto their assigned workstation).

The initial LDAP query, made in the name of a service account, works, but at the point when the HTTP authentication is carried out the LDAP service unbinds from the service account and tries to bind as the user. At this point it fails.

Is there a way around this? Is it common practice to restrict access to the DC in this way?

Sean Cull

1 Answer


I would suggest denying interactive/RDP logon to the DCs with a GPO:

"Computer Settings/Security Settings/Local Policies/User Rights Assignments/Deny Logon Locally"

I've seen such problems with custom/corporate software and some Linux boxes. In these cases "Logon Workstations" should include the DC(s) in the list of allowed workstations. I suppose it's connected to the way in which these systems try to authenticate users. See an example: https://confluence.atlassian.com/display/CONFKB/Unable+to+Log+in+Because+of+userWorkstations+Attribute+in+Active+Directory

Eventually analyze the Linux logs and search for data code 531 as per https://primalcortex.wordpress.com/2007/11/28/active-directory-ldap-errors/

Keep in mind that the "User-Workstations" attribute has limitations: https://support.microsoft.com/en-us/kb/938458

iPath