
I am trying to allow users of an external Linux-based application server to authenticate with the service using their Active Directory credentials via LDAPS. It works well for admin accounts but fails for normal user accounts.

The issue is that there is a "logon workstations" setting for users that restricts them from logging onto the Domain Controller (DC) (or rather creates a restriction that they can only log onto their assigned workstation).

The initial LDAP query, which is made in the name of a service account, works, but at the point when the HTTP authentication is carried out the LDAP service unbinds from the service account and tries to bind as the user. At this point it fails.

Is there a way around this? Is it common practice to restrict access to the DC in this way?

Sean Cull
  • For those users, try adding the name of the Linux server to "logon workstations" or removing all values from "logon workstations" – Clayton Jul 02 '15 at 16:17
  • The problem is not with their ability to see the linux server but their ability to see their Domain controller. The linux server cannot authenticate them, hence the need for the LDAP to AD. – Sean Cull Jul 02 '15 at 18:16

1 Answer


I would suggest denying interactive/RDP logon to the DCs with a GPO:

"Computer Settings/Security Settings/Local Policies/User Rights Assignments/Deny Logon Locally"

I've seen such problems with custom/corporate software and some Linux boxes. In these cases "Logon Workstations" should include the DC(s) in the list of allowed workstations. I suppose it's connected to the way in which these systems try to authenticate users. See an example: https://confluence.atlassian.com/display/CONFKB/Unable+to+Log+in+Because+of+userWorkstations+Attribute+in+Active+Directory

Eventually analyze Linux's logs and search for data code 531 as per https://primalcortex.wordpress.com/2007/11/28/active-directory-ldap-errors/

Keep in mind that the "User-Workstations" attribute has limitations: https://support.microsoft.com/en-us/kb/938458

iPath
  • iPath, many thanks for your considered response. I have read it and the links and it fits with what I am seeing. I will mark it as a solution if there isn't anything better. The LDAP on the Linux side is handled by IBM Domino so the error messages are different but it would have been great if they had added the example you quote of 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893 HEX: 0x531 – not permitted to logon from this workstation – Sean Cull Jul 02 '15 at 21:44
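The answer above points at the "data 531" sub-status as the thing to look for in the Linux-side logs, and the comment quotes the full AD diagnostic string. The following is an added example (not code from the question, the answer, or IBM Domino) that triages such bind failures: it extracts the AD sub-status from the `AcceptSecurityContext error, data NNN` diagnostic that Active Directory attaches to an LDAP result 49 (invalidCredentials), maps it to the documented meaning, and reproduces the `userWorkstations` decision (an empty attribute means any workstation; otherwise the machine's NetBIOS name must be in the comma-separated list). The log line format, the DNs and the hostnames are constructed for the example; the sub-status table is Microsoft's documented set of bind error codes.

```python
import re
from typing import Dict, List, Optional

# Active Directory returns LDAP result 49 for every failed simple bind; the only
# way to tell "wrong password" from "wrong workstation" is this sub-status code
# inside the diagnostic message. Codes are hexadecimal, as AD prints them.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time (logon hours)",
    "531": "not permitted to logon from this workstation (userWorkstations)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_DN_RE = re.compile(r"dn=([^ ]+)")  # assumes the DN is logged without spaces


def parse_ad_bind_error(diagnostic: str) -> Optional[Dict[str, str]]:
    """Extract the AD sub-status from a bind diagnostic message.

    Returns None when the text carries no AcceptSecurityContext sub-status,
    otherwise {"data": "<hex code>", "reason": "<documented meaning>"}.
    """
    match = _DATA_RE.search(diagnostic)
    if match is None:
        return None
    code = match.group(1).lower()
    return {"data": code, "reason": AD_BIND_DATA_CODES.get(code, "unknown sub-status")}


def workstation_allowed(user_workstations: str, host: str) -> bool:
    """Reproduce the userWorkstations check a DC applies at logon.

    An empty attribute means the user may log on anywhere. Otherwise the
    NetBIOS name of the machine performing the logon (for a simple LDAP bind,
    the DC itself) must appear in the comma-separated list, case-insensitively.
    """
    if not user_workstations or not user_workstations.strip():
        return True
    allowed = {w.strip().upper() for w in user_workstations.split(",") if w.strip()}
    netbios_name = host.split(".")[0].upper()  # strip any DNS suffix
    return netbios_name in allowed


def triage_bind_failures(log_lines: List[str]) -> Dict[str, List[str]]:
    """Group failing bind DNs by AD sub-status code, e.g. {"531": [dn, ...]}."""
    grouped: Dict[str, List[str]] = {}
    for line in log_lines:
        parsed = parse_ad_bind_error(line)
        if parsed is None:
            continue  # successful bind or a line without an AD sub-status
        dn_match = _DN_RE.search(line)
        dn = dn_match.group(1) if dn_match else "?"
        grouped.setdefault(parsed["data"], []).append(dn)
    return grouped


# Constructed sample log lines in a hypothetical application-server format.
SAMPLE_LOG = [
    "2015-07-02T18:16:00 ldap bind dn=CN=svc-app,OU=Service,DC=example,DC=com result=0",
    "2015-07-02T18:16:01 ldap bind dn=CN=jdoe,OU=Users,DC=example,DC=com result=49 "
    "msg='80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893'",
    "2015-07-02T18:16:02 ldap bind dn=CN=asmith,OU=Users,DC=example,DC=com result=49 "
    "msg='80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'",
]

if __name__ == "__main__":
    for code, dns in sorted(triage_bind_failures(SAMPLE_LOG).items()):
        print(f"data {code}: {AD_BIND_DATA_CODES.get(code, 'unknown')} -> {dns}")
    # A user whose list names only their own workstation cannot bind via the DC:
    print(workstation_allowed("WS-JDOE", "DC01.example.com"))
    # Adding the DC's NetBIOS name (as the answer suggests) makes the bind pass:
    print(workstation_allowed("WS-JDOE,DC01", "DC01.example.com"))
```

Running `triage_bind_failures` over the application server's bind log separates the 531 population (fix the `userWorkstations` attribute, either by adding the DC(s) or clearing it) from the 52e population (genuinely bad passwords), which is the distinction the answer's log search is meant to make.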