PfSense randomly loses connection to Azure AD Domain Service - azure-active-directory

A few months ago we switched from using on on-prem AD to using Azure AD with ADDS service.
Ever since then we are having a problem with our pfSense machine. It is configured to Authenticate through LDAP but sometimes loses connection randomly. When this happens our users can't log in and can't use the company openVPN.
Our error messages on pfSense look like this:
/openvpn.auth-user.php: ERROR! Could not bind to LDAP server Azure AD. Please check the bind credentials.
We don't see error messages on Azure side.
Did anyone have a similar experience?
We use:
pfSense 2.4.4
Azure AD Domain Services - Standard SKU
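Because the bind failures in the question come and go, the first useful diagnostic is to pull the "Could not bind" lines out of the pfSense system log and see whether they cluster (a short burst every few hours points at a timeout or upstream hiccup rather than bad credentials). The script below is an added example, not code from the thread or from pfSense; the log lines are constructed in the pfSense syslog style around the exact message quoted in the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the original post); the message text matches
# the error quoted in the question. Line 3 is an unrelated entry to be ignored.
SAMPLE_LOG = """\
Mar 03 08:15:02 pfSense php-fpm[61742]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Azure AD. Please check the bind credentials.
Mar 03 08:15:40 pfSense php-fpm[61742]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Azure AD. Please check the bind credentials.
Mar 03 08:16:05 pfSense openvpn[12345]: user 'alice' could not authenticate.
Mar 03 09:40:11 pfSense php-fpm[61742]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Azure AD. Please check the bind credentials.
Mar 03 14:02:30 pfSense php-fpm[61742]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Azure AD. Please check the bind credentials.
Mar 03 14:03:10 pfSense php-fpm[61742]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Azure AD. Please check the bind credentials.
Mar 03 14:03:55 pfSense php-fpm[61742]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Azure AD. Please check the bind credentials.
"""

# Syslog timestamp, host, process tag, then the pfSense auth-helper error text.
BIND_ERR = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+: /openvpn\.auth-user\.php: "
    r"ERROR! Could not bind to LDAP server (?P<server>.+?)\. Please check"
)

def parse_bind_failures(log_text, year=2024):
    """Return the sorted timestamps of LDAP bind failures found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = BIND_ERR.match(line)
        if m:
            # Syslog lines carry no year; supply one so the timestamps are comparable.
            hits.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return sorted(hits)

def outage_windows(timestamps, gap=timedelta(minutes=5)):
    """Group failures less than `gap` apart into (start, end, count) windows."""
    windows = []
    for ts in timestamps:
        if windows and ts - windows[-1][1] < gap:
            start, _, n = windows[-1]
            windows[-1] = (start, ts, n + 1)
        else:
            windows.append((ts, ts, 1))
    return windows

if __name__ == "__main__":
    for start, end, n in outage_windows(parse_bind_failures(SAMPLE_LOG)):
        print(f"{start:%b %d %H:%M:%S} .. {end:%H:%M:%S}  bind failures: {n}")
```

Run it against the real /var/log/system.log (or a clog export) to compare the window start times with the LDAP "Server Timeout" value and with any Azure AD DS maintenance or scaling events.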

Your configuration in the pfSense LDAP server settings should be as follows:
• Hostname or IP Address = or
• Port value = 389(636 if SSL/TLS)
• Transport = TCP - Standard
• Peer Cert Authority = No CA Identified
• Protocol Version = 3
• Server Timeout = 25
• Search Scope = Entire Subtree
• Base DN = Nothing here
• Auth Containers = (CN=Users,DC=my,DC=domain,DC=com)
• Extended Query = true
Query = memberOf=CN=<AD security group>,CN=Users,dc=<my>,dc=<domain>,dc=<com>
• Bind Anonymous = false
• Bind Credentials = (domain\user + password)
• User naming attribute = samAccountName
• Group naming attribute = cn
• Group member attribute = memberOf
• RFC 2307 Groups = false
• Group Object Class = posixGroup
• UTF8 Encode = false
• Username Alterations = false
Please check your configuration once and follow the links below for more clarification on configuring your pfSense with Azure AD:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/authentication.html
https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps
Thanking you,

Azure VM SQL Server connection string

*** Apologies folks - I appended the wrong code, now replaced below.
I have a simple Visual Studio .NET web forms app. I run it on my Azure VM called dexram (Windows 10) and I also created a SQL Server on the Azure VM. There is a user on the VM called 5001211 that has admin authority in Windows. It can use SSMS to access the database no problems.
All my connection string attempts fail in the C# code. This is strange as the VS web app and the SQL Server are both running on the Azure VM.
Here are the strings I tried and the messages I got underneath:
string Server = "Data Source = dexram; Initial Catalog = FruitNVeg; User ID=5001211;Password=Fitsh3ly;";
This connection string throws an error:
Login failed for user '5001211'
string Server = "Data Source = tcp:dexram,1433; Database = FruitNVeg; User ID = 5001211#dexram; Password = Fitsh3ly; Trusted_Connection = False; Encrypt = True;";
The certificate chain was issued by an authority that is not trusted
string Server = "Data Source = tcp:dexram,1433; Authentication = Active Directory Integrated; Database = FruitNVeg;";
The certificate chain was issued by an authority that is not trusted
string Server = "Data Source = tcp:dexram,1433; Authentication = Active Directory Password; Database = FruitNVeg; UID=5001211#dexram;PWD=Fitsh3ly;";
The certificate chain was issued by an authority that is not trusted
Thanks Dan - no luck - I created as per your suggestion and made 5001211 sysadmin and got following results:
string Server = "Data Source = dexram; Initial Catalog = FruitNVeg; User ID=5001211;Password=Fitsh3ly;";
Gives --> Login failed for user '5001211'
string Server = "Data Source = tcp:dexram,1433; Database = FruitNVeg; User ID = 5001211#dexram; Password = Fitsh3ly; Trusted_Connection = True; Encrypt = True;";
Gives --> The certificate chain was issued by an authority that is not trusted
I am thinking I need to get a certificate created, as I think (?) my SQL calls from my VS app are going out over the internet (even though the two tools, VS and SQL Server, are on the same VM)?
You must first create a user in SQL Server, then use the connection string format below:
Data Source=instance name (or use .);Initial Catalog=database name;User ID=created user in SQL Server;Password=your password
and apply the settings below for the user.
User dexram\5001211 is a Windows account. Your app connection string specifies a SQL login named 5001211. You need to create a SQL login named 5001211 and an associated database user:
USE FruitNVeg;
CREATE LOGIN [5001211] WITH PASSWORD = 'Fitsh3ly';
CREATE USER [5001211];
The user will also need permissions on the objects the application uses in the FruitNVeg database. Although you could add the login to a privileged role like sysadmin to avoid granting these permissions, the best practice is to use a minimally privileged account for routine application database access that has only the required permissions:
USE FruitNVeg;
GRANT SELECT ON dbo.Apples TO [5001211];
As per this URL --> https://blog.greglow.com/2020/01/16/sql-sql-server-the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted/
I used SQL Server Configuration Manager, set "Trust Server Cert" to yes, and that fixed the problem, it seems.
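The thread ends with two settings worth keeping an eye on in application config: a SQL login password embedded in the connection string, and a "trust server certificate" workaround that silences the certificate-chain error by skipping validation rather than installing a trusted certificate. The audit below is an added example, not code from the thread; it parses SqlClient-style connection strings (the key names used in the thread) and reports those conditions. Sample strings are constructed from the thread's shapes with the password replaced by a placeholder.

```python
# Map the SqlClient keyword aliases seen in the thread onto canonical names.
KEY_ALIASES = {
    "data source": "server", "server": "server", "address": "server",
    "initial catalog": "database", "database": "database",
    "user id": "user", "uid": "user",
    "password": "password", "pwd": "password",
    "trusted_connection": "integrated", "integrated security": "integrated",
    "encrypt": "encrypt",
    "trustservercertificate": "trust_cert",
    "authentication": "authentication",
}
TRUTHY = ("true", "yes", "sspi")
ENCRYPT_ON = ("true", "yes", "mandatory", "strict")

def parse_conn_string(s):
    """Split 'Key=Value;Key=Value' into a dict keyed by canonical lower-case names."""
    out = {}
    for part in s.split(";"):
        if "=" not in part:
            continue  # skip empty trailing segment
        k, v = part.split("=", 1)
        canon = KEY_ALIASES.get(k.strip().lower(), k.strip().lower())
        out[canon] = v.strip()
    return out

def audit_conn_string(s):
    """Return a list of human-readable findings for one connection string."""
    c = parse_conn_string(s)
    findings = []
    if c.get("password"):
        findings.append("plaintext password embedded in connection string")
    if c.get("encrypt", "false").lower() not in ENCRYPT_ON:
        findings.append("Encrypt is not enabled; credentials travel unprotected on the wire")
    if c.get("trust_cert", "false").lower() in TRUTHY:
        findings.append("TrustServerCertificate=True disables server certificate validation")
    if c.get("integrated", "").lower() in TRUTHY and "user" in c:
        findings.append("Trusted_Connection=True uses Windows auth; User ID/Password are ignored")
    return findings

# Constructed samples modelled on the thread's strings (password is a placeholder).
SAMPLE_STRINGS = {
    "sql_login_no_encrypt": "Data Source = dexram; Initial Catalog = FruitNVeg; User ID=5001211;Password=PLACEHOLDER;",
    "trusted_conn_with_login": "Data Source = tcp:dexram,1433; Database = FruitNVeg; User ID = 5001211; Password = PLACEHOLDER; Trusted_Connection = True; Encrypt = True;",
    "trust_cert_workaround": "Server=tcp:dexram,1433; Database=FruitNVeg; User ID=5001211; Password=PLACEHOLDER; Encrypt=True; TrustServerCertificate=True;",
    "integrated_encrypted": "Server=tcp:dexram,1433; Database=FruitNVeg; Integrated Security=SSPI; Encrypt=True;",
}

if __name__ == "__main__":
    for name, cs in SAMPLE_STRINGS.items():
        print(name, "->", audit_conn_string(cs) or ["no findings"])
```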

Azure AD: EnforceCloudPasswordPolicyForPasswordSyncedUsers does not work for existing tenant

We are currently testing the feature EnforceCloudPasswordPolicyForPasswordSyncedUsers (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#public-preview-of-the-enforcecloudpasswordpolicyforpasswordsyncedusers-feature), which makes it possible for a tenant to comply with the Azure AD password expiration policy when a user's password has expired.
By default, if the customer uses Password Hash Synchronization (PHS), the value DisablePasswordExpiration is set for every user. This means that if a password is expired on-premises, the user is still able to use any Azure AD integrated services. Since we want them to comply with the password expiration policy set in AD/AAD, we want this feature configured.
I have this feature working in a LAB environment with a demo M365 tenant.
Situation LAB: 1 AAD Connect Server - 1 M365 tenant - PHS enabled - Specific OU synced - ForcePasswordChangeOnLogOn feature enabled
When I create a new user with the feature enabled, it sets the value to DisablePasswordExpiration; when I initiate a password change on-premises, it changes the value from DisablePasswordExpiration to None as expected.
Now the challenge, in the dev environment of the customer.
Situation: 1 AAD Connect Server - 1 M365 tenant - PHS enabled - Specific OU synced - ForcePasswordChangeOnLogOn feature enabled
When I create a new user, it does not have any value set. It should have DisablePasswordExpiration set, but it doesn't. When I initiate a sync between on-prem and AAD, the value doesn't appear.
When I change the password on-prem for an existing user WITH the DisablePasswordExpiration value set, it changes the value to "None". So in the above scenario the feature does not work for newly created users, but does work for existing users.
The feature EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled in both cases.

Azure AD Connect and Azure AD Connection Issue

I am trying to provision users from on-premises AD to Azure AD. The firewall within my organization blocks the provisioning process. I referred to the following link - https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports - and to tables 1, 2, 6a and 6b.
What this line states - For a list of URLs and IP addresses you need to open in your firewall, see Office 365 URLs and IP address ranges - https://support.office.com/en-us/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#bkmk_portal_ip
In this URL, is it enough to open the firewall for the URLs under "Portal and shared FQDNs" and "Authentication and identity FQDNs"?
Also there is one more link that displays Azure data center IP ranges - https://www.microsoft.com/en-us/download/details.aspx?id=41653
What are these IPs mentioned for the Azure data centers? Do I need to open the firewall for these as well?
I am really confused. Can anyone please help me?
"Is it enough to open the firewall for the URLs under Portal and shared FQDNs, Authentication and identity FQDNs?"
You are correct. That's all you need for AAD Connect to work.
You don't need the specific IP ranges. They are for the FQDNs listed under the page.

Sonarqube groups along with LDAP AD groups is over-riding all membership locally configured in SonarQube

We are using LDAP plugin v1.4 & Sonarqube v4.5.7.
LDAP user configuration is working fine, but if we enable group configuration it overrides all membership locally configured in SonarQube, including the default local groups sonar-users and sonar-administrators (these 2 groups are not available in Active Directory, and are practically tough to manage in our LDAP setup). No new users are added to the sonar-users group automatically, and added users are removed when they log in.
Because of this, new users are not able to log in to Sonar until an admin configures the AD group they are part of in the Sonar backend. Is there any solution to handle this?
Also, in this scenario,
1. Is there a way to exclude these 2 groups from AD syncup
2. How to add users automatically to sonar-users with AD group configuration
Our LDAP settings are the standard settings available in the LDAP plugin documentation.
Thanks a lot for any help on this topic.
As described in the docs (emphasis added),
When group mapping is configured (i.e the below ldap.group.* properties are configured), membership in LDAP server will override any membership locally configured in SonarQube. LDAP server becomes the one and only place to manage group membership (and the info is fetched each time the user logs in).
To turn group mapping off, remove the ldap.group.* properties.

kinit(v5): Client not found in Kerberos database while getting initial credentials

I'm working on configuring SSO in OBIEE 11.1.1.7.14, where I'm facing an issue in the step of configuring krb5.conf and executing the kinit command.
A few notes regarding the Active Directory:
We have more than one domain controller, and to balance requests we maintain a load balancer on port 3269.
The integration between OBIEE and MSAD was successfully done with the load balancer name as host and 3269 as port.
A few certificates have been added to demotrust.jks and to the OVD store, and SSL is enabled in the new provider.
The keytab file was generated and placed in the OBIEE domain home, and krb5.conf and krb5Login.conf were modified accordingly.
I have created the keytab file and placed it in the OBIEE domain home, then modified krb5.conf, keeping kdc as one of the IP addresses of the domain controllers and admin_server as the name of the domain controller. While executing
kinit -V -k -t /location/keytabfile.keytab HTTP/obiee_host_name
I got the error "kinit(v5): Client not found in Kerberos database while getting initial credentials". Please share your ideas/suggestions to solve this issue.
thanks in advance
We have an Active Directory with 2 domain controllers. A load balancer on port 3269 is used to connect to Active Directory from OBIEE, and similar connections can be used in krb5.conf and wherever required.
And consider the base domain as DOM1 and all our groups are created under sub-domain SUBDOM. So the SPN is set at the SUBDOM.DOM1.COM.
Here are the suggestions we followed to integrate AD with OBIEE and solve most of the kinit issues:
Instead of specifying the principal name with the absolute path, just mention it as account_name@FullyQualifiedDomainName.
Changes in krb5.conf:
Since the attribute "crypto" was specified as "all" while creating the keytab and setting the SPN, all the encryption types present in the keytab file have to be mentioned in krb5.conf (default_tkt_enctypes and default_tgs_enctypes).
We included the primary domain controller IP address for the kdc attribute in the [realms] section; this is the same as Michael-O specified in point 2.
In [domain_realm] of krb5.conf keep .subdom.dom1.com=DOM1.COM.
Include the host name of the load balancer in the admin_server attribute of the [realms] section in krb5.conf.
Once all the above changes are done, most of the kinit issues would be solved and the kinit command will be executed successfully by creating the initial ticket in the desired directory.
First of all, this is serverfault.
3269 is not Kerberos; this is the SSL-backed global catalog. Pure LDAP, not Kerberos. Not interesting here.
Do not put KDC IP addresses in the krb5.conf but rather rely on DNS SRV records just like Windows does.
You cannot kinit with an SPN. kinit expects a UPN (from AD) from the keytab. Something like accountname$@EXAMPLE.COM if this is a machine account. Always remember, an SPN is always bound to some account, whether machine or functional.