How to troubleshoot LDAP Authentication issues using ldp.exe
When troubleshooting authentication issues it can be useful to test user credentials directly against the LDAP server.
There are two main ways of doing this: ldp.exe, which is included with Windows Server, and the ldapsearch utility, which can be installed on Linux. ldapsearch replicates the requests sent by the LoadMaster.
These are the credentials used in the following examples:
Domain: contoso.com
Domain-Controller: 10.110.0.150
Username: bgleeson
Password: 2fourall
LDP.EXE
First, use the ldp.exe program on Windows Server. This is most useful for testing the username and password in the Bind Request.
- In the command prompt, type ldp.exe.
- In the Connect dialog box, enter the LDAP server IP address and port.
- Select Bind with Credentials as the Bind type.
To examine the connection in Wireshark, untick Encrypt traffic after bind so the LDAP exchange is not encrypted on the wire.
Successful BIND:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='bgleeson'; Pwd=<unavailable>; domain = 'contoso.com'}
Authenticated as: 'CONTOSO\bgleeson'.
Unsuccessful BIND:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='bgleeson'; Pwd=<unavailable>; domain = 'contoso.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0
Error 0x8009030C The logon attempt failed
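The diagnostic string both tools return ("AcceptSecurityContext error, data 52e") carries the Active Directory sub-code that tells you why the bind failed. The following helper, added here as an example and not part of the original article, extracts that sub-code from ldp.exe or ldapsearch output and also recognises the case where ldapsearch reports "result: 32 No such object" after a bind that actually succeeded. Only sub-code 52e appears in this article; the other entries in AD_BIND_SUBCODES are the documented Active Directory values and the sample texts are copied from the output above.

```python
import re

# Added example (not part of the original article). Sub-codes reported by
# Active Directory in the "AcceptSecurityContext error, data NNN" diagnostic.
# Only 52e appears in the article; the rest are the documented AD values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the account cannot bind)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the AD diagnostic in both ldp.exe ("Server error: ...") and
# ldapsearch ("additional info: ...") output.
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)", re.IGNORECASE)
# Matches an ldapsearch result line such as "result: 32 No such object".
RESULT_RE = re.compile(r"^result: (\d+)", re.MULTILINE)


def ad_subcode(text):
    """Return the lower-cased 'data' sub-code from an AD bind diagnostic, or None."""
    m = DATA_RE.search(text)
    return m.group(1).lower() if m else None


def classify_bind(text):
    """Classify ldp.exe / ldapsearch output as a successful or failed bind.

    Returns a dict with 'bind' ('ok', 'failed' or 'unknown') plus details.
    """
    code = ad_subcode(text)
    if code is not None or "invalid credentials" in text.lower():
        return {
            "bind": "failed",
            "subcode": code,
            "meaning": AD_BIND_SUBCODES.get(code, "unrecognised sub-code"),
        }
    if "authenticated as:" in text.lower():
        return {"bind": "ok", "search_result": None}
    m = RESULT_RE.search(text)
    if m:
        # ldapsearch only prints a search result after the bind succeeded.
        # Result 32 (No such object) with no -b base DN is therefore a
        # successful credential check, not an authentication failure.
        return {"bind": "ok", "search_result": int(m.group(1))}
    return {"bind": "unknown", "search_result": None}


# Sample texts reproduced from the article's output.
LDP_FAIL = (
    "Error <49>: ldap_bind_s() failed: Invalid Credentials.\n"
    "Server error: 8009030C: LdapErr: DSID-0C0904D0, comment: "
    "AcceptSecurityContext error, data 52e, v1db0\n"
)
LDP_OK = "Authenticated as: 'CONTOSO\\bgleeson'.\n"
LDAPSEARCH_FAIL = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db0\n"
)
LDAPSEARCH_NO_BASE = (
    "# search result\nsearch: 2\nresult: 32 No such object\n"
    "text: 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, bes\n"
    " t match of:\n"
)

if __name__ == "__main__":
    for name, sample in [("ldp fail", LDP_FAIL), ("ldp ok", LDP_OK),
                         ("ldapsearch fail", LDAPSEARCH_FAIL),
                         ("ldapsearch no base", LDAPSEARCH_NO_BASE)]:
        print(name, "->", classify_bind(sample))
```

The point worth remembering from the last sample is that ldapsearch returning "No such object" is a search error, not a bind error: the credentials were accepted and only the base DN was missing, so it should not be read as an authentication failure.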
LDAP Search
Install ldapsearch on Linux (on Ubuntu it is provided by the ldap-utils package). In this example we are using Ubuntu.
root@user-virtual-machine:~# ldapsearch -H ldap://10.110.0.150 -D "bgleeson@contoso.com" -w "2fourall"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
text: 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, bes
 t match of:
 ''
# numResponses: 1
root@user-virtual-machine:~# ldapsearch -H ldap://10.110.0.150 -D "bgleeson@contoso.com" -w "wrongpassword"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0
root@user-virtual-machine:~#
A search with a base DN of dc=contoso,dc=com, the filter (&(objectclass=user)(userprincipalname=bgleeson@contoso.com)) and the requested attributes memberof and primarygroupid returns the user's group membership:
# extended LDIF
#
# LDAPv3
# base <dc=contoso,dc=com> with scope subtree
# filter: (&(objectclass=user)(userprincipalname=bgleeson@contoso.com))
# requesting: memberof primarygroupid
#
# Barry Gleeson, Users, contoso.com
dn: CN=Barry Gleeson,CN=Users,DC=contoso,DC=com
memberOf: CN=Group2,CN=Users,DC=contoso,DC=com
memberOf: CN=Group1,CN=Users,DC=contoso,DC=com
primaryGroupID: 513
# search reference
ref: ldap://ForestDnsZones.contoso.com/DC=ForestDnsZones,DC=contoso,DC=com
# search reference
ref: ldap://DomainDnsZones.contoso.com/DC=DomainDnsZones,DC=contoso,DC=com
# search reference
ref: ldap://contoso.com/CN=Configuration,DC=contoso,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
When allowed groups are configured on the LoadMaster, the user search uses a filter of the following form, with one memberOf clause per allowed group:
(&(samAccountType=805306368)(|(memberOf=<group1-DN>)(memberOf=<group2-DN>)...(memberOf=<groupN-DN>))(userPrincipalName=<userUPN>))
For example, with two allowed groups (GroupA; GroupB) and the user bgleeson@contoso.com, the filter is:
(&(samAccountType=805306368)(|(memberOf=CN=GroupA,OU=Groups,OU=RDE,DC=contoso,DC=com)(memberOf=CN=GroupB Access,OU=Groups,OU=RDE,DC=contoso,DC=com))(userprincipalname=bgleeson@contoso.com))
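To replicate the LoadMaster's query with ldapsearch you need to build the same filter for your own groups and user. The following code is an added example, not the LoadMaster's or the article's own code: it builds both filter forms shown in this article, escapes the group DNs and UPN per RFC 4515 so that a group name containing parentheses or an asterisk cannot break the filter, and assembles the matching ldapsearch command line. The function and parameter names are my own; the -x flag (simple bind) is not in the article's command and is noted in a comment.

```python
import shlex

# samAccountType value for normal user accounts, as used in the
# LoadMaster filter quoted in the article.
SAM_ACCOUNT_TYPE_USER = "805306368"


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP filter assertion (RFC 4515).

    Group DNs or UPNs containing '(', ')', '*', '\\' or NUL would otherwise
    change the structure of the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def build_user_filter(upn):
    """Filter used in the article's plain user lookup (no allowed groups)."""
    return "(&(objectclass=user)(userprincipalname=%s))" % ldap_filter_escape(upn)


def build_group_filter(upn, group_dns):
    """Filter of the form shown in the article: the user must be in any allowed group."""
    if not group_dns:
        raise ValueError("at least one allowed group DN is required")
    member_of = "".join("(memberOf=%s)" % ldap_filter_escape(dn) for dn in group_dns)
    return "(&(samAccountType=%s)(|%s)(userprincipalname=%s))" % (
        SAM_ACCOUNT_TYPE_USER, member_of, ldap_filter_escape(upn))


def ldapsearch_argv(server, bind_upn, password, base_dn, ldap_filter, attributes):
    """argv for an ldapsearch call that reproduces the LoadMaster's query.

    password=None uses -W so ldapsearch prompts instead of taking the password
    from the command line (where it would be visible in the process list and
    shell history). -x requests a simple bind, which is what "Bind with
    Credentials" does; the article's command omits it.
    """
    argv = ["ldapsearch", "-x", "-H", "ldap://%s" % server, "-D", bind_upn]
    argv += ["-W"] if password is None else ["-w", password]
    return argv + ["-b", base_dn, ldap_filter] + list(attributes)


def ldapsearch_command(server, bind_upn, password, base_dn, ldap_filter, attributes):
    """Shell-quoted form of ldapsearch_argv for pasting into a terminal."""
    return " ".join(shlex.quote(a) for a in
                    ldapsearch_argv(server, bind_upn, password, base_dn, ldap_filter, attributes))


# Constructed sample matching the article's two-group example.
EXAMPLE_GROUPS = [
    "CN=GroupA,OU=Groups,OU=RDE,DC=contoso,DC=com",
    "CN=GroupB Access,OU=Groups,OU=RDE,DC=contoso,DC=com",
]

if __name__ == "__main__":
    flt = build_group_filter("bgleeson@contoso.com", EXAMPLE_GROUPS)
    print(flt)
    print(ldapsearch_command("10.110.0.150", "bgleeson@contoso.com", None,
                             "dc=contoso,dc=com", flt, ["memberof", "primarygroupid"]))
```

If the user is not returned by the group filter but is returned by build_user_filter, the bind and the account are fine and the problem is group membership (compare the memberOf values against the configured group DNs character for character, including the OU path).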
The LDAP exchange can also be captured for analysis in Wireshark. Here a background tcpdump capture of port 389 is stopped and the resulting pcap file is written:
root@user-virtual-machine:~# ps | grep tcpdump
23646 pts/10 00:00:00 tcpdump
root@user-virtual-machine:~# kill 23646
root@user-virtual-machine:~# 32 packets captured
33 packets received by filter
0 packets dropped by kernel
[1]+ Done tcpdump -s 0 port 389 -i any -w LDAP2.pcap
Listing the directory shows the capture files:
total 20
drwxr-xr-x 2 root root 4096 Jul 29 2014 downloads
-rwxr-xr-x 1 root root 906 Jul 30 17:24 testscript
-rw-r--r-- 1 root root 8007 Jul 30 17:28 LDAP.pcap
-rw-r--r-- 1 root root 3801 Jul 30 17:37 LDAP2.pcap
Client Certificates
Log on to a Windows Server on the customer network and run LDP.EXE.
Connection - Bind
1. Define the server.
2. Bind with Credentials. The user should be the one defined as the LDAP Administrator in the Client Certificate SSO configuration on the LoadMaster; the password is the password configured on the LoadMaster and the domain is the domain defined there. This should bind successfully.
3. Next, search for the user as defined in the certificate under Subject Name, e.g. userprincipalname=user.name@domain.com.
Browse - Search
Base DN: dc=domain,dc=com
Filter: (userprincipalname=user.name@domain.com)
Scope: Base
Attributes: name;cn;