Permitted Groups not working with Active Directory


Hi,

I have spent the last 3 hours trying to configure the permitted groups on the Kemp LoadMaster, which serves as a reverse proxy for our Exchange Server 2016. The goal is that only a certain user group can access the Exchange Server 2016 via the internet and the Kemp.

For this purpose I have created a group in the Active Directory called Test1 and added some test users directly, not through another group. In the next step I entered the name of the group (Test1) in the field "Permitted Groups" on the Virtual Service "Exchange 2016 HTTPS Offloaded with ESP - Authentication Proxy". Then I tried to log on to OWA with a user from group Test1. The login fails despite correct credentials, and I have the following information in the log "System Message File" (with trace enabled):

2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# group_processing: chk_sids = 0, chk_allowed_groups = 1, chk_steering_groups = 0
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# domain=|contoso.de| baseDN=|dc=contoso,dc=de|
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupFilter: >> basedn=|dc=contoso,dc=de| vid=|2|
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupDN: >> basedn=|dc=contoso,dc=de| groupname=|Test1|
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupDN: filter=|(&(objectClass=group)(cn=Test1))|
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupDN: ldap_search_ext():rc=0(unknown),basedn=dc=contoso,dc=de,scope=2,filter=(&(objectClass=group)(cn=Test1)),attrs=dn,attrsonly=0,msgid=2
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupDN: ldap_result(): rc2=101 (search-result)
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupDN: ldap_result(): rc=0
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupDN: <<< - rc=0
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupFilter: << vid=|2| groupfilter=|(memberOf=)|
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# do_check_group: attrs[0]=|userprincipalname| filter=|| tout:5
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# do_check_group: ldap_search_ext(): rc=0
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# do_check_group: ldap_result(): rc2=101 (search-result)
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# do_check_group: ldap_msg: msgid=3 type=101 (search-result)
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# do_check_group: user not in group(s) for VS
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# group_processing: Blocked access - user not in approved groups for VS [2]
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# <<<group_processing: completed group processing for do_sso_ldap_check, groupOK=0
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# << do_sso_ldap_check: bindrc:50 groupOK:0 ecpexpwdays:0 maxPwdAge:0
2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# Couldn't bind: [contoso.DE] [192.168.1.1 192.168.1.2]: 50, Insufficient access

The LDAP filter for searching for the group is created correctly:

(&(objectClass=group)(cn=Test1))

The query also seems to have been executed correctly; the return code (rc) is 0:

2020-07-09T15:38:27+02:00 garrison ssomgr: SM: #14388# getGroupDN: ldap_result(): rc=0

However, the result of this search is not used in the next LDAP filter, which checks whether the user is a member of the found group Test1:

(&(samAccountType=805306368)(memberOf=)(userprincipalname=fclever-test@contoso.de))

In this filter the Distinguished Name of the group is missing after memberOf=. The correct filter would be as follows:

(&(samAccountType=805306368)(memberOf=CN=Test1,OU=Rights,OU=Groups,DC=contoso,DC=de)(userprincipalname=fclever-test@contoso.de))

I also tried using the SID instead of the group name, but that didn't work either.

Hence my question: Why is the found group not used in the LDAP filter for checking the membership?

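The two-step check the trace above shows (resolve the group's DN by cn, then query the user's memberOf against that DN), written out as an added example; this is not LoadMaster code and it does not claim to reproduce how ssomgr builds its filters. It runs offline against a constructed in-memory directory instead of a real LDAP server: the group DN and the test user's UPN are the ones from the post, while the user DNs and the second user are made up. What it demonstrates is the failure mode in the trace: if step one returns no DN and the step-two filter is built anyway, the result is exactly the `(memberOf=)` clause shown above, which can never match a user. A fail-closed implementation refuses to issue that query and reports that the group lookup, not the user's membership, is what returned nothing.

```python
"""Two-step "permitted group" check: resolve the group's DN by cn, then
test the user's memberOf against that DN. Added example, not LoadMaster
code; runs offline against a constructed in-memory directory."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_dn_filter(group_name: str) -> str:
    """Step 1 filter, as in the trace: find the group object by its cn."""
    return f"(&(objectClass=group)(cn={escape_filter_value(group_name)}))"


def membership_filter(group_dn: str, upn: str) -> str:
    """Step 2 filter: user object (samAccountType 805306368) with this UPN that
    is a direct member of group_dn. Refuses an empty DN, which would otherwise
    yield the '(memberOf=)' clause seen in the trace and match nobody."""
    if not group_dn:
        raise ValueError("group DN is empty; refusing to build a '(memberOf=)' filter")
    return ("(&(samAccountType=805306368)"
            f"(memberOf={escape_filter_value(group_dn)})"
            f"(userprincipalname={escape_filter_value(upn)}))")


@dataclass
class Entry:
    """One directory object: its DN plus a few attributes (constructed stand-in)."""
    dn: str
    attrs: Dict[str, Any] = field(default_factory=dict)


@dataclass
class GroupCheck:
    allowed: bool
    reason: str
    filter_used: str


# Constructed directory. The group DN and the test user's UPN are the ones from
# the post; the user DNs and the second user are made up for the example.
GROUP_DN = "CN=Test1,OU=Rights,OU=Groups,DC=contoso,DC=de"
DIRECTORY: List[Entry] = [
    Entry(GROUP_DN, {"objectClass": ["top", "group"], "cn": "Test1"}),
    Entry("CN=fclever-test,OU=Users,DC=contoso,DC=de",
          {"objectClass": ["user"], "samAccountType": "805306368",
           "userPrincipalName": "fclever-test@contoso.de", "memberOf": [GROUP_DN]}),
    Entry("CN=other-user,OU=Users,DC=contoso,DC=de",
          {"objectClass": ["user"], "samAccountType": "805306368",
           "userPrincipalName": "other-user@contoso.de", "memberOf": []}),
]


def find_group_dn(directory: List[Entry], group_name: str) -> Optional[str]:
    """Stand-in for the step-1 search. Returns None when the search yields no
    entry, whether the group does not exist under the base DN or the searching
    account is not allowed to see it; to the caller both look the same."""
    wanted = group_name.lower()
    for e in directory:
        if "group" in e.attrs.get("objectClass", []) and str(e.attrs.get("cn", "")).lower() == wanted:
            return e.dn
    return None


def check_permitted_group(directory: List[Entry], group_name: str, upn: str) -> GroupCheck:
    """Fail-closed version of the check: no resolved group DN means no membership
    query and a reason that points at the group lookup, not at the user."""
    group_dn = find_group_dn(directory, group_name)
    if group_dn is None:
        return GroupCheck(False, f"group '{group_name}' could not be resolved to a DN",
                          group_dn_filter(group_name))
    flt = membership_filter(group_dn, upn)
    for e in directory:
        a = e.attrs
        member_of = [str(m).lower() for m in a.get("memberOf", [])]
        if (a.get("samAccountType") == "805306368"
                and str(a.get("userPrincipalName", "")).lower() == upn.lower()
                and group_dn.lower() in member_of):
            return GroupCheck(True, "user is a direct member of the group", flt)
    return GroupCheck(False, "user not in group", flt)


if __name__ == "__main__":
    for name, user in [("Test1", "fclever-test@contoso.de"),
                       ("Test1", "other-user@contoso.de"),
                       ("Test2", "fclever-test@contoso.de")]:
        r = check_permitted_group(DIRECTORY, name, user)
        print(f"{user} / {name}: allowed={r.allowed} ({r.reason})")
```

The `filter_used` field on the result is the piece worth keeping in a real deployment's trace: when access is denied it shows whether the denial came from the group lookup (step-1 filter) or from an actual membership test with a populated `memberOf=` value, which is the distinction the trace above does not make on its own.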