#StackBounty: #sql-server #migration #active-directory SQL Server 2000/2005 compatibility with Active Directory 2016

Bounty: 50

We are currently using Active Directory 2008 R2 and will be upgrading to AD 2016. I'm trying to determine if there are any known compatibility issues when running older versions of SQL Server (2000 and 2005) after upgrading to AD 2016. Has anyone been through this process? Most of our DB servers are on SQL 2008 to 2016, but a few still run 2000/2005. Thanks


Get this bounty!!!

#StackBounty: #spring #spring-security #active-directory #spring-ldap #spring-security-ldap Spring Ldap Impact of Microsoft Security Ad…

Bounty: 200

We are using Spring Security Ldap Library (v4.0.4) to fetch a list of users from our client’s Active Directory (ldap://domain:389) and to authenticate them to sign in to our web application.

Microsoft recently published an advisory to enable LDAP channel binding and LDAP signing:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

“LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory Domain Controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active directory domain controllers to elevation of privilege vulnerabilities.”

We were asked if enabling LDAP channel binding and LDAP signing on their servers would affect our processes. I couldn’t find information regarding these in the documentation:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ldap

Are these supported by Spring Security Ldap Library (v4.0.4)?
If so, is there any configuration we should change to make sure things are not affected?


#StackBounty: #active-directory #windows-server-2012-r2 #amazon-vpc #vpc-peering #aws-directory-service Connect to active directory ove…

Bounty: 50

I have a VPC (VPC1) where my main instances are running, and I have another one (VPC2) specifically for the directory service (AD Connector) and an MS AD server. I have created a VPC peering (which is Active) and all the route tables of these VPCs are updated to talk to the other VPC's instances. But here are the issues now:

  1. An instance created in VPC1, configured with the domain join option, launches successfully but is not joined to the domain. I am not sure what logs I can check; the IAM role for this instance is also attached at launch.
  2. From the AD server (located in VPC2), I tried pinging this VPC1 server by its private IP address, which fails.

Is there anything else I need to configure? As per my understanding, VPC peering in the active state with route tables should properly route the requests. Any help would be appreciated.


#StackBounty: #c# #wpf #mvvm #active-directory Async Check for Domain Fullname With WPF and Caliburn.Micro

Bounty: 50

I have a small WPF program built using Caliburn.Micro which checks Active Directory for a user with the current username of the logged-on user. I have a Bootstrapper method:

protected async override void OnStartup(object sender, StartupEventArgs e)
{
    await ShellViewModel.CollectFullnameAsync();
    DisplayRootViewFor<ShellViewModel>();
}

This starts the ShellViewModel and kicks off an async method that looks for the currently logged-on user on the domain.

My ShellViewModel looks like this:

// Fields referenced by the snippet (their declarations were not shown in the post);
// written by the static lookup below and read by the constructor
private static string _fullnameplaceholder;
private static int _attemptsToCollectFullName;

public ShellViewModel()
{
    Computername = EnvironmentHelpers.ComputerName;
    Fullname = _fullnameplaceholder;
}

public static async Task CollectFullnameAsync()
{
    // First lookup, then further attempts 2 s apart while the result is still "Failed"
    _fullnameplaceholder = ADHelpers.GetFullADName();

    while (_fullnameplaceholder == "Failed" && _attemptsToCollectFullName < 5)
    {
        _attemptsToCollectFullName++;
        await Task.Delay(2000);
        _fullnameplaceholder = ADHelpers.GetFullADName();
    }
}

So my code is meant to:

  1. Look for the user on the domain
  2. Check 5 times for the user, waiting 2 seconds between each attempt.
  3. Display the ShellView with either “Failed” or the Fullname returned from the domain

Can I please get some insight into how I am performing this task? Is this the correct way to do this or am I barking up the wrong tree?

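As an added example, not the question's or Caliburn.Micro's code: the same policy (up to 5 attempts, 2 s apart) as a reusable helper that runs the blocking directory call on the thread pool instead of the dispatcher thread, treats a directory exception as one failed attempt, and stops on cancellation. `lookup` stands in for the question's ADHelpers.GetFullADName, whose body is not shown.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Added example, not the question's code. Bounded attempts with a fixed pause,
// the blocking directory call injected and run off the WPF dispatcher thread.
public static class FullNameLookup
{
    // Sentinel the question's ADHelpers.GetFullADName() (not shown there)
    // returns when the user cannot be resolved in the domain.
    public const string Failed = "Failed";

    public static async Task<string> CollectFullNameAsync(
        Func<string> lookup,                 // e.g. ADHelpers.GetFullADName
        int maxAttempts = 5,
        TimeSpan? delay = null,
        CancellationToken cancellationToken = default)
    {
        if (lookup == null) throw new ArgumentNullException(nameof(lookup));
        TimeSpan pause = delay ?? TimeSpan.FromSeconds(2);

        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            string result;
            try
            {
                // Task.Run keeps the synchronous AD call off the dispatcher
                // thread, so the UI stays responsive while it waits.
                result = await Task.Run(lookup, cancellationToken).ConfigureAwait(false);
            }
            catch (OperationCanceledException)
            {
                throw;                       // caller asked to stop; do not retry
            }
            catch (Exception)
            {
                // A directory error (no DC reachable yet, DNS not ready) counts
                // as one failed attempt instead of crashing the bootstrapper.
                result = Failed;
            }

            if (!string.IsNullOrEmpty(result) && result != Failed)
                return result;

            if (attempt < maxAttempts)       // no pointless sleep after the last try
                await Task.Delay(pause, cancellationToken).ConfigureAwait(false);
        }
        return Failed;
    }
}
```

Awaiting it from OnStartup as in the question keeps DisplayRootViewFor on the dispatcher thread, since only the helper's own continuations use ConfigureAwait(false). Showing the view first and assigning Fullname when the task completes avoids a startup window that sits blank for the whole retry period.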

#StackBounty: #active-directory #ldap Secure LDAP Auth with SSL Cert

Bounty: 50

I'm wanting to set up secure LDAP authentication with an external service provider. The end user currently uses unsecured LDAP to the service provider. The service provider admits the way it was originally implemented exposes credentials via packet capture.

I’ve reviewed:
https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority

Their local domain is a *.local. The product manufacturer requires an SSL certificate signed by a valid certificate authority. This is good. I can create an SSL cert for the domain, but it won't match what the Directory Service has.

I'm not sure exactly how the external auth is presented to the LDAP server, whether it just passes the user name with the domain name appended or whether it verifies the LDAP server first.

Questions – Do I need to rename the domain to match? Would adding a UPN suffix allow for a work-around?

Edit:
External access through the Internet is required, thus the desire to secure LDAP.

Update text for clarity


#StackBounty: #authentication #active-directory #ldap #apache-zeppelin #shiro Zeppelin – LDAP Authentication failed

Bounty: 50

I am trying to configure LDAP authentication in a Zeppelin notebook. I have specified the LDAP server and other configuration by following this link. However, when I try to log in I get the following error:

ERROR [2019-12-23 17:52:12,196] ({qtp1580893732-66} LoginRestApi.java[proceedToLogin]:172) - Exception in login:
org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - user1, rememberMe=false].  Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        at org.apache.zeppelin.rest.LoginRestApi.proceedToLogin(LoginRestApi.java:140)
        at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:199)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
       org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
      org.apache.shiro.realm.ldap.DefaultLdapRealm.queryForAuthenticationInfo(DefaultLdapRealm.java:371)
        at org.apache.zeppelin.realm.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:268)
        at org.apache.shiro.realm.ldap.DefaultLdapRealm.doGetAuthenticationInfo(DefaultLdapRealm.java:295)
        at org.apache.zeppelin.realm.LdapRealm.doGetAuthenticationInfo(LdapRealm.java:217)
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
        ... 78 more
 WARN [2019-12-23 17:52:12,197] ({qtp1580893732-66} LoginRestApi.java[postLogin]:206) - {"status":"FORBIDDEN","message":"","body":""}

Here is the shiro.ini file:

ldapRealm=org.apache.zeppelin.realm.LdapRealm

ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://10.16.0.113:389
ldapRealm.userDnTemplate=uid={0},ou=Users,dc=domain,dc=org,dc=com
# Ability to set ldap paging Size if needed default is 100
#ldapRealm.pagingSize = 200
#ldapRealm.authorizationEnabled=true
#ldapRealm.contextFactory.systemAuthenticationMechanism=simple
ldapRealm.searchBase=dc=domain,dc=org,dc=com
ldapRealm.userSearchBase=dc=domain,dc=org,dc=com
ldapRealm.groupSearchBase=ou=Users,dc=domain,dc=org,dc=com
ldapRealm.groupObjectClass=groupofnames
# Allow userSearchAttribute to be customized
ldapRealm.userSearchAttributeName = sAMAccountName
ldapRealm.memberAttribute=member
# force usernames returned from ldap to lowercase useful for AD
ldapRealm.userLowerCase = true
# ability set searchScopes subtree (default), one, base
ldapRealm.userSearchScope = subtree;
ldapRealm.groupSearchScope = subtree;
ldapRealm.memberAttributeValueTemplate=cn={0},ou=Users,dc=domain,dc=org,dc=com
ldapRealm.contextFactory.systemUsername=uid=domaindigital.banking,ou=Users,dc=domain,dc=org,dc=com
ldapRealm.contextFactory.systemPassword=Password1
securityManager.realms = $ldapRealm

Where am I going wrong? I need some assistance.


#StackBounty: #active-directory #sssd SSSD storing wrong shell in cache

Bounty: 100

I am using SSSD to authenticate users on Linux against a local Active Directory server (Windows). It works fine; this is my config:

[sssd]
domains = my.domain
config_file_version = 2
services = nss, pam

[domain/my.domain]
ad_domain = my.domain
ad_server = my-dc.my.domain
krb5_realm = MY.DOMAIN
realmd_tags = joined-with-samba
cache_credentials = true
auth_provider = ad
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = IT

The problem is: we have one user who wants zsh. So I changed the user's loginShell attribute to /usr/bin/zsh. This works fine the first time the user logs in. But as soon as the user has logged in and I run getent passwd username, it says the user's shell is /bin/bash. So when the user logs out and in again, bash is indeed used as the shell.

When I do sss_cache -u username, the shell is set correctly again and the user gets the correct shell on login. I do not want to disable caching because any domain controller downtime should not have an impact on the Linux user logins.

I tried removing default_shell, but then the default shell is just empty instead of /bin/bash, so the behaviour is the same.


#StackBounty: #12.04 #server #dhcp #active-directory Using Ubuntu 12.04 DHCP server to securely update DNS records in Active Directory

Bounty: 50

What seems, to me, to be a simple question, apparently isn’t.

I have a Linux (Ubuntu 12.04) DHCP server, isc-dhcp-server, that works GREAT. No issues, and all clients can get an address with no issues.

I also have a Windows 2003 Server Active Directory domain, e.g. corp.local, that works great as well.

What I'm trying to do is to get the Linux DHCP server to SECURELY update the DNS records in Active Directory. I can get full functionality if I select "Secure and Non Secure" updates in Windows DNS, but nothing works when I select Secure Only.

I’ve tried and tried and tried, all to no avail.

  • I recognize that I need to somehow share a key or encrypt the data between the Linux DHCP clients and Windows AD/DNS, but I just can't find a how-to.

Any suggestions?

I am NOT interested in having BOTH DHCP and DNS in Linux or BOTH DHCP and DNS in Windows. I want to keep the Linux DHCP server and Windows AD/DNS. I just want to find a way to let the Linux DHCP clients securely update their own records in Windows AD.

  • When I have “Secure and Non Secure” enabled in Windows DNS, it works – I get the Linux DHCP records in AD. I also get a “TXT” record that looks like a hash for some kind of secure update. It’s a strong preference (just short of a requirement) to have the updates be secure.

Lastly, I do NOT want to install Samba. It seems to me to be unnecessary for my environment.

Seems simple to me – a Linux DHCP server that will securely update Windows AD/DNS records.

James


#StackBounty: #active-directory #windows-server-2008-r2 #kerberos #spn setspn does not affect Active Directory Users

Bounty: 50

I run the setspn command for a specific user on the Domain Controller.

C:\>setspn -s example/username.companyname.com username
Checking domain DC=companyname,DC=com

Registering ServiceprincipalNames for CN=username,CN=Users,DC=companyname,DC=com
        example/username.companyname.com
Updated object

And I can immediately see the result in the console.

C:\>setspn -L username
Registering ServiceprincipalNames for CN=username,CN=Users,DC=companyname,DC=com
        example/username.companyname.com

But it never affects this user in “Active Directory Users and Computers”.

His attribute “servicePrincipalName” is not set.

Maybe there is some kind of cache?
