LDAP logon support/enforcement
Test 2-factor support
In order to check whether your LDAP service can accept AuthLite 2-factor credentials, attempt the following tests. We are not enforcing anything yet, just seeing whether the LDAP service can tolerate a 2-factor credential without erroring.
First, attempt a logon by putting the OTP in the username field:
- With a YubiKey, tap the OTP into the username field.
- Or with an OATH token user, type in the username followed by a dash “-” followed by the OTP from your OATH token app.
- Enter the normal AD password in the password field.
Next, attempt a logon by putting the OTP in the password field:
- Enter the AD username as normal in the username field.
- Type the AD password into the password field.
- With a YubiKey, tap the OTP into the password field next, after the password characters.
- Or with an OATH token user, enter a dash “-” after the password, followed by the OTP from your OATH token app.
Identify logon method
Find the DC which is being used for your LDAP authentication, and open the “AuthLite Security” Event Log. You can search (using ctrl-F) for your LDAP user's username in the log right at the time you did the above logon tests. There should be an Event ID 20 or 21 (the LDAP service on the DC initiating the authentication). There should also be a nearby Event ID 1, 10 or 11 (the DC's authentication core processing the logon). And there should be a nearby Event ID 0 with the same username and the details “OTP looked up successfully”.
The exact combination of these events will tell important details about how the LDAP service is authenticating. Be sure to match the time of the events to the time of your testing. Otherwise you might be looking at log items that refer to some other login somewhere else.
Turn on 2-factor enforcement and compatibility
- If you see event 10 for your LDAP user, then the OTP is being passed to the logon. To enforce 2-factor for AuthLite users, just add the LDAP server to the “Forced 2-factor Computers” list.
- If you also see event 1 for your LDAP user, then the OTP is being passed multiple times (potentially, several logins in fast sequence). Begin with putting the LDAP server in the “Forced 2-factor Computers” list to enforce 2-factor for AuthLite users. Then, add a short Replay Window for the LDAP server so the same OTP can be used several times in a row to let the multiple logins work.
- If you see events 1 and 11 for your LDAP user, then the OTP might be getting looked up and then thrown away before the logon. Begin with putting the LDAP server in the “Forced 2-factor Computers” list to enforce 2-factor for AuthLite users. Then add it to the “LDAP Permissions” list as well so the OTP lookup is allowed to be used during the next authentication from that machine for your username. Then, if your authentications are failing, then add the LDAP server to “Sticky 2-Factor Computers” as well. This lets subsequent authentications use the same OTP presented by the earlier one, even though the subsequent logons aren't passing the OTP.
- If you see just an event ID 20 with “Status 0xc000006d 0xc0000064” or “Status 0xc000006d 0xc000006A”, then the LDAP server may be truncating the OTP or otherwise parsing the credentials strangely. Please contact customer support for assistance.
- Also if you see no events for your LDAP user matching the time you tried the 2-factor logons, then your service might be totally failing to pass the credentials containing the OTP. Please contact customer support for assistance.