Solved: LDAP authentication for Exchange OWA users

aerojith · ‎05-22-2014

Hello,

Thanks for your time.

Trying to implement the feature of LDAP authentication (Windows 2008 R2 AD) for Exchange OWA users from the Internet.

In my test environment, I am trying to accomplish with the help of light weight web server (HFS) as I don't have a Exchange Infra. (Please point if it make a difference).

Have a specific user group who are only allowed to access the OWA from the Internet and not all the corporate users. Below are my configuration details

1. Configured Authenticator in the STM and pointed to the Windows DC

2. Configured the LDAP TScript rules (reference from Riverbed SE and Riverbed Splash) in the STM ( files attached)

3. TScript rules are called in the Virtual server

When I test from the internet, getting the basic authentication from the STM. Login credentials are provided but the login is not successful.

Getting the error as mentioned in the TScript (Authentication error).

I ran the Wireshark from the client PC and in the server. Wireshark output from the server reveals, the LDAP request is hitting the server but the response is not sent by the server. Log from the STM is "Authenticators ldap: Unexpected StartTLS message received"

Are there anything specific with the communication between the Windows AD and STM?

Gone through the user guide documents, riverbed splash help resources and knowledge base but not successful. May be I missed out in the mentioned resources.

Seeking the community expert help for few pointers to get moving, as I am stuck with this testing for many weeks.

Thanks

aclarke · ‎05-31-2014

It looks like your LDAP server is expecting to use TLS. This can be configured in the Authenticator:

Also, from the look of the text files you attached, your setup is using the AD group mappings from my lab!! The group mapping "CN=staff,CN=Users,DC=laptop,DC=snrkl,DC=org" is from my lab environment AD that was used for the AAA sample code. You will need to modify the scripts to use the AD variables and group mappings relevant to your Active Directory / LDAP environment.

Hope this helps...

--
Aidan Clarke
Pulse Secure vADC Product Manager

View solution in original post

aerojith · ‎05-26-2014

Hello,

Request community friends and expert to share their knowledge which they come across.

Thanks

aclarke · ‎05-31-2014

It looks like your LDAP server is expecting to use TLS. This can be configured in the Authenticator:

Also, from the look of the text files you attached, your setup is using the AD group mappings from my lab!! The group mapping "CN=staff,CN=Users,DC=laptop,DC=snrkl,DC=org" is from my lab environment AD that was used for the AAA sample code. You will need to modify the scripts to use the AD variables and group mappings relevant to your Active Directory / LDAP environment.

Hope this helps...

--
Aidan Clarke
Pulse Secure vADC Product Manager

aerojith · ‎06-02-2014

Hello Aidan,

Thanks for your response. Enabled SSL encryption and provided certificate in the STM but with no luck. Still facing problem.

On the TScript, I tested the configuration and changed the group mapping based on my setup. Would like to get if any more inputs will push myself to get it resolved.

Thanks again for your inputs.

aclarke · ‎06-02-2014

I'll give you a good tip: In the System Authenticators page (ie: setting up an authenticator to control administrative access to your STM found in the GUI under System > Users > Authenticators ) if you create an LDAP authenticator, there is a handy little test utility that allows you to test your LDAP setup almost interactively. When troubleshooting LDAP authenticators, I have found it most useful to quickly test the LDAP setup to weed out any configuration errors etc:

--
Aidan Clarke
Pulse Secure vADC Product Manager

aerojith · ‎06-03-2014

Hello Aidan,

Thanks for the update. Is that utility an additional plugin that we need to load on to the STM or is it available as a desktop tool?

aclarke · ‎06-03-2014

So the feature I am talking about is its built into the STM - its in the system authenticators section when you create an LDAP authenticator for securing administration of your STM via LDAP. While the System Authenticators are for controlling access to the GUI (ie: the management plane) and are different to the authenticators used for doing authentication overlay while load balancing (ie: on the dataplane), the test function is really handy for figuring out the settings you want. Once you get your authenticator setup details figured out in the System Authenticators page, you can just copy the settings you found work to your data plane authenticator settings.

To do this, in the GUI, click System > Users > Authenticators: