Authentication Servers Microsoft 2022 AD + PfSense 2.7.0 - SSL
-
Hello,
After a long search on the Internet, I came across many sources that finally did not solve my problem.
I hope that asking my question on this forum will help find a solution.
It is certainly a mistake on my part, but I do not see it.
I am looking to link my pfSense 2.7.0 firewall with my Windows 2022 AD over a secure SSL/TLS connection.
PFSENSE version: 2.7.0-RELEASE (amd64)
Microsoft AD version: Windows 2022 Standard 21H2
I have followed, several times, procedures found on the Internet, adapted to my installation, without result.
On the AD:
- I created an OU Pfsense
- I created 2 accounts: one for binding to the directory and the other for the account that will have administration rights on pfSense.
- I put them in a user group created in the OU.
- I tested user authentication on AD -> It works properly.
- I validated the secure connection (port 636) to the LDAP directory with the ldp.exe utility
On PFsense:
- I validated the secure connection:
openssl s_client -showcerts -connect "@ip server AD":636
The configurable fields for setting:
- Peer certificate Authority: Global Root CA List. I also tried the Certificate imported from my AD.
- Search scope: Entire subtree
- On the line "base DN": DC=YYY;DC=ZZ
- On the line "bind credentials" I tried the distinguished name format (CN=xxx;OU=xxx;DC=yyy;DC=ZZ), then the UPN format (user@domaine.com) and finally the format domain\user.
The problem is always the same:
There is an error connecting to the LDAP server: "Could not connect to the LDAP server. Please check the LDAP configuration" in red above the "Save" button, and "Select container" does not work.
- Connection test in Diagnostics/Authentication -> error 504 Gateway Time-out
- I also tried unsecured Standard TCP, without success.
Below is an extract of the system logs:
Oct 27 17:13:08 php-fpm 65323 /diag_authentication.php: ERROR! Could not bind to LDAP server ACTIVE DIRECTORY. Please check the bind credentials.
Oct 27 17:14:06 php-fpm 64541 /system_authservers.php: ERROR! ldap_get_user_ous() could not bind to server .
I am thinking of a syntax error perhaps, but I am no longer very clear about this problem.
Sorry if my English is not perfect.
Thank you in advance for the time you would spend on my problem.
-
Does it work without SSL?
Steve
-
Hello,
Thanks for your interest.
Even in "Standard TCP" on port 389 it does not work.
I didn’t have time today; tomorrow I’m doing a Wireshark capture test.
-
@loic83 said in Authentication Servers Microsoft 2022 AD + PfSense 2.7.0 - SSL:
Hello,
Thanks for your interest.
Even in "Standard TCP" on port 389 it does not work.
I didn’t have time today; tomorrow I’m doing a Wireshark capture test.
That doesn't surprise me. Microsoft stopped enabling LDAP (not LDAPS) by default many years ago. I believe there is a registry override for it, but you shouldn't do that.
-
OK,
I’ve reconfigured to SSL on port 636.
The ldp.exe tool confirms that the SSL connection to the LDAP service of my AD is correct.
A Wireshark analysis on my AD shows that there is no LDAP dialog on the server with my firewall when I run an authentication test from PFSENSE.
LDAP itself works, because the AD talks over LDAP with the NAS that hosts the data.
The problem must be in the SSL dialog and the certificate configuration on pfSense or on the AD.
I will redo this configuration from scratch. If you have leads, I am interested.
-
Hello,
Sorry about the delay.
In fact the problem did not come from the configuration but simply from a DNS problem. I hadn’t paid attention, but the ping test was answered from IPs that do not belong to my network. The domain I thought was not used on the web is in fact used. As a test I tried to restrict pfSense so that it only gets its DNS from the AD, without success.
I changed the name of my domain and this time I made sure it was mine.
Now it works. Thank you for your help.
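The checks the original poster ran by hand (openssl s_client to port 636, then the bind attempt from Diagnostics/Authentication) and the root cause found at the end of the thread (the AD domain name resolving to someone else's public IP) can be chained into one script run from the pfSense shell. This is an added example, not code from the thread or from pfSense itself; the host name, CA file path, bind DN, base DN and password are hypothetical placeholders, and the final bind step assumes the OpenLDAP client has been installed on pfSense (`pkg install openldap26-client`), which is not there by default. It checks name resolution through libc (the same path PHP uses), rejects an answer that is not an internal address, then verifies the TLS chain and hostname against the exported AD CA, and only then attempts an authenticated simple bind, so the layer that fails is the one reported.

```shell
#!/bin/sh
# Added example (not from the forum thread): layered LDAPS check from the pfSense shell.
# All values below are hypothetical placeholders; override them via the environment.

AD_HOST="${AD_HOST:-dc1.corp.example}"             # hypothetical domain controller name
AD_PORT="${AD_PORT:-636}"
AD_CA="${AD_CA:-/root/ad-root-ca.pem}"             # PEM export of the AD CA certificate
BIND_DN="${BIND_DN:-CN=pfsense-bind,OU=Pfsense,DC=corp,DC=example}"
BIND_PW="${BIND_PW:-changeme}"
BASE_DN="${BASE_DN:-DC=corp,DC=example}"

# Return 0 when an IPv4 address lies in an RFC 1918 range, 1 otherwise.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when a DN has the RFC 4514 shape pfSense expects: attr=value pairs
# separated by commas. A semicolon-separated DN is a common copy/paste mistake.
dn_shape_ok() {
  case "$1" in
    ""|*";"*) return 1 ;;
    *=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve through getent so the lookup goes via libc, exactly as pfSense's PHP does.
resolve_v4() {
  getent hosts "$1" | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1; exit }'
}

step() { printf '[%s] %s\n' "$1" "$2"; }

run_checks() {
  dn_shape_ok "$BIND_DN" || { step FAIL "bind DN '$BIND_DN' is not a comma-separated DN"; return 1; }
  dn_shape_ok "$BASE_DN" || { step FAIL "base DN '$BASE_DN' is not a comma-separated DN"; return 1; }

  ip=$(resolve_v4 "$AD_HOST")
  [ -n "$ip" ] || { step FAIL "$AD_HOST does not resolve"; return 1; }
  step OK "$AD_HOST -> $ip"
  is_private_ipv4 "$ip" || { step FAIL "$ip is not an internal address: DNS is answering for the wrong zone"; return 1; }

  # TLS handshake with chain and hostname verification; -verify_return_error turns a
  # bad certificate into a hard failure instead of a warning in the transcript.
  if echo | openssl s_client -connect "$AD_HOST:$AD_PORT" -servername "$AD_HOST" \
        -CAfile "$AD_CA" -verify_return_error -verify_hostname "$AD_HOST" >/dev/null 2>&1; then
    step OK "TLS handshake to $AD_HOST:$AD_PORT verified against $AD_CA"
  else
    step FAIL "TLS handshake failed (port closed, or certificate not issued by $AD_CA / wrong name)"
    return 1
  fi

  # Simple bind plus a base-scope read of the RootDSE. This is the operation pfSense
  # logs as "Could not bind to LDAP server" when the credentials are rejected.
  if LDAPTLS_CACERT="$AD_CA" ldapsearch -H "ldaps://$AD_HOST:$AD_PORT" -D "$BIND_DN" -w "$BIND_PW" \
        -b "" -s base '(objectClass=*)' namingContexts >/dev/null 2>&1; then
    step OK "bind as $BIND_DN succeeded"
  else
    step FAIL "bind as $BIND_DN rejected: check the DN/UPN and password"
    return 1
  fi
}

# Run the network checks only when executed as ldaps-check.sh, not when sourced.
case "${0##*/}" in
  ldaps-check.sh) run_checks ;;
esac
```

Save it as `/root/ldaps-check.sh` on the firewall and run `sh /root/ldaps-check.sh`; the first `[FAIL]` line names the layer to fix. In the situation described in the thread it would have stopped at the address check, before any certificate or credential setting was touched.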