
"Broken" AAA between ASA 5505 and MS-AD

clark-computers
Level 1

I have set up an AAA connection from my ASA5505 to my MS-AD domain controller for VPNs (SSL and client). It was working; however, last week the connection between the two failed and I cannot get it back up again.

I've checked passwords, usernames, object locations, etc., but to no avail. When I do an auth test, this is the debug ldap 225 output:

[722] Session Start
[722] New request Session, context 0xd4e225c8, reqType = 1
[722] Fiber started
[722] Creating LDAP context with uri=ldap://w.x.y.z:389
[722] Connect to LDAP server: ldap://w.x.y.z:389, status = Successful
[722] supportedLDAPVersion: value = 3
[722] supportedLDAPVersion: value = 2
[722] Binding as administrator
[722] Performing Simple authentication for FirewallTest to w.x.y.z
[722] Simple authentication for FirewallTest returned code (49) Invalid credentials
[722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[722] Fiber exit Tx=253 bytes Rx=583 bytes, status=-2
[722] Session End

I have tried the age-old "remove and re-add" fix, but this has not worked.

Any thoughts?

Accepted Solution

Ivan Martinon
Level 7

Have you checked that the user account used for binding to the LDAP server (AD) has not changed its privileges? I remember that after applying a patch to an AD server, most of the admin accounts were changed to local admin rather than domain admin accounts.

Also, try resetting the password for this account and see if you have the login-dn correct: get the "dsquery user -name " output and compare it to your ASA.


4 Replies


I will check. However, the account was never a domain admin in the first place...

Regardless, make sure that the privilege to read the domain is enabled; if not, enable it.

It's working after the password reset; I suspect it had expired...

Thanks for the help.
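The debug output in this thread is easy to misread: the last line of the session ("Can't contact LDAP server", code -1) looks like a connectivity problem, but the bind had already been rejected with LDAP result 49 one line earlier, and the thread's resolution (an expired bind password) is one of several account states that Active Directory reports under that same result. The following is an added example, not code from the original thread or from Cisco: a small triage script that reads ASA LDAP debug sessions, reports the first non-success result per session as the root cause, and maps Active Directory's "data NNN" sub-error (when present) to the account condition it denotes. The sample sessions are constructed; the first copies the post's output, and the second is an assumed variant carrying a "data 532" diagnostic, which the post's own output does not show.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample, modelled on the "debug ldap" session shown in the post above.
SAMPLE_DEBUG = """\
[722] Session Start
[722] New request Session, context 0xd4e225c8, reqType = 1
[722] Fiber started
[722] Creating LDAP context with uri=ldap://w.x.y.z:389
[722] Connect to LDAP server: ldap://w.x.y.z:389, status = Successful
[722] supportedLDAPVersion: value = 3
[722] supportedLDAPVersion: value = 2
[722] Binding as administrator
[722] Performing Simple authentication for FirewallTest to w.x.y.z
[722] Simple authentication for FirewallTest returned code (49) Invalid credentials
[722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[722] Fiber exit Tx=253 bytes Rx=583 bytes, status=-2
[722] Session End
"""

# Second constructed sample (an assumption about formatting, not ASA output from
# the post): the same session with Active Directory's "data 532" diagnostic
# attached to the result-49 line. The parser only needs the "data NNN" token.
SAMPLE_DEBUG_WITH_DATA = SAMPLE_DEBUG.replace(
    "returned code (49) Invalid credentials",
    "returned code (49) Invalid credentials, data 532",
)

# Active Directory sub-errors that accompany LDAP result 49 (from the AD
# "AcceptSecurityContext error, data NNN" diagnostic message).
AD_SUBERRORS = {
    "525": "user not found (check the login-dn)",
    "52e": "invalid credentials (valid DN, wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LINE_RE = re.compile(r"^\[(?P<sid>\d+)\]\s+(?P<msg>.*)$")
CODE_RE = re.compile(r"returned code \((?P<code>-?\d+)\)\s*(?P<text>[^,]*)")
DATA_RE = re.compile(r"\bdata (?P<sub>[0-9a-f]{3})\b")


@dataclass
class BindFailure:
    session: str
    principal: Optional[str]   # name after "authentication for", if any
    code: int
    text: str
    suberror: Optional[str]    # AD "data NNN" sub-error, if present
    diagnosis: str


def diagnose(code: int, sub: Optional[str]) -> str:
    """Translate an LDAP result code (plus optional AD sub-error) into an action."""
    if code == 49 and sub in AD_SUBERRORS:
        return AD_SUBERRORS[sub]
    if code == 49:
        return "bind rejected, no AD sub-error visible: verify the login-dn and reset the bind password"
    if code == -1:
        return "server unreachable or an earlier step failed"
    return "LDAP result code %d" % code


def triage_ldap_debug(output: str) -> List[BindFailure]:
    """Return one root-cause failure per ASA LDAP debug session.

    The root cause is the first non-zero result code in a session. Later lines
    such as "Failed to bind ... (-1) Can't contact LDAP server" are consequences
    of that first failure and are deliberately not reported as separate problems.
    """
    failures: List[BindFailure] = []
    closed: Set[str] = set()  # sessions whose root cause has been recorded
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("sid") in closed:
            continue
        sid, msg = m.group("sid"), m.group("msg")
        c = CODE_RE.search(msg)
        if not c or int(c.group("code")) == 0:
            continue
        code = int(c.group("code"))
        who = re.search(r"authentication for (\S+)", msg)
        sub = DATA_RE.search(msg)
        sub_code = sub.group("sub") if sub else None
        failures.append(BindFailure(
            session=sid,
            principal=who.group(1) if who else None,
            code=code,
            text=c.group("text").strip(),
            suberror=sub_code,
            diagnosis=diagnose(code, sub_code),
        ))
        closed.add(sid)
    return failures


if __name__ == "__main__":
    for sample in (SAMPLE_DEBUG, SAMPLE_DEBUG_WITH_DATA):
        for f in triage_ldap_debug(sample):
            print(f"session {f.session}: {f.principal} -> ({f.code}) {f.text}; "
                  f"sub-error {f.suberror}; likely cause: {f.diagnosis}")
```

Run against the post's output the script reports a single failure for session 722 (result 49, no sub-error) and recommends verifying the login-dn and resetting the bind password, which is the path the thread took; with the "data 532" variant it names the expired password directly. Note that the sub-error mapping applies only to Active Directory; other LDAP servers return result 49 without that diagnostic.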
