09-18-2013 11:57 AM - edited 03-10-2019 08:55 PM
I had a working VPN with users authenticating via LDAP. One day it decided it did not want to work anymore. We are not aware of any changes to the ASA and the only thing that may have changed on the LDAP server is windows updates. One day this was working fine, and then it stopped and I have not been able to fix it.
The base DN, username, password, etc.: nothing has changed. I verified all info is correct:
INFO: Attempting Authentication test to IP address <10.0.1.136> (timeout: 12 seconds)
[433] Session Start
[433] New request Session, context 0xca21bb58, reqType = Authentication
[433] Fiber started
[433] Creating LDAP context with uri=ldap://10.0.1.136:389
[433] Connect to LDAP server: ldap://10.0.1.136:389, status = Successful
[433] supportedLDAPVersion: value = 3
[433] supportedLDAPVersion: value = 2
[433] Binding as ASALDAP
[433] Performing Simple authentication for ASALDAP to 10.0.1.136
[433] LDAP Search:
Base DN = [DC=pip,DC=local]
Filter = [sAMAccountName=jbutterfield]
Scope = [SUBTREE]
[433] Request for jbutterfield returned code (1) Operations error
[433] Fiber exit Tx=275 bytes Rx=733 bytes, status=-1
[433] Session End
ERROR: Authentication Rejected: Memory error
Wireshark on the server indicates that bind is successful, but then:
LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
But previous to that line it indicated:
LDAPMessage bindResponse(2) success
Any ideas?
aaa-server LDAPServerGroup protocol ldap
aaa-server LDAPServerGroup (inside) host 10.0.1.136
ldap-base-dn DC=pip,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASALDAP,CN=Users,DC=pip,DC=local
server-type microsoft
ldap-attribute-map LDAPMap
The following output is from AD Explorer. I logged into ADExplorer using ASALDAP user/pass. I browsed the directory and gathered this distinguished name.
CN=ASALDAP,CN=Users,DC=pip,DC=local
09-18-2013 03:08 PM
CSCtc69310 LDAP authentication with Kerberos SASL fails with memory error
Symptom:
ASA configured to authenticate against LDAP server with Kerberos SASL fails.
"test aaa authentication" command shows "ERROR: Authentication Rejected: Memory error".
Conditions:
ASA with LDAP and Kerberos SASL.
Workaround:
If possible, use "digest-md5" as the SASL mechanism rather than Kerberos.
~BR
Jatin Katyal
**Do rate helpful posts**
09-18-2013 03:18 PM
I don't know, would I need to specify that on the ASA or on the Windows Domain Controller, or both? How does one choose one vs. the other?
09-18-2013 03:25 PM
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml#asdm
~BR
Jatin Katyal
**Do rate helpful posts**
09-18-2013 03:41 PM
No luck there:
test aaa-server authentication LDAPServerGroup host 10.0.1.136 username jbutterfield password xxxxx
INFO: Attempting Authentication test to IP address <10.0.1.136> (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed
aaa-server LDAPServerGroup protocol ldap
aaa-server LDAPServerGroup (inside) host 10.0.1.136
ldap-base-dn DC=pip,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASALDAP,CN=Users,DC=pip,DC=local
sasl-mechanism digest-md5
server-type microsoft
09-18-2013 03:54 PM
I did switch it to an NTDomain protocol authentication using another server group & that does work, but the downside there is that you can't use the LDAP mapping against NTDomain protocol.
aaa-server NTDomain protocol nt
aaa-server NTDomain (inside) host 10.0.1.136
nt-auth-domain-controller 10.0.1.136
I would still like to figure out why LDAP is not working.
09-18-2013 04:00 PM
Could you please remove the whole config and re-add the one listed below.
aaa-server LDAPServerGroup protocol ldap
aaa-server LDAPServerGroup (inside) host 10.0.1.136
ldap-base-dn DC=pip,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASALDAP,CN=Users,DC=pip,DC=local
server-port 389
server-type microsoft
Run debug ldap 255 and try again.
~BR
Jatin Katyal
**Do rate helpful posts**
09-18-2013 04:09 PM
Still the same response. I did replace the *** with the correct password.
aaa-server LDAPServerGroup protocol ldap
aaa-server LDAPServerGroup (inside) host 10.0.1.136
server-port 389
ldap-base-dn DC=pip,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASALDAP,CN=Users,DC=pip,DC=local
server-type microsoft
INFO: Attempting Authentication test to IP address <10.0.1.136> (timeout: 12 seconds)
[859] Session Start
[859] New request Session, context 0xc9630220, reqType = Authentication
[859] Fiber started
[859] Creating LDAP context with uri=ldap://10.0.1.136:389
[859] Connect to LDAP server: ldap://10.0.1.136:389, status = Successful
[859] supportedLDAPVersion: value = 3
[859] supportedLDAPVersion: value = 2
[859] Binding as ASALDAP
[859] Performing Simple authentication for ASALDAP to 10.0.1.136
[859] LDAP Search:
Base DN = [DC=pip,DC=local]
Filter = [sAMAccountName=jbutterfield]
Scope = [SUBTREE]
[859] Request for jbutterfield returned code (1) Operations error
[859] Fiber exit Tx=275 bytes Rx=733 bytes, status=-1
[859] Session End
ERROR: Authentication Rejected: Memory error
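A triage helper added here (it is not from any poster or from Cisco) that parses the `test aaa-server` / `debug ldap` transcripts quoted in this thread and reports which step of the ASA's bind-then-search exchange failed, translating the LDAP resultCode into its RFC 4511 name; the `SAMPLE` transcript is copied from the first post, and the line patterns it matches are taken from the transcripts above, not from Cisco documentation.

```python
import re

# LDAP resultCode values from RFC 4511 that matter when triaging AAA failures
LDAP_RESULT_CODES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                     49: "invalidCredentials", 52: "unavailable"}

# Sample input: trimmed copy of the debug transcript quoted in the first post
SAMPLE = """INFO: Attempting Authentication test to IP address <10.0.1.136> (timeout: 12 seconds)
[433] Connect to LDAP server: ldap://10.0.1.136:389, status = Successful
[433] Binding as ASALDAP
[433] Performing Simple authentication for ASALDAP to 10.0.1.136
[433] LDAP Search:
Base DN = [DC=pip,DC=local]
Filter = [sAMAccountName=jbutterfield]
[433] Request for jbutterfield returned code (1) Operations error
ERROR: Authentication Rejected: Memory error"""

def parse_asa_ldap_debug(text):
    """Return a dict saying how far the ASA's LDAP exchange got and where it broke."""
    r = {"connected": False, "bind_dn": None, "bind_method": None, "filter": None,
         "result_code": None, "result_name": None, "final_error": None,
         "stage_failed": None}
    for raw in text.splitlines():
        line = re.sub(r"^\[\d+\]\s*", "", raw.strip())  # strip the [433] fiber id
        if m := re.match(r"Connect to LDAP server: \S+, status = (\w+)", line):
            r["connected"] = m.group(1) == "Successful"
        elif m := re.match(r"Binding as (\S+)", line):
            r["bind_dn"] = m.group(1)          # the ldap-login-dn account
        elif m := re.match(r"Performing (\w+) authentication for", line):
            r["bind_method"] = m.group(1)      # Simple vs. a SASL mechanism
        elif m := re.match(r"Filter = \[(.+)\]", line):
            r["filter"] = m.group(1)           # user lookup built from ldap-naming-attribute
        elif m := re.match(r"Request for \S+ returned code \((\d+)\)", line):
            r["result_code"] = int(m.group(1))
            r["result_name"] = LDAP_RESULT_CODES.get(r["result_code"], "unknown")
        elif line.startswith("ERROR:"):
            r["final_error"] = line[6:].strip()  # the ASA's summary verdict
    # Work out the first stage that did not complete cleanly
    if not r["connected"]:
        r["stage_failed"] = "connect"
    elif r["result_code"] not in (None, 0):
        r["stage_failed"] = "search"  # bind was sent; the user lookup is what the DC rejected
    elif r["final_error"]:
        r["stage_failed"] = "unknown"
    return r

if __name__ == "__main__":
    for key, value in parse_asa_ldap_debug(SAMPLE).items():
        print(f"{key:>13}: {value}")
```

For the thread's transcript this reports the TCP connect and the bind as completed and the search as the step the DC answered with operationsError (1), which matches the Wireshark observation of a successful bindResponse followed by the "successful bind must be completed" message; the ASA's "Memory error" text is only its summary of that failed search.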
09-21-2013 03:55 PM
MS is aware of this problem and there is a hotfix available:
Microsoft KB951191
You may discuss with your windows team regarding the same.
~BR
Jatin Katyal
**Do rate helpful posts**
09-24-2013 03:01 PM
I have been unable to install the Hotfix. It just won't install. MS says that it has to be installed on a server running AD DS, which it is, but it just won't install. I'll report back when I know more.