The-messenger
Jul 20, 2022

LDAP Auth, LDAP Query with UPN fails

I have a basic policy using LDAP auth and UPN. This works fine; auth is successful. The LDAP query appears to be successful but moves to fallback.

LDAP Query and Auth Searchfilter set to (userPrincipalName=%{session.logon.last.username})
LDAP Query and Auth SearchDN set to OU=sites,DC=domain,DC=local

Branch rule set to expr {[mcget {session.ldap.last.attr.memberOf}] contains "Intune-Test"}

EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.authresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.totalEntries' set to '0'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.dn' set to 'CN=User Name,OU=Users,OU=NSC,OU=sites,DC=domain,DC=local'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.memberOf' set to '#{Session_Variable_Value}'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.objectClass' set to '| top | person | organizationalPerson | user |'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.objectSid' set to '0x01024254324540053453E679278BB1B516836C7DAE0100'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.sAMAccountName' set to 'user'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.userPrincipalName' set to 'user@domain.com'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.queryresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.totalEntries' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.dn' set to 'CN=User Name,OU=Users,OU=NSC,OU=sites,DC=domain,DC=local'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.memberOf' set to '#{Session_Variable_Value}'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.objectClass' set to '| top | person | organizationalPerson | user |'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.objectSid' set to '0x01024254324540053453E679278BB1B516836C7DAE0100'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.sAMAccountName' set to 'user'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.userPrincipalName' set to 'user@domain.com'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.authresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.queryresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.totalEntries' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.logon.page.errorcode' set to '0'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.policy.result' set to 'deny'

  • The problem I had here was the memberOf group I was using for testing. Tested with another group and it's good.
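
An added example, not part of the original thread and not F5 code: a Python check over session-variable log lines in the format posted above, reporting how a memberOf branch rule would see the session. It separates an exact group CN match from a substring-only match, since contains is a substring test and also matches any DN that merely includes the group name. The function names, the group names and the sample log lines are constructed for illustration.

```python
import re

# Format of the APM session-variable log lines shown in the post.
LINE_RE = re.compile(r"Session variable '([^']+)' set to '([^']*)'")
PREFIX = "EAS-Outlook.access:Common:6e95b221: Session variable "

def parse_session_vars(log_text):
    """Return {variable name: value}; later lines overwrite earlier ones."""
    return {m.group(1): m.group(2) for m in LINE_RE.finditer(log_text)}

def group_cns(member_of):
    """Split a '| dn | dn |' multi-valued attribute; return each DN's leading CN."""
    cns = []
    for dn in (part.strip() for part in member_of.split("|")):
        m = re.match(r"CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
        if m:
            cns.append(m.group(1))
    return cns

def diagnose(log_text, group):
    """Explain how a memberOf branch rule for `group` would see this session."""
    v = parse_session_vars(log_text)
    if v.get("session.ldap.last.queryresult") != "1":
        return "query-failed"
    member_of = v.get("session.ldap.last.attr.memberOf")
    if member_of is None:
        return "memberOf-not-returned"
    if member_of.startswith("#{"):
        return "memberOf-is-placeholder"  # log cannot show the real groups
    if group in group_cns(member_of):
        return "exact-match"
    if group in member_of:
        return "substring-only"  # 'contains' matches, but no group has this CN
    return "no-match"

def sample_log(member_of):
    """Constructed log lines in the post's format for a given memberOf value."""
    return "\n".join(PREFIX + f"'{k}' set to '{val}'" for k, val in [
        ("session.ldap.last.attr.memberOf", member_of),
        ("session.ldap.last.queryresult", "1")])

# Constructed samples; the group names are made up.
SAMPLE = sample_log("| CN=Intune-Test-Pilot,OU=Groups,DC=domain,DC=local "
                    "| CN=VPN-Users,OU=Groups,DC=domain,DC=local |")
PLACEHOLDER = sample_log("#{Session_Variable_Value}")

if __name__ == "__main__":
    for grp in ("Intune-Test", "VPN-Users", "Finance"):
        print(grp, "->", diagnose(SAMPLE, grp))
    print("placeholder ->", diagnose(PLACEHOLDER, "Intune-Test"))
```

A "substring-only" result means the branch rule would pass a user who is not in the intended group; a "memberOf-is-placeholder" result means the log line cannot be used to confirm which groups the query returned.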