LDAP Auth, LDAP Query with UPN fails

The-messenger
Cirrostratus

I have a basic policy using LDAP auth and UPN; this works fine, and auth is successful. The LDAP query appears to be successful but moves to fallback.

LDAP Query and Auth SearchFilter set to (userPrincipalName=%{session.logon.last.username})
LDAP Query and Auth SearchDN set to OU=sites,DC=domain,DC=local

Branch rule set to expr {[mcget {session.ldap.last.attr.memberOf}] contains "Intune-Test"}

EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.authresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.totalEntries' set to '0'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.dn' set to 'CN=User Name,OU=Users,OU=NSC,OU=sites,DC=domain,DC=local'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.memberOf' set to '#{Session_Variable_Value}'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.objectClass' set to '| top | person | organizationalPerson | user |'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.objectSid' set to '0x01024254324540053453E679278BB1B516836C7DAE0100'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.sAMAccountName' set to 'user'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.userPrincipalName' set to 'user@domain.com'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.queryresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.totalEntries' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.dn' set to 'CN=User Name,OU=Users,OU=NSC,OU=sites,DC=domain,DC=local'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.memberOf' set to '#{Session_Variable_Value}'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.objectClass' set to '| top | person | organizationalPerson | user |'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.objectSid' set to '0x01024254324540053453E679278BB1B516836C7DAE0100'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.sAMAccountName' set to 'user'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.userPrincipalName' set to 'user@domain.com'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.authresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.queryresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.totalEntries' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.logon.page.errorcode' set to '0'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.policy.result' set to 'deny'

1 ACCEPTED SOLUTION

The-messenger
Cirrostratus

The problem I had here was the memberOf group I was using for testing. Tested with another group and it's good.
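
A log-triage helper for the situation in this thread, added here as an example (not part of the original posts and not F5 code): it parses the "Session variable ... set to ..." lines and keeps "did the LDAP query succeed" separate from "would the memberOf branch rule match". The function names, the finding labels, the plain substring test standing in for the rule's contains, and reading a value starting with #{ as a logging placeholder are assumptions.

```python
import re

# Constructed sample: a few lines in the format of the session log in the question.
SAMPLE_LOG = """\
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.memberOf' set to '#{Session_Variable_Value}'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.queryresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.totalEntries' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.policy.result' set to 'deny'
"""

# <policy>:<partition>:<session id>: Session variable '<name>' set to '<value>'
LINE_RE = re.compile(r"^(?P<policy>[^:]+):(?P<part>[^:]+):(?P<sid>[0-9a-f]+): "
                     r"Session variable '(?P<name>[^']+)' set to '(?P<value>.*)'$")

def parse_session_vars(log_text):
    """Return {session_id: {variable: value}}; later lines overwrite earlier ones."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.setdefault(m["sid"], {})[m["name"]] = m["value"]
    return sessions

def triage(variables, group):
    """Report query outcome and branch-rule outcome as separate findings."""
    findings = []
    query_ok = (variables.get("session.ldap.last.queryresult") == "1"
                and variables.get("session.ldap.last.totalEntries") == "1")
    findings.append("query_ok" if query_ok else "query_failed")
    member_of = variables.get("session.ldap.last.attr.memberOf")
    if member_of is None:
        findings.append("memberOf_missing")
    elif member_of.startswith("#{"):
        # Assumption: the log holds a placeholder, so the real value must be
        # read from the live session rather than from this log line.
        findings.append("memberOf_not_visible_in_log")
    elif group in member_of:  # substring test, standing in for the rule's contains
        findings.append("group_match")
    else:
        findings.append("group_no_match")
    if variables.get("session.policy.result") == "deny":
        findings.append("policy_deny")
    return findings

if __name__ == "__main__":
    for sid, variables in parse_session_vars(SAMPLE_LOG).items():
        print(sid, triage(variables, "Intune-Test"))
```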
