How to bind to AD server in PHP with credentials from trusted domain?

lisachenko · Jul 7, 2011 · Viewed 15.1k times

We have several AD servers with an established forest trust between them, so Windows users from different domains are able to get access to restricted resources. Suppose we have domainA.com and domainB.com, so any user from the domain domainB.com can log in to a resource on domainA.com. For security reasons anonymous access to the LDAP servers is disabled by the administrators.

Now we need to list all users from all LDAP servers in our PHP code with the help of the OpenLDAP client. Below is the PHP code to get info about all users from domainB.com:

define('USER', '[email protected]'); // User from domainA.com here
define('PASS', 'placeholder-password'); // password was omitted in the post; placeholder value
$ldap = ldap_connect('domainB.com') or die('Bad connection');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals
ldap_bind($ldap, USER, PASS) or die('Cannot bind');   // simple bind with the UPN-style name

My script dies with message "Cannot bind" with ldap error "49 Invalid credentials". Additional info from AD:
80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I think that the problem is with simple authentication mechanism, because when I use GSS Negotiate authentication in the Ldap Administrator client with the same credentials for [email protected] everything is ok.

What can I do to make a successful bind on domainB.com with credentials from [email protected]?

UPD1: Authentication with SASL DIGEST-MD5

// arguments: connection, dn (empty), password, mechanism, realm (null), authc_id
ldap_sasl_bind($ldap, '', $pass, 'DIGEST-MD5', null, '[email protected]');

Logs from AD:

The computer attempted to validate the credentials for an account.

Authentication Package: WDigest
Logon Account:  user
Source Workstation: DOMAINA
Error Code: 0xc000006a

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       [email protected]
    Account Domain:     domainA.com

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:         0xc000006d
    Sub Status:     0xc000006d

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   -
    Source Network Address: 
    Source Port:        

Detailed Authentication Information:
    Logon Process:      WDIGEST
    Authentication Package: WDigest
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.

Answer

JDS · Jan 13, 2012

I've experienced this issue when configuring Moodle, which uses the PHP LDAP libs and OpenLDAP to connect to AD servers. The solution was pretty simple, and was one of two things (which really just boiled down to one thing):

  1. Use the unscoped username (i.e. no '@example.com' after the username)
  2. Use the DOMAIN\username

Basically, the one thing it boiled down to was getting the correct, expected username syntax. I think this is dependent on the particular AD configuration, because I have seen four types of usernames that work, on various AD servers: Full DN, scoped username (i.e. looks like an email address), DOMAIN\username, and plain username.
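An added example, not code from the question or the answer, putting the answer's advice to work: it tries the DOMAIN\username and bare-username forms against the trusted domain's DC over ldaps:// (a simple bind on plain port 389 sends the password in cleartext), refuses an empty password (which AD treats as an unauthenticated bind and reports as success), and reads AD's "data 52e"-style sub-code from the diagnostic message so a failure like the one in the question is explained instead of just "Cannot bind". Host, NetBIOS domain name, user and password below are placeholders.

```php
<?php
// Added example (not code from the question or answer). Host, domain and
// credential values are placeholders.
const AD_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'logon not permitted at this time',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

// AD appends "data NNN" to its extended error text; turn it into a reason.
function adDiagnosticReason($ldap): string
{
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    if (preg_match('/data ([0-9a-f]{3})/i', (string) $diag, $m)) {
        $code = strtolower($m[1]);
        return $code . ' (' . (AD_SUBCODES[$code] ?? 'unknown sub-code') . ')';
    }
    return ldap_error($ldap);
}

// Simple bind to the trusted domain's DC, trying the username forms the
// answer lists. Returns the form AD accepted, or null.
function bindTrustedUser(string $host, string $netbiosDomain, string $user, string $password): ?string
{
    // An empty password is an unauthenticated bind that AD reports as success; refuse it.
    if ($password === '') { return null; }
    // ldaps:// keeps the simple-bind password off the wire in cleartext.
    $ldap = ldap_connect("ldaps://$host");
    if ($ldap === false) { return null; }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    foreach (["$netbiosDomain\\$user", $user] as $candidate) {
        if (@ldap_bind($ldap, $candidate, $password)) {
            return $candidate;
        }
        error_log("bind as $candidate failed: " . adDiagnosticReason($ldap));
    }
    return null;
}

$accepted = bindTrustedUser('domainB.com', 'DOMAINA', 'user', 'placeholder-password');
echo $accepted === null ? "Cannot bind\n" : "Bound as $accepted\n";
```

The sub-code table covers the common AD simple-bind failures; 52e is the one behind the question's error message.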