How to work around a "logon workstations" restriction to the Domain Controller stopping authentication via LDAP


I would suggest denying interactive/RDP logon to the DCs via GPO:

"Computer Settings/Security Settings/Local Policies/User Rights Assignments/Deny Logon Locally"

I've seen such problems with custom/corporate software and some Linux boxes. In these cases, "Logon Workstations" should include the DC(s) in the list of allowed workstations. I suppose it's connected to the way in which these systems try to authenticate users. See this example: https://confluence.atlassian.com/display/CONFKB/Unable+to+Log+in+Because+of+userWorkstations+Attribute+in+Active+Directory

If necessary, also analyze the Linux logs and search for data code 531, as per https://primalcortex.wordpress.com/2007/11/28/active-directory-ldap-errors/

Keep in mind that the "User-Workstations" attribute has limitations: https://support.microsoft.com/en-us/kb/938458
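As an added example (not code from the original answer), here is the log check and the Logon Workstations fix from the answer in PowerShell. It assumes the RSAT ActiveDirectory module, an account allowed to modify the affected users, and a text log from the Linux application that records AD's bind diagnostic string; the log lines in the script are constructed for illustration, and the data-code table is the standard AcceptSecurityContext mapping, of which 531 is the one that points at the workstation restriction.

```powershell
# Added example, not part of the original answer.
# Assumes: RSAT ActiveDirectory module, rights to modify the affected users, and a
# Linux application log containing AD's "AcceptSecurityContext error, data NNN" text.
Import-Module ActiveDirectory

# Part 1: classify AD bind failures by their "data" code. 531 is the Logon
# Workstations ("userWorkstations") restriction discussed in the answer.
$BindDataCodes = @{
    '525' = 'user not found'
    '52e' = 'invalid credentials'
    '530' = 'not permitted to log on at this time'
    '531' = 'not permitted to log on at this workstation (Logon Workstations restriction)'
    '532' = 'password expired'
    '533' = 'account disabled'
    '701' = 'account expired'
    '773' = 'user must reset password'
    '775' = 'account locked out'
}

function Get-AdBindFailure {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match 'AcceptSecurityContext error, data (?<code>[0-9a-f]+)') {
            $code   = $Matches['code']
            $reason = $BindDataCodes[$code]
            if (-not $reason) { $reason = 'unknown data code' }
            [pscustomobject]@{ Code = $code; Reason = $reason; Line = $Line }
        }
    }
}

# Constructed sample log lines (not from the original page); DSID/version values are placeholders.
$sampleLog = @(
    '2022-09-18 10:01:02 bind failed: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 531, v2580',
    '2022-09-18 10:01:09 bind failed: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580',
    '2022-09-18 10:01:15 bind ok for svc-ldap'
)
$sampleLog | Get-AdBindFailure | Format-Table Code, Reason -AutoSize
# Against the real log: Get-Content /path/to/app.log | Get-AdBindFailure

# Part 2: for every user that has a Logon Workstations list, append the DCs
# (NetBIOS host names) so the user's own simple bind to the DC is allowed.
$dcNames  = @((Get-ADDomainController -Filter *).Name)
$affected = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

foreach ($user in $affected) {
    $current = @($user.LogonWorkstations -split ',' | Where-Object { $_ })
    $missing = @($dcNames | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) { continue }
    $new = ($current + $missing) -join ','
    Write-Host "$($user.SamAccountName): $new"
    # -WhatIf previews the change; remove it to apply. The attribute has a documented
    # entry limit (see the KB linked in the answer), so keep the list short.
    Set-ADUser -Identity $user -LogonWorkstations $new -WhatIf
}
```

Run Part 1 first against the application's log: a stream of `531` results confirms the restriction is the cause before any user object is touched. Part 2 deliberately keeps `-WhatIf` so the list of changed users can be reviewed, and the comment in the earlier thread about clearing the attribute entirely corresponds to `Set-ADUser -Identity $user -Clear userWorkstations`, which drops the restriction rather than extending it.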


Author: Sean Cull

An IBM XPage and Domino Consultant. See my blog for more: http://www.seancull.co.uk

Updated on September 18, 2022

Comments

  • Sean Cull over 1 year

    I am trying to allow users of an external linux based application server to authenticate with the service using their Active Directory credentials via LDAPS. It works well for admin accounts but fails for normal user accounts.

    The issue is that there is a "logon workstations" setting for users that restricts them from logging onto the Domain Controller (DC) (or rather creates a restriction that they can only log onto their assigned workstation).

    The initial LDAP query, made in the name of a service account, works, but at the point when the HTTP authentication is carried out the LDAP service unbinds from the service account and tries to bind as the user. At this point it fails.

    Is there a way around this? Is it common practice to restrict access to the DC in this way?

    • jojojoj almost 9 years
      For those users, try adding the name of the Linux server to "logon workstations" or removing all values from "logon workstations"
    • Sean Cull almost 9 years
      The problem is not with their ability to see the Linux server but their ability to see their Domain Controller. The Linux server cannot authenticate them, hence the need for the LDAP to AD.