locked
MFA with LDAP on TMG RRS feed

  • Question

  • Hi all,
    we are using Forefront Threat Management Gateway (TMG 2010 v7.0.9193.644 on Windows Server 2008 R2 SP1) with a Form Based Authentication Listener configured. That listener uses LDAPS to communicate with our domain controllers to authenticate the users and to allow users to change their passwords. Without MFA all works well and the user can logon, but when we point our TMG to the MFA (v6.2.1.16387 on Windows Server 2012 R2) the same user is not allowed to login.

    Note: For testing purposes we are using LDAP to allow us to monitor inside the traffic, so that is why you see port 389 instead of 636.

    NTLM
    The MultiFactorAuthLdapSvc.log on the MFA-server shows the following relevant lines:
    2014-07-28T14:02:49.095337Z|i|2324|2436|LdapProxyContext|Proxying data between TMG-IP:10310 -> DC-IP:389
    2014-07-28T14:02:49.095337Z|i|2324|2440|LdapProxyContext|Received LDAP bind request from TMG-IP:10310.
    2014-07-28T14:02:49.110936Z|w|2324|2440|BindRequestMessage|Invalid authentication type: "10"
    2014-07-28T14:02:49.110936Z|e|2324|2432|LdapServerConnection|Failed to read from server DC-IP:389: The network connection was aborted by the local system (0x04D4 = 1236)
    2014-07-28T14:02:49.110936Z|i|2324|2440|LdapClientConnection|Object for client connection TMG-IP:10310 destroyed.
    2014-07-28T14:02:49.110936Z|i|2324|2440|LdapServerConnection|Object for server connection DC-IP:389 destroyed.
    2014-07-28T14:02:49.110936Z|i|2324|2432|LdapProxyContext|LdapProxyContext was destroyed.

    A Wireshark trace between TMG and MFA indicates that TMG is initatiating a bindRequest "NTLM" , NTLMSSP_NEGOTIATE and the MFA/DC cannot process that request and sends FIN,ACK.

    When using ldp.exe on the TMG server with bind method NTLM the same error is written to the MultiFactorAuthLdapSvc.log about the invalid authentication type, so this method can be used to reproduce the error.
    The bind result is:
    0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NTLM (4230)); // v.3
     {NtAuthIdentity: User='USERUPN'; Pwd=<unavailable>; domain = ''}
    Error <52>: ldap_bind_s() failed: Unavailable.
    Server error: <empty>

    Without MFA in line the bindRequest is sent from TMG to the DC directy and gets a bindResponse success NTLMSPP_CHALLENGE response from the DC. Then the TMG sends authentication with NTLMSPP_AUTH.

    NEGOTIATE
    When using bind method NEGOTIATE in ldp.exe everything works fine and MFA kicks in:
    2014-07-28T14:38:41.840787Z|i|2324|2436|LdapProxyContext|Proxying data between TMG-IP:10607 -> DC-IP:389
    2014-07-28T14:38:42.128432Z|i|2324|2432|LdapProxyContext|Received LDAP bind request from TMG-IP:10607.
    2014-07-28T14:38:42.130427Z|i|2324|2432|LdapProxyContext|Received LDAP bind response. ResultCode = SaslBindInProgress.
    2014-07-28T14:38:42.131090Z|i|2324|2440|LdapProxyContext|Received LDAP bind request from TMG-IP:10607.
    2014-07-28T14:38:42.131090Z|e|2324|2440|trace|i|NtlmSspSaslCredentials|User name for NTLMSSP authentication is: "USER-UPN"
    2014-07-28T14:38:42.131090Z|i|2324|2432|LdapProxyContext|Received LDAP bind response. ResultCode = Success.
    2014-07-28T14:38:42.131090Z|i|2324|2432|LdapProxyContext|Removed bind context between TMG-IP:10607 -> DC-IP:389
    2014-07-28T14:38:42.131090Z|i|2324|2432|LdapProxyContext|Doing PhoneFactor authentication for user: "USER-UPN". RequireUserMatch=true
    2014-07-28T14:38:42.131090Z|i|2324|2432|LdapProxyContext|PhoneFactor authentication succeeded for: "USER-UPN".

    The Wireshark trace between TMG and MFA using ldp.exe indicates that TMG is initatiating a bindRequest "<ROOT>" , NTLMSSP_NEGOTIATEsasl and the MFA/DC responds with saslBindInProgress , NTLMSPP_CHALLENGE. Then the TMG sends authentication with NTLMSPP_AUTH.
    The bind result is:
    0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
     {NtAuthIdentity: User='USER-UPN'; Pwd=<unavailable>; domain = ''}
    Authenticated as: 'domain\user'.

    QUESTION
    It seems TMG uses NTLM only but the MFA server does not understand the used authentication type. How can we make the MFA server accepts those types? Or is there something else wrong? Thanks for reading this (long) post, i'll appreciate your help.

    Monday, July 28, 2014 3:49 PM

Answers

  • You are correct that the MFA Server doesn't recognize LDAP Authentication Type 10 (NTLM over LDAP). It expects the response to be type 0 or 3. The only way to use the MFA Server with TMG today is via RADIUS. Unfortunately, if you switch to RADIUS, you will lose the ability to support password changes.
    Tuesday, September 9, 2014 7:57 PM