search

DNNCommunity / DNN.ActiveDirectory

Active Directory authentication for DNN
MIT License
26 stars 22 forks source link

Checking Root Domain step fails #73

Open brentil opened 3 years ago

brentil commented 3 years ago

Describe the bug

Module fails to fully validate against Windows Server 2019 AD. When trying to configure the module settings it always fails on the Checking Root Domain step but the Accessing Global Catalog and Accessing LDAP pass. We can see in the logs that the module successfully connects and pulls the user's information from AD but then fails on password validation. If we load the URL directly it kicks up the user/password prompt which does work for authentication.

/DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx

The error we find in the logs for trying to save the settings or logging in is "A more secure authentication method is required for this server" which a variety of web searches suggest this might have to do with LDAP channel binding and LDAP signing.

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

We've tried a variety of root domains settings using DC=LAB,DC=GROUP,DC=UNIVERSITY,DC=EDU and LDAP:// and LDAPS://LAB.GROUP.UNIVERSITY.EDU and they all fail on the Checking Root Domain step. We've also tried every Authentication Type too and none of them fix it.

Software Versions

Screenshots

image

Error log

The below error is kicked out when trying to save the settings for the module to connect to our AD and also when trying to login.

AbsoluteURL:/Default.aspx
DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke
ExceptionGUID:a79338bc-e733-467c-ad09-dc287a6ce131
AssemblyVersion:
PortalId:-1
UserId:-1
TabId:-1
RawUrl:
Referrer:
UserAgent:
ExceptionHash:jWdkvuz8cHe6slf4z5+CKSx2sDE=
Message:A more secure authentication method is required for this server.
StackTrace:
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_Name()
   at DotNetNuke.Authentication.ActiveDirectory.ADSI.Utilities.GetRootEntry(Path ADSIPath)
InnerMessage:
InnerStackTrace:
Source:System.DirectoryServices
FileName:
FileLineNumber:0
FileColumnNumber:0
Method:
mrdibb40 commented 3 years ago

Did you ever find a resolution to this? We are having the same problem with DNN 9.08 and version 7 of the module.

brentil commented 3 years ago

We never did. We spent a bunch of time trying to figure it out but never could even get an idea of what was going wrong. We ended up going with AD-Pro Authentication. HOWEVER, the version of that on the DNN Store is very OLD and also doesn't work. We had to contact their support to get the newest version which does work.

sawest commented 3 years ago

There is not support currently in this module to bind to LDAPS. If your domain controller requires that then you will get an error message. After reviewing the code, this behavior is confirmed. If you add LDAPS to the front of your string, it will be stripped off and replaced with GC. For this module to connect to a domain controller, LDAPS will need to be optional, not required. I will make this a feature request. Hopefully I, or someone, can add this ability soon. I am currently working through the module on other issues and adding dependency injection.

sawest commented 3 years ago

duplicate #74

RonStack commented 2 years ago

I was receiving this as well. After looking through the logs through DNN I discovered mine was due to an authentication error. I changed the username to include the domain, e.g. domain\username instead of what I was using, username by itself.