Logon with restricted account

Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Logon with restricted account

Post by Kris »

Hello again,

We have user accounts that have restrictions in AD on which machine they can logon to.
These accounts can't log on to the customer portal, not even if the specific machine that OTRS is installed on is added to the list.
When the restrictions are removed all works fine.

The following error is logged:

[Thu Apr 11 15:56:20 2013][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: johndoe (OU=users,DC=mycompany,DC=local) authentication failed: '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1

Any ideas?
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Logon with restricted account

Post by ferrosti »

Add your OTRS webserver to the list of restricted clients and you should be good to go.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: Logon with restricted account

Post by Kris »

That's what I already tried.
And it didn't work....
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Logon with restricted account

Post by crythias »

from the interwebs:

AcceptSecurityContext error, data 531
Logon failure: user not allowed to log on to this computer. Returns only when presented with valid username and password/credential.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
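The "data 531" sub-code quoted above is one of a small, well-known family of Active Directory bind failure codes. The following is an added example (not code from the thread or from OTRS) that parses OTRS customer-auth log lines of the form shown in the first post and maps the AD sub-code to its meaning, so that a 531 (valid password, workstation restriction) is not mistaken for a wrong password. The log-line format and the sub-code table are as I know them; the sample lines other than the one from the thread are constructed.

```python
import re

# Well-known AD "AcceptSecurityContext error, data NNN" sub-codes returned on a
# failed simple bind. The DC only gets this far after it has found the account,
# so 531 in particular means the password was accepted and a "Log On To"
# (logon-workstation) restriction blocked the bind on the DC itself.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time (logon hours)",
    "531": "not permitted to log on at this workstation (\"Log On To\" restriction; "
           "for an LDAP bind the workstation is the DC answering the bind)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the OTRS Kernel::System::CustomerAuth::LDAP failure line from the thread.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<module>[^\]]+)\]\s*"
    r"CustomerUser:\s*(?P<user>\S+)\s*\((?P<base>[^)]*)\)\s*authentication failed:"
)
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]{3})")


def classify_otrs_ldap_failure(line):
    """Return a dict describing one OTRS LDAP auth failure line, or None if the
    line is not such a failure."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sub = SUBCODE_RE.search(line)
    code = sub.group("code").lower() if sub else None
    if code is None:
        reason = "no AD sub-code in message (not an AD bind failure?)"
    else:
        reason = AD_BIND_SUBCODES.get(code, "unrecognised AD sub-code")
    return {
        "timestamp": m.group("ts"),
        "user": m.group("user"),
        "search_base": m.group("base"),
        "subcode": code,
        "reason": reason,
    }


def summarise(lines):
    """Count failures per AD sub-code over a batch of log lines."""
    counts = {}
    for line in lines:
        r = classify_otrs_ldap_failure(line)
        if r is not None:
            counts[r["subcode"]] = counts.get(r["subcode"], 0) + 1
    return counts


# Constructed sample input: the line from the thread plus two made-up lines.
SAMPLE_LOG = [
    "[Thu Apr 11 15:56:20 2013][Notice][Kernel::System::CustomerAuth::LDAP::Auth] "
    "CustomerUser: johndoe (OU=users,DC=mycompany,DC=local) authentication failed: "
    "'80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1",
    "[Thu Apr 11 15:58:02 2013][Notice][Kernel::System::CustomerAuth::LDAP::Auth] "
    "CustomerUser: janedoe (OU=users,DC=mycompany,DC=local) authentication failed: "
    "'80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "[Thu Apr 11 15:59:10 2013][Notice][Kernel::System::Web::InterfaceCustomer] unrelated line",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify_otrs_ldap_failure(line)
        if r:
            print(f"{r['timestamp']}: {r['user']} -> data {r['subcode']}: {r['reason']}")
    print(summarise(SAMPLE_LOG))
```

Run over a real OTRS log (one line per list element), a cluster of 52e entries for one account looks like a password-guessing problem, while a 531 for an otherwise valid account points at the "Log On To" list, which is the situation in this thread.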
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: Logon with restricted account

Post by Kris »

I know! :lol:
But I already added the OTRS machine to the allowed computers in the "Log on to" section of the user properties.
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Logon with restricted account

Post by ferrosti »

Are you really running OTRS on a Windows XP computer?
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: Logon with restricted account

Post by Kris »

Ermmm yeah... but we're planning to upgrade to Vista.... :shock:

Noooo, just kidding! Yes, it is running on XP right now, but we will reinstall on W2012 when we start production....
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Logon with restricted account

Post by ferrosti »

Vista is no kidding, Windows ME was ;)

Just a shot into the wild, but I believe that IIS on W2012 or Apache on W2012 would do better regarding this issue.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: Logon with restricted account

Post by Kris »

Maybe so, but it's still odd that I can't log on to the customer portal with the same account I CAN set up an RDP session with or browse the same machine that OTRS is installed on.
As we've passed the POC point anyway, I will reinstall on W2012 soon.

I didn't realize OTRS could be installed on IIS as well. I'll do that next time then :D
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Logon with restricted account

Post by crythias »

You should check the LDAP server's logs to make sure what user/computer pair is failing.

It could be that the LDAP search user doesn't have permissions, for instance.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: Logon with restricted account

Post by Kris »

Thanks Crythias,

You pointed me in the right direction:

The LDAP log showed that when the user tries to log on to the customer portal, it also connects to the DC with the same credentials.
And since the DC wasn't on the allow list, it failed.
Adding the DC to the allow list solved it, but I still think it's weird because there's a specific user to do the LDAP lookup specified in the config file.

I'm not sure why the DC is contacted with the user's credentials....
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: Logon with restricted account

Post by Kris »

OK, so I remarked the following lines in the config,

#    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'}    = 'CN=ldaplookup,CN=Users,DC=mycompany,DC=local';
#    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'}    = 'ldaplookup';

restarted Apache, and tried to log on to the customer portal: it still works.

It would appear to me that this shouldn't work, or would it?
I reckon the LDAP lookups are performed with the user's credentials instead of those in the config?
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Logon with restricted account

Post by crythias »

Kris wrote:Adding the DC to the allow list solved it
I don't like this answer ...
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
KlausNehrer
Znuny ninja
Posts: 1312
Joined: 25 May 2012, 08:51
Znuny Version: OTRS 4
Real Name: Klaus Nehrer

Re: Logon with restricted account

Post by KlausNehrer »

crythias wrote:
Kris wrote:Adding the DC to the allow list solved it
I don't like this answer ...
I like it. Windows sucks ;)
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Logon with restricted account

Post by crythias »

Adding the DC to the allow list means exactly that. The user could log into the DC. That's not exactly Super Happy Fun Time.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
KlausNehrer
Znuny ninja
Posts: 1312
Joined: 25 May 2012, 08:51
Znuny Version: OTRS 4
Real Name: Klaus Nehrer

Re: Logon with restricted account

Post by KlausNehrer »

Yes, you're right, but domain restriction requires all DCs as members of allowed hosts. Amazing that it is not noticed earlier.
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: Logon with restricted account

Post by Kris »

KlausNehrer wrote:Yes, you're right, but domain restriction requires all DCs as members of allowed hosts.
I don't think that is entirely true. We do have some accounts that don't have any DC in their allow list, but they can still log on with a VPN connection that uses a Windows DC RADIUS server, and start a remote desktop session to any computer on their allow list.
And, on the other hand: most companies don't even apply logon restrictions to their users, because it makes the workplace very rigid.
So all DCs are accessible anyways. So that's not THAT big a deal.

What IS a big deal is that OTRS obviously doesn't use the credentials set in Config.pm to perform LDAP queries during customer logon.

Anyone any thoughts on that?
Last edited by Kris on 12 Apr 2013, 08:20, edited 2 times in total.
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Logon with restricted account

Post by jojo »

OTRS uses the credentials provided to look up the user's DN. But to perform a password check you need to log on with the user's DN and the submitted password on the LDAP server, as the bind user is not allowed to look up other users' password field.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
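The two-step flow jojo describes (search-bind to find the DN, then a bind as the user's own DN to check the password) explains both observations in this thread: the second bind is the one AD evaluates the "Log On To" restriction against, and the computer doing that authentication is the DC, so a 531 comes back unless the DC is in the list; and if the directory allows anonymous search, step one still succeeds with SearchUserDN/SearchUserPw commented out. The following is an added example, not OTRS code: a small in-memory stand-in for a domain controller (FakeAD, constructed here) and a customer_auth function that mirrors the two steps using the Config.pm keys from the thread. The bind semantics of the stand-in are simplified; only the AD sub-codes 525, 52e and 531 are modelled.

```python
class FakeAD:
    """Constructed stand-in for a domain controller answering LDAP simple binds.

    users maps a DN to {"sam": login name, "password": ..., "logon_to": None
    (unrestricted) or a set of computer names the account may log on to}.
    """

    def __init__(self, hostname, users, anonymous_search=False):
        self.hostname = hostname            # the DC's own computer name
        self.users = users
        self.anonymous_search = anonymous_search

    def bind(self, dn, password):
        """Return (ok, ad_subcode). dn=None is an anonymous bind."""
        if dn is None:
            return (self.anonymous_search, None)
        u = self.users.get(dn)
        if u is None:
            return (False, "525")
        if u["password"] != password:
            return (False, "52e")
        # AD checks "Log On To" against the computer performing the
        # authentication; for an LDAP simple bind that is the DC itself.
        if u["logon_to"] is not None and self.hostname not in u["logon_to"]:
            return (False, "531")
        return (True, None)

    def search_dn(self, bound_ok, sam):
        """Resolve a login name to its DN; only a successful bind may search."""
        if not bound_ok:
            return None
        for dn, u in self.users.items():
            if u["sam"] == sam:
                return dn
        return None


def customer_auth(config, dc, username, password):
    """Two-step LDAP customer authentication as described in the thread."""
    # Step 1: bind as the configured search user (or anonymously when the
    # SearchUserDN line is commented out) and look up the user's DN.
    search_dn = config.get("Customer::AuthModule::LDAP::SearchUserDN")
    search_pw = config.get("Customer::AuthModule::LDAP::SearchUserPw")
    ok, code = dc.bind(search_dn, search_pw)
    if not ok:
        return (False, "search bind failed (no search user and anonymous search disabled)"
                       if search_dn is None else f"search bind failed: data {code}")
    user_dn = dc.search_dn(ok, username)
    if user_dn is None:
        return (False, "user not found under the search base")
    # Step 2: the actual password check is a bind as the user's own DN. The
    # search user cannot read anyone's password, so this step is unavoidable.
    ok, code = dc.bind(user_dn, password)
    if not ok:
        return (False, f"AcceptSecurityContext error, data {code}")
    return (True, user_dn)


def run_scenarios():
    """Reproduce the thread's observations; returns {scenario: (ok, detail)}."""
    users = {
        "CN=ldaplookup,CN=Users,DC=mycompany,DC=local": {
            "sam": "ldaplookup", "password": "ldaplookup", "logon_to": None},
        "CN=johndoe,OU=users,DC=mycompany,DC=local": {
            "sam": "johndoe", "password": "s3cret", "logon_to": {"OTRSBOX"}},
    }
    full_config = {
        "Customer::AuthModule::LDAP::SearchUserDN": "CN=ldaplookup,CN=Users,DC=mycompany,DC=local",
        "Customer::AuthModule::LDAP::SearchUserPw": "ldaplookup",
    }
    no_search_user = {}   # the two lines commented out, as in the thread

    dc = FakeAD("DC01", users)
    out = {}
    # Only the OTRS box is allowed: step 2 is evaluated on DC01 -> 531.
    out["otrs_box_only"] = customer_auth(full_config, dc, "johndoe", "s3cret")
    # Adding the DC to the allow list (the workaround in the thread) succeeds.
    users["CN=johndoe,OU=users,DC=mycompany,DC=local"]["logon_to"].add("DC01")
    out["dc_added"] = customer_auth(full_config, dc, "johndoe", "s3cret")
    # A wrong password still fails at step 2 with 52e, never 531.
    out["wrong_password"] = customer_auth(full_config, dc, "johndoe", "nope")
    # Without a search user: works only because anonymous search is allowed.
    out["no_search_user_anon_off"] = customer_auth(no_search_user, dc, "johndoe", "s3cret")
    dc_anon = FakeAD("DC01", users, anonymous_search=True)
    out["no_search_user_anon_on"] = customer_auth(no_search_user, dc_anon, "johndoe", "s3cret")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26s} -> {result}")
```

The last two scenarios are the check a practitioner would run on a real directory: if logins keep working with SearchUserDN and SearchUserPw commented out, the directory is answering unauthenticated searches, which is a directory setting worth reviewing rather than an OTRS behaviour.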
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: Logon with restricted account

Post by Kris »

Then why is it that users can log on even when I remark (or remove) the following lines from Config.pm?

#    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'}    = 'CN=ldaplookup,CN=Users,DC=mycompany,DC=local';
#    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'}    = 'ldaplookup';
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Logon with restricted account

Post by jojo »

Your LDAP allows anonymous search.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com