Q. I am trying to set up the InterMapper Authentication Server to authenticate against our Active Directory servers. Every time I use a known good username and password (verified using ldapsearch), I am unable to authenticate and the imauth.log file contains the following errors:
LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 0, vece
Could not connect to : Simple Authentication Failed (80090308: LdapERR: DSID-0C090334, comment: AcceptSecurityContext error
A. IMAuth is passing on an error it received directly from the AD server, but in this case AD includes no information beyond the fact that the bind attempt failed: the "data" field of an AcceptSecurityContext error normally carries a sub-code describing why (wrong password, disabled account, and so on), and here it is 0. This is usually caused by AD rejecting the authentication (SASL) mechanism IMAuth is trying to use rather than the credentials themselves. Even when an AD server advertises in its rootDSE that it supports, for example, the DIGEST-MD5 mechanism, it can still be configured to reject it for all users. IMAuth does not yet support all of AD's authentication mechanisms, so it is possible that AD is configured to reject every one that IMAuth tries.
Some possible solutions:
1. If you have control over the AD configuration, you can allow 'simple' authentication, but only for SSL/TLS-encrypted (LDAPS) connections. Simple bind sends the password in clear text inside the LDAP session, which is obviously a security problem on an unencrypted connection. If AD is configured to refuse simple binds on unencrypted connections and IMAuth is configured to connect only over SSL, then, depending on your network, this may be acceptable.
2. If you don't have control over the AD configuration, or your network requires especially high security, you can use IMAuth's 'Kerberos' setting rather than ActiveDirectory or LDAP. Active Directory has Kerberos built in, and you can find instructions on how to configure IMAuth to use it.
This doesn't require changing the AD server's configuration and is quite secure, but it only works when logging into InterMapper using RemoteAccess. Due to the way Kerberos works, it is not available for telnet or web logins.
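Two checks a practitioner would want before changing anything on the AD side: decode what (if anything) the AcceptSecurityContext "data" sub-code in imauth.log is saying, and look at which SASL mechanisms the domain controller actually advertises in its rootDSE. The script below is an added example, not part of the original page and not InterMapper's own code. It parses the two log lines quoted in the question plus a constructed line carrying the common 52e sub-code, and parses a constructed rootDSE LDIF fragment of the kind `ldapsearch -x -H ldap://<dc> -s base -b "" supportedSASLMechanisms` returns. The sub-code table and the two SSPI HRESULT values are the well-known Microsoft ones; the sample log and LDIF text are constructed for the example, and the function names are the example's own.

```python
import re

# Well-known AD sub-codes in the "data NNN" field of an AcceptSecurityContext error.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# SSPI HRESULTs that prefix the LdapErr text in these messages.
SSPI_HRESULTS = {
    "80090308": "SEC_E_INVALID_TOKEN",
    "8009030c": "SEC_E_LOGON_DENIED",
}

# Matches both shapes seen in imauth.log: with or without the leading HRESULT,
# and with or without the trailing "data NNN, vXXX" fields.
LDAP_ERR_RE = re.compile(
    r"(?:(?P<hresult>[0-9A-Fa-f]{8}):\s*)?"
    r"LdapErr:\s*DSID-(?P<dsid>[0-9A-Za-z]+),\s*"
    r"comment:\s*(?P<comment>[^,]+)"
    r"(?:,\s*data\s+(?P<data>[0-9A-Fa-f]+))?",
    re.IGNORECASE,
)


def diagnose(line):
    """Return a dict describing one imauth.log LdapErr line, or None if it is not one."""
    m = LDAP_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower() if m.group("data") else None
    hresult = m.group("hresult").lower() if m.group("hresult") else None
    if data is None:
        verdict = "no data field: AD reported only that the bind failed"
    elif data == "0":
        # The case in the question: no sub-code at all. AD is not complaining about
        # the credentials, so suspect the bind mechanism (per the answer above).
        verdict = "sub-code 0: no reason given; check which bind mechanism AD allows"
    elif data in AD_BIND_SUBCODES:
        verdict = "sub-code %s: %s" % (data, AD_BIND_SUBCODES[data])
    else:
        verdict = "unknown sub-code %s" % data
    return {
        "hresult": SSPI_HRESULTS.get(hresult, hresult),
        "dsid": m.group("dsid"),
        "comment": m.group("comment").strip(),
        "data": data,
        "verdict": verdict,
    }


def advertised_sasl_mechs(ldif_text):
    """Collect supportedSASLMechanisms values from rootDSE LDIF output (as a set).

    Note: advertised is not the same as permitted; AD can still reject a mechanism
    it lists here, which is exactly the situation the answer describes.
    """
    mechs = set()
    for raw in ldif_text.splitlines():
        if raw.lower().startswith("supportedsaslmechanisms:"):
            mechs.add(raw.split(":", 1)[1].strip())
    return mechs


# Constructed sample input: the two lines from the question plus one with a sub-code.
SAMPLE_LOG = [
    "LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 0, vece",
    "Could not connect to : Simple Authentication Failed (80090308: LdapERR: DSID-0C090334, comment: AcceptSecurityContext error",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
]

# Constructed rootDSE fragment of the shape ldapsearch prints for a domain controller.
SAMPLE_ROOTDSE = """dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(diagnose(line))
    print("advertised:", sorted(advertised_sasl_mechs(SAMPLE_ROOTDSE)))
```

Run it against the real imauth.log lines and the real rootDSE output: if every failure carries data 0 while DIGEST-MD5 is advertised, the mechanism is being refused despite being listed, and the options in the answer (simple bind over SSL only, or the Kerberos setting) are the ones to pursue.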