
Certificate VPN authentication against LDAP using userPrincipalName (R80.10)

Question asked by Damjan Janev on Jun 9, 2018
Latest reply on Jul 29, 2018 by Damjan Janev

Has anyone tried and succeeded in this?

Since R80.10, sk61060 is no longer applicable and the relevant configuration is performed directly on the gateway object in VPN Clients -> Authentication. In the personal certificate I have

  • Fetch Username From: Subject Alternative Name.UPN in the Login option
  • Common lookup type: User-Principal-Name / UPN (userPrincipalName) in the User Directories

The first part seems to be working OK. I can verify in the logs that the UPN is extracted from the certificate, but it is not matched against a UPN in LDAP. Login fails with unknown user. If I change everything to default (DN based), it works OK.

If I change the Fetch Username From part to DN and leave the lookup UPN based, authentication succeeds. It looks like the lookup is always DN based, no matter what is selected. I even tried to use a custom lookup with userPrincipalName, but the behavior is the same.

I am currently testing this on R80.10 with Jumbo Hotfix Accumulator Take 91.

ETA:

Tried with Jumbo Hotfix Accumulator Take 103 (latest). No change.

I am currently running a packet capture of the FW-DC communication and have concluded that the above configuration results in an LDAP search based on sAMAccountName instead of userPrincipalName.

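The two halves of the behaviour described in this thread, extracting the UPN from the certificate's Subject Alternative Name and then looking that value up in the directory, can be reproduced outside the gateway. The following is an added example written for this page; it is not Check Point code and does not reflect how the gateway is implemented. It parses the UPN otherName (Microsoft OID 1.3.6.1.4.1.311.20.2.3) out of a DER-encoded SAN extension, builds RFC 4515-escaped LDAP equality filters, and runs them against a constructed in-memory directory entry (the DER bytes, the account `jdoe` and the `example.com` realm are all made up for the demo). Searching `userPrincipalName` for the extracted value finds the account; searching `sAMAccountName` for the same full UPN string finds nothing, which is the "unknown user" outcome the capture in the post points to.

```python
"""Extract a UPN from an X.509 SAN and build the LDAP lookup filters.

Added example for this thread; not Check Point code. All sample data is
constructed inline so the script runs offline.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string to DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    """DER OID content octets back to a dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, content, position after the TLV) for buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_san(upn, email):
    """Constructed sample SAN: otherName(UPN) followed by an rfc822Name."""
    other_name = der(0x06, encode_oid(UPN_OID)) + der(0xA0, der(0x0C, upn.encode()))
    return der(0x30, der(0xA0, other_name) + der(0x81, email.encode("ascii")))


def upn_from_san(san):
    """Walk the GeneralNames SEQUENCE and return the UPN otherName, or None."""
    tag, names, _ = read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                     # [0] otherName only
            continue
        oid_tag, oid, p = read_tlv(body, 0)
        if oid_tag != 0x06 or decode_oid(oid) != UPN_OID:
            continue
        _, explicit, _ = read_tlv(body, p)  # value is [0] EXPLICIT
        str_tag, utf8, _ = read_tlv(explicit, 0)
        if str_tag == 0x0C:                 # UTF8String
            return utf8.decode("utf-8")
    return None


def ldap_filter(attr, value):
    """Equality filter with RFC 4515 escaping of the asserted value."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "(%s=%s)" % (attr, "".join(esc.get(c, c) for c in value))


# Constructed directory entry standing in for what the DC would return.
DIRECTORY = [
    {"dn": "CN=J Doe,OU=Users,DC=example,DC=com",
     "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@example.com"},
]


def lookup(attr, value):
    """Simulate the DC answering a case-insensitive equality search."""
    return [e["dn"] for e in DIRECTORY if e.get(attr, "").lower() == value.lower()]


if __name__ == "__main__":
    upn = upn_from_san(build_san("jdoe@example.com", "jdoe@example.com"))
    for attr in ("userPrincipalName", "sAMAccountName"):
        print(ldap_filter(attr, upn), "->", lookup(attr, upn) or "no such user")
```

The filters `ldap_filter()` produces can be pasted into `ldapsearch` against the real DC to confirm independently which attribute actually matches the value the gateway extracted; the escaping matters because a UPN or DN fragment taken from a client-supplied certificate must not be able to alter the filter structure.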