Authentik Security, Part Three


Configure Authentik

So I'd like to connect my lab's Active Directory to Authentik. It would be great to use the accounts already set up there, and I'll need to know that's working before I connect my other applications, right? So this seems like the best place to start.

Steps performed on Desktop via Server Manager

  • Select AD DS
  • Right click DC-03
  • Click on Active Directory User and Groups
  • Right click on Managed Service Accounts
  • Navigate to New
  • Click on User
  • Set a name of _service_authentik
  • I right click on domain domain.local
  • I click on Delegate Control
    • I click on Next in the Delegation of Control Wizard
    • I add _service_authentik
    • I click on Next
    • Delegate the following common tasks:
      • Create, delete, and manage user accounts
      • Reset user passwords and force password change at next logon
      • Read all user information
    • I click on Next
    • I click on Finish to complete the Delegation of Control Wizard

I'm stuck on Authentik's step 7. Where do I get to these domain security properties again? Oh yeah I remember this now!

  • Click on View
  • Click on Advanced Features
  • Right click on domain domain.local
  • Click on Properties
  • Navigate to the Security tab
  • Select _service_authentik and add the following:
    • Replicating Directory Changes
    • Replicating Directory Changes All
    • Replicating Directory Changes In Filtered Set
    • Replication synchronization
    • Click Apply then OK
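An added check, not part of the original post: the four entries set in the Security tab are extended rights on the domain head, and the same rights let a principal pull password material through directory replication, so it is worth confirming both that the wizard granted all four to the service account and that nobody unexpected holds them. The script below assumes the ActiveDirectory RSAT module on a domain-joined host; the account name _service_authentik and the domain domain.local are taken from the post, and the GUIDs are the well-known values for those rights.

```powershell
# Added example (not from the original post): audit who holds the replication rights
# granted in the Security tab. Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs behind the four entries in the Security tab.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}

function Get-ReplicationRightHolders {
    param([string]$Domain = 'domain.local')   # domain from the post
    $dn  = (Get-ADDomain -Identity $Domain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"            # AD: drive is created by Import-Module
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
            }
        }
}

$holders = Get-ReplicationRightHolders -Domain 'domain.local'

# 1. Did the Security tab change actually give the service account all four rights?
$svcRights = @($holders | Where-Object Identity -like '*\_service_authentik')
"_service_authentik holds {0} of 4 replication rights: {1}" -f $svcRights.Count, ($svcRights.Right -join '; ')

# 2. Anyone else holding these rights can replicate password data from the DC (the
#    permission set DCSync-style tooling relies on), so review everything outside the
#    built-in identities that hold them by default.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
$holders |
    Where-Object {
        $expected -notcontains $_.Identity -and
        $_.Identity -notlike '*\_service_authentik' -and
        $_.Identity -notlike '*\Domain Controllers' -and
        $_.Identity -notlike '*\Enterprise Read-only Domain Controllers'
    } |
    Sort-Object Identity, Right | Format-Table -AutoSize
```

Run it from an elevated PowerShell on a domain-joined machine; an empty table from the second step means only the built-ins and the new service account hold replication rights, which is the state you want after the wizard.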

Steps performed in Authentik Security

  • I open the admin portal
  • I navigate to Directory, then Federation & Social Login
  • I click on Create
    • I select type: LDAP Source
    • I click on Next
    • Name: domain.local
    • Slug: domain.local
    • Enabled: Yes
    • Sync User: Yes
    • User password writeback: Yes
    • Sync Groups: Yes
    • Server URI: ldaps://dc-03.domain.local,ldaps://dc-02.domain.local
    • Enable StartTLS: No
    • Bind CN: [email protected]
    • Base DN: domain.local
    • User Property Mappings: All listings for LDAP and Active Directory
    • Group Property Mappings: authentik default LDAP Mapping: Name
    • Group: Blank
    • User Path: goauthentik.io/sources/%(slug)s
    • Additional User DN: Blank
    • User Object Filter: (&(objectClass=user)(!(objectClass=computer)))
    • Group Object Filter: (objectClass=group)
    • Group Membership Field: member
    • Object uniqueness Field: objectSid
    • I click on Finish
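An added check, not code from the original post or from authentik: before waiting on authentik's sync, it helps to reproduce what the LDAP source will do from a Windows host, a simple bind over LDAPS as the service account followed by the user and group searches with the filters from the settings above. The server dc-03.domain.local and the two object filters come from the post; the bind identity is assumed to be the UPN _service_authentik@domain.local (built from the account and domain in the post), and the search base is written as a distinguished name, DC=domain,DC=local, which is the form an LDAP search base takes.

```powershell
# Added example (not from the original post or authentik): bind over LDAPS as the
# service account and run the source's user/group filters with paging.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Search-Paged {
    param($Conn, [string]$BaseDn, [string]$Filter, [string[]]$Attrs)
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $BaseDn, $Filter, $scope, $Attrs
    # AD caps one result set at 1000 entries, so page through with the paging control.
    $page  = New-Object System.DirectoryServices.Protocols.PageResultRequestControl -ArgumentList 500
    [void]$req.Controls.Add($page)
    $entries = New-Object System.Collections.ArrayList
    do {
        $resp = $Conn.SendRequest($req)
        foreach ($e in $resp.Entries) { [void]$entries.Add($e) }
        $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $page.Cookie = $pageResp.Cookie
    } while ($pageResp.Cookie -and $pageResp.Cookie.Length -gt 0)
    return ,$entries
}

function Test-AuthentikLdapSource {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # _service_authentik and its password
        [string]$Server      = 'dc-03.domain.local',        # from the post
        [int]$Port           = 636,
        [string]$BaseDn      = 'DC=domain,DC=local',        # assumed DN form of domain.local
        [string]$UserFilter  = '(&(objectClass=user)(!(objectClass=computer)))',   # from the post
        [string]$GroupFilter = '(objectClass=group)'                              # from the post
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $Port
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
    $conn.SessionOptions.SecureSocketLayer = $true     # LDAPS on 636, no StartTLS, as in the source settings
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as authentik does
    try {
        # A failed TLS handshake or untrusted certificate surfaces here as LdapException
        # error 81 (LDAP_SERVER_DOWN, 0x51), the same code ldp.exe shows; bad credentials are 49.
        $conn.Bind($Credential.GetNetworkCredential())
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        return [pscustomobject]@{ Bind = $false; Error = "$($_.Exception.ErrorCode): $($_.Exception.Message)" }
    }
    $users  = Search-Paged $conn $BaseDn $UserFilter  @('sAMAccountName', 'objectSid')
    $groups = Search-Paged $conn $BaseDn $GroupFilter @('sAMAccountName', 'member')
    $conn.Dispose()

    # objectSid is the uniqueness field in the source settings, so every user the filter
    # selects must expose one to the bound account.
    $missingSid = @($users | Where-Object { -not $_.Attributes.Contains('objectSid') })
    [pscustomobject]@{
        Bind             = $true
        Users            = $users.Count
        UsersMissingSid  = $missingSid.Count
        Groups           = $groups.Count
        GroupsWithMember = @($groups | Where-Object { $_.Attributes.Contains('member') }).Count
        SampleUsers      = @($users | Select-Object -First 5 | ForEach-Object { $_.Attributes['sAMAccountName'][0] })
    }
}

# Usage: prompts for the service account password, then prints bind status and counts.
Test-AuthentikLdapSource -Credential (Get-Credential '_service_authentik@domain.local')
```

If Bind comes back $false with error 81 here while a plain ldp.exe connection on 389 works, the problem is on the TLS side rather than in the source settings; a Users count of 0 with a successful bind usually means the search base or the delegated read rights are wrong.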

It seems as if nothing is happening in Authentik. The logs show it is trying but it gives no indication of failure or success. Let's do some external testing.

Steps performed on Desktop via ldp.exe

  • Connecting to DC-03.domain.local
    • Error 81 = ldap_connect(hLdap, NULL)
    • Server error: (empty)
    • Error <0x51>: Fail to connect to dc-03.domain.local

I test a connection with SSL and it is able to be established. Why in the world in 2023 is LDAPS not enabled by default? No point in arguing with Microsoft about it, let's just turn it on.

Enabling LDAPS

Steps performed on DC-03

  • Create file C:\Request.inf
  • I copy/paste the following into Request.inf:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=DC-03.domain.local" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; Note: 1024-bit RSA is below today's accepted minimum; modern clients
; and CAs expect 2048 or larger.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
  • I open PowerShell
  • certreq -new request.inf request.req
    • CertReq: Request Created

Now the next step from Microsoft says to submit the request.req file to a Microsoft or third-party CA. That's way overblown for my homelab. Instead I'm trying this from Dell.

  • New-SelfSignedCertificate -DnsName dc-03.domain.local, dc-03 -CertStoreLocation cert:\LocalMachine\My
  • I open certlm.msc
  • I navigate to Personal and then Certificates
  • I copy the cert to Trusted Root Certification Authorities > Certificates

Testing again, I still get the same error. So it is probably a firewall issue, I think? I check the firewall and confirm that it is set to allow port 636. I decide to test from DC-03 via ldp.exe and it works. So it will work locally but not remotely. Hmmm..... what else could it be? Perhaps it needs a reboot? Afterwards the error remains, and I am out of time, so I will have to leave it here for today.
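An added diagnostic, not part of the original post: ldp.exe's error 81 (0x51, LDAP_SERVER_DOWN) is returned both when nothing answers on port 636 and when the TLS handshake fails, so it cannot tell a firewall problem from a certificate problem. One thing the ldp.exe test on the DC itself does not exercise is trust: copying a self-signed certificate into the DC's own Trusted Root store makes the DC trust it, but a remote client (the desktop now, and the host running authentik later) validates the chain against its own store and needs the certificate there too; the LDAP source in authentik can be given the certificate to verify against. The probe below separates the two cases from any Windows host. It assumes Windows PowerShell 5.1 or later; dc-03.domain.local is the DC named in the post.

```powershell
# Added example (not from the original post): probe an LDAPS endpoint and report
# TCP reachability, the TLS handshake, the certificate presented and any policy errors.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{
        Target = "${ComputerName}:$Port"; TcpReachable = $false; TlsHandshake = $false
        Protocol = $null; Subject = $null; Issuer = $null; SanDnsNames = @()
        NotAfter = $null; PolicyErrors = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # 1. Plain TCP connect with a timeout. Failing here means nothing reachable on 636:
        #    a firewall in the path, or Schannel found no usable certificate and never listened.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $r.Error = "TCP connect to port $Port timed out after $TimeoutMs ms"
            return [pscustomobject]$r
        }
        $client.EndConnect($async)
        $r.TcpReachable = $true

        # 2. TLS handshake. The callback records the validation result instead of failing
        #    the handshake, so an untrusted certificate can still be inspected and reported.
        $state = @{ Errors = $null }
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
            param($sender, $cert, $chain, $errors)
            $state.Errors = $errors
            return $true
        }.GetNewClosure())
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($ComputerName)
        $r.TlsHandshake = $true
        $r.Protocol     = $ssl.SslProtocol.ToString()
        $r.PolicyErrors = $state.Errors.ToString()   # "None", or e.g. RemoteCertificateChainErrors (not trusted here)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $r.Subject  = $cert.Subject
        $r.Issuer   = $cert.Issuer
        $r.NotAfter = $cert.NotAfter
        # Subject Alternative Name (OID 2.5.29.17): the DNS names a client may connect with.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $r.SanDnsNames = @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
        }
        $ssl.Dispose()
    }
    catch {
        $r.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$r
}

# Usage: run once from the desktop and once on DC-03 itself, then compare the two results.
Test-LdapsEndpoint -ComputerName 'dc-03.domain.local' | Format-List
```

Reading the two runs side by side: TcpReachable false from the desktop but true on the DC points at the firewall or a DC listening only on a name the desktop does not resolve; TcpReachable true with PolicyErrors other than None on the desktop only means the handshake works and the desktop simply does not trust the self-signed certificate, which is fixed by importing it into the desktop's (and later the authentik host's) trust store rather than the DC's.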