Authentik Security, Part Twelve


Configure Authentik

Enable LDAPS

Part 3. Install and Configure Active Directory Federation Service (ADFS)

Today I am going to pick up where I left off yesterday. I am hoping I can finish up part 3 today.

Steps performed from desktop

  • From a browser go to https://fs-01.domain.local/adfs/ls/idpinitiatedsignon

The page loads with an error, which the walkthrough says is to be expected. To resolve the error I switch to PowerShell.

Steps performed from desktop via Windows Terminal

  • Get-AdfsProperties | Select-Object HostName, EnableIdpInitiatedSignonPage
    • FS-01.domain.local False
  • Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
  • Get-AdfsProperties | Select-Object HostName, EnableIdpInitiatedSignonPage
    • FS-01.domain.local True

Awesome! When I refresh my browser it is loading without any errors now.

Steps performed on desktop via Server Manager

  • Right click on DC-04 and open AD FS Management
  • I expand Service
  • I go to Endpoints

The guide then says to enable Token Issuance for SAML 2.0/WS-Federation but then shows a picture of the disable button. I'm guessing that's his way of knowing it is enabled?

  • I go to Authentication Methods
    • Under Primary Authentication Methods I click Edit
    • Under Intranet I uncheck Windows Authentication
    • I click OK
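The three AD FS changes in part 3 (sign-on page, SAML 2.0/WS-Federation endpoint, intranet authentication method) can all be checked and applied from PowerShell instead of clicking through AD FS Management, which also removes the guesswork about whether the GUI is showing an enable or a disable button. The script below is an added example, not from the original post or from the walkthrough it follows. It assumes it runs in an elevated session on the AD FS server with the AD FS PowerShell module present; the endpoint path /adfs/ls/ and the service name adfssrv are the standard AD FS values. Note that the IdP-initiated sign-on page is off by default on Windows Server 2016 and later; it is convenient for lab testing but there is no reason to leave it on once the SAML trust works.

```powershell
# Added example (not from the original post): verify the AD FS settings part 3
# touches and correct any that are off. Assumes an elevated session on the
# AD FS server with the ADFS module loaded.
$changed = $false

# 1. IdP-initiated sign-on page (serves /adfs/ls/idpinitiatedsignon).
#    Disabled by default on Server 2016+; enable only while you need the test page.
if (-not (Get-AdfsProperties).EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    $changed = $true
}

# 2. Token issuance endpoint for SAML 2.0/WS-Federation. Reading the Enabled
#    property is unambiguous, unlike inferring state from a GUI button label.
$ls = Get-AdfsEndpoint -AddressPath "/adfs/ls/"
if (-not $ls.Enabled) {
    Enable-AdfsEndpoint -TargetAddressPath "/adfs/ls/"
    $changed = $true
}

# 3. Primary intranet authentication: remove Windows (Kerberos/NTLM) auth so a
#    browser that is not domain-joined gets a forms login instead of a failure.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -contains "WindowsAuthentication") {
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @("FormsAuthentication")
    $changed = $true
}

# Endpoint and policy edits are picked up on service restart.
if ($changed) {
    Restart-Service adfssrv
}

# Print the resulting state so the run is auditable.
[pscustomobject]@{
    HostName            = (Get-AdfsProperties).HostName
    IdpInitiatedSignon  = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
    LsEndpointEnabled   = (Get-AdfsEndpoint -AddressPath "/adfs/ls/").Enabled
    IntranetPrimaryAuth = (Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider -join ","
}
```

Run it once to apply the changes and a second time to confirm it reports the expected state without changing anything; the second run should not restart the service.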

I refresh my browser to test. My test is successful! I love picking up steam! That completes part 3 for me, so now I'll try going back to Authentik and seeing if I can get it to connect to Active Directory.

Steps performed from desktop via browser

  • I log in to Authentik
  • I navigate to the Admin Interface
  • I go to Directory and click on Federation & Social Logins
  • I click on Create
    • I select LDAP Source
    • I click Next
    • Name: domain.local
    • Server URI: ldaps://dc-02.domain.local,ldaps://dc-03.domain.local,ldaps://dc-04.domain.local
    • I uncheck Enable StartTLS
    • Bind CN: [email protected]
    • Base DN: domain.local
    • User Property Mappings:
      • authentik default LDAP Mapping: Mail
      • authentik default LDAP Mapping: Name
      • authentik default Active Directory Mapping: givenName
      • authentik default Active Directory Mapping: sAMAccountName
      • authentik default Active Directory Mapping: sn
      • authentik default Active Directory Mapping: userPrincipalName
    • Group Property Mappings:
      • authentik default LDAP Mapping: Name
    • I click on Finish

So it's still doing the exact same thing it had done before. When I hit the Sync button it logs that I hit it but nothing ever syncs, and I see no errors or explanation for it. So where do I go from here with this? I'm honestly a little stumped. Well I think I'll start by making certain everything on the server is up to date.

Steps taken from AUTHENTIK-01

  • sudo apt update
  • sudo apt upgrade -y
  • sudo reboot
  • cd /apps/authentik
  • sudo docker-compose down
  • wget -O docker-compose.yml https://goauthentik.io/version/2023.8/docker-compose.yml
  • sudo docker-compose up -d

I wasn't expecting much, so I am not surprised when there is no change to the issue. When I hit the resync button it turns green for a few seconds and then back to blue. The event log shows the model was updated but it does not list ldap_sync_active-directory under System Tasks like the picture in their integration documentation. After a little google searching I came across this page.

Steps taken from AUTHENTIK-01

  • sudo docker-compose run --rm worker ldap_sync domain.local

This came back with a number of screens worth of text, but the error basically boiled down to:

In _validate_attribute_type raise LDAPInvalidDnError('attribute type not present')

OK, so it has something to do with the DN. What did I put for the DN again? domain.local. Well that won't work. So exactly how do I find the DN that Authentik would be looking for?

Steps performed on desktop via Windows Terminal

  • dsquery *
    • "DC=domain,DC=local"

So in Authentik I change the DN to DC=domain,DC=local
Poof! The sync status is showing a whole bunch of items synced now. Hooray! Wow, I am glad I actually made some progress with this!
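The root cause above is that a DNS name is not an LDAP distinguished name: every component of a DN has the form attributeType=value, and "domain.local" has no attribute type at all, which is what the ldap3 library inside authentik is complaining about. The script below is an added example, not from the original post or from authentik, for deriving the base DN from the domain's DNS name and sanity-checking a DN before pasting it into the LDAP source. The functions ConvertTo-BaseDn and Test-LdapDn are assumed names written here; the RootDSE query in the comment is the authoritative way to get the value from any domain-joined Windows host and needs no AD module.

```powershell
# Added example (not from the original post). ConvertTo-BaseDn and Test-LdapDn
# are helper names assumed for this illustration.

function ConvertTo-BaseDn {
    param([Parameter(Mandatory)][string]$DomainName)
    # Each DNS label becomes one DC= component, in the same left-to-right order:
    # domain.local -> DC=domain,DC=local
    $labels = @($DomainName.Trim().TrimEnd('.') -split '\.' | Where-Object { $_ -ne '' })
    if ($labels.Count -eq 0) { throw "empty domain name" }
    return ($labels | ForEach-Object { "DC=$_" }) -join ','
}

function Test-LdapDn {
    param([Parameter(Mandatory)][string]$Dn)
    # Every RDN must look like attributeType=value. A bare DNS name fails here,
    # which matches ldap3's LDAPInvalidDnError('attribute type not present').
    $rdnPattern = '^[A-Za-z][A-Za-z0-9-]*=.+$'
    foreach ($rdn in ($Dn -split ',')) {
        if ($rdn.Trim() -notmatch $rdnPattern) { return $false }
    }
    return $true
}

# Authoritative value from a domain-joined host, no AD module required:
#   ([adsi]"LDAP://RootDSE").defaultNamingContext
# Offline, the derived value should equal it.
$derived = ConvertTo-BaseDn 'domain.local'

# Constructed candidates: what was typed into authentik, the derived value,
# and a narrower search base to show the check is not specific to the root.
$candidates = @('domain.local', $derived, 'OU=Staff,DC=domain,DC=local')
foreach ($dn in $candidates) {
    [pscustomobject]@{ BaseDN = $dn; ValidDn = (Test-LdapDn $dn) }
}
```

If the derived value and the RootDSE defaultNamingContext disagree, trust RootDSE: a forest root or a renamed domain can have a naming context that does not line up with the DNS name you expect.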