Authentik Security, Part Twelve
Configure Authentik
Enable LDAPS
Part 3. Install and Configure Active Directory Federation Service (ADFS)
Today I am going to pick up where I left off yesterday. I am hoping I can finish up part 3 today.
Steps performed from desktop
- From a browser go to https://fs-01.domain.local/adfs/ls/idinitiatedsignon
The page loads with an error, which the walkthrough says is to be expected. To resolve the error I switch to PowerShell.
Steps performed from desktop via Windows Terminal
Get-AdfsProperties | Select-Object HostName, EnableIdpInitiatedSignonPage
FS-01.domain.local false
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
Get-AdfsProperties | Select-Object HostName, EnableIdpInitiatedSignonPage
FS-01.domain.local True
Awesome! When I refresh my browser it is loading without any errors now.
Steps performed on desktop via Server Manager
- Right click on DC-04 and open AD FS Management
- I expand Service
- I go to Endpoints
The guide then says to enable Token Issuance for SAML 2.0/WS-Federation but then shows a picture of the disable button. I'm guessing that's his way of knowing it is enabled?
- I go to Authentication Methods
- Under Primary Authentication Methods I click Edit
- Under Intranet I uncheck Windows Authentication
- I click OK
I refresh my browser to test. My test is successful! I love picking up steam! That completes part 3 for me, so now I'll try going back to Authentik and seeing if I can get it to connect to Active Directory.
Steps performed from desktop via browser
- I log in to Authentik
- I navigate to the Admin Interface
- I go to Directory and click on Federation & Social Logins
- I click on Create
- I select LDAP Source
- I click Next
- Name: domain.local
- Server URI: ldaps://dc-02.domain.local,ldaps://dc-03.domain.local,ldaps://dc-04.domain.local
- I uncheck Enable StartTLS
- Bind CN: [email protected]
- Base DN: domain.local
- User Property Mappings:
  authentik default LDAP Mapping: Mail
  authentik default LDAP Mapping: Name
  authentik default Active Directory Mapping: givenName
  authentik default Active Directory Mapping: sAMAccountName
  authentik default Active Directory Mapping: sn
  authentik default Active Directory Mapping: userPrincipalName
- Group Property Mappings:
  authentik default LDAP Mapping: Name
- I click on Finish
So it's still doing the exact same thing it had done before. When I hit the Sync button it logs that I hit it but nothing ever syncs, and I see no errors or explanation for it. So where do I go from here with this? I'm honestly a little stumped. Well, I think I'll start by making certain everything on the server is up to date.
Steps taken from AUTHENTIK-01
sudo apt update
sudo apt upgrade -y
sudo reboot
cd /apps/authentik
sudo docker-compose down
wget -O docker-compose.yml https://goauthentik.io/version/2023.8/docker-compose.yml
sudo docker-compose up -d
I wasn't expecting much, so I am not surprised when there is no change to the issue. When I hit the resync button it turns green for a few seconds and then back to blue. The event log shows the model was updated but it does not list ldap_sync_active-directory under System Tasks like the picture in their integration documentation. After a little Google searching I came across this page.
Steps taken from AUTHENTIK-01
sudo docker-compose run --rm worker ldap_sync domain.local
This came back with a number of screens worth of text, but the error basically boiled down to:
In _validate_attribute_type raise LDAPInvalidDnError('attribute type not present')
OK, so it has something to do with the DN. What did I put for the DN again? domain.local. Well, that won't work. So exactly how do I find the DN that Authentik would be looking for?
Steps performed on desktop via Windows Terminal
dsquery *
"DC=domain,DC=local"
So in Authentik I change the DN to DC=domain,DC=local
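The whole detour above comes down to two fields on the LDAP Source form: the Base DN must be a distinguished name (DC=domain,DC=local), not the DNS name of the domain, and StartTLS only applies to ldap:// URIs, since ldaps:// already wraps the connection in TLS. The following is an added example, not Authentik's code, that checks those form values before they ever reach a domain controller: it derives the default naming context from a DNS name, parses a DN the same simplified way RFC 4514 describes (which is what turns "domain.local" into the "attribute type not present" error seen above), and flags ldaps://+StartTLS or plaintext ldap:// without StartTLS. The field names and the sample values are constructed to mirror the post.

```python
"""Pre-flight checks for Authentik LDAP Source settings (added example, not Authentik code).

Mirrors the form fields used in the post (Server URI, Enable StartTLS, Bind CN,
Base DN) and catches the two mistakes an LDAPS-against-Active-Directory setup
most often trips over: a Base DN written as a DNS name, and a TLS mode that
does not match the URI scheme.
"""
import re
from urllib.parse import urlsplit

# RFC 4514 attribute types are a keyword (DC, OU, CN, ...) or a dotted OID.
_ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)$")


def dns_to_base_dn(domain: str) -> str:
    """Turn a DNS domain ("domain.local") into the AD default naming context."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def validate_dn(dn: str) -> list[str]:
    """Return the problems found in a DN; an empty list means it parses.

    Simplified RFC 4514: RDNs are split on unescaped commas, multi-valued RDNs
    on unescaped '+', and every attribute-value assertion needs 'type=value'.
    """
    problems = []
    for rdn in re.split(r"(?<!\\),", dn):
        for ava in re.split(r"(?<!\\)\+", rdn):
            if "=" not in ava:
                # This is the condition behind LDAPInvalidDnError('attribute type not present').
                problems.append(f"RDN {ava!r}: attribute type not present")
                continue
            attr, value = ava.split("=", 1)
            if not _ATTR_TYPE.match(attr.strip()):
                problems.append(f"RDN {ava!r}: invalid attribute type {attr!r}")
            if value.strip() == "":
                problems.append(f"RDN {ava!r}: empty value")
    return problems


def check_ldap_source(server_uri: str, start_tls: bool, bind_cn: str, base_dn: str) -> list[str]:
    """Validate the four form fields; returns a list of findings (empty = looks sane)."""
    findings = []
    uris = [u.strip() for u in server_uri.split(",") if u.strip()]
    if not uris:
        findings.append("Server URI: no servers given")
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{uri}: scheme must be ldap:// or ldaps://")
            continue
        if not parts.hostname:
            findings.append(f"{uri}: missing host")
        if parts.scheme == "ldaps" and start_tls:
            findings.append(f"{uri}: StartTLS is for ldap://; ldaps:// already wraps TLS")
        if parts.scheme == "ldap" and not start_tls:
            findings.append(f"{uri}: plaintext LDAP without StartTLS; bind credentials "
                            "and directory data would travel unencrypted")
    # Against Active Directory the bind identity may be a DN or a UPN (user@domain).
    if "=" not in bind_cn and "@" not in bind_cn:
        findings.append("Bind CN: expected a DN (CN=...,DC=...) or a UPN (user@domain)")
    dn_problems = validate_dn(base_dn)
    if dn_problems:
        hint = ""
        if "=" not in base_dn and "." in base_dn:
            hint = f" (looks like a DNS name; did you mean {dns_to_base_dn(base_dn)!r}?)"
        findings.extend(problem + hint for problem in dn_problems)
    return findings


if __name__ == "__main__":
    # Constructed values mirroring the post's form; the bind account name is made up.
    for finding in check_ldap_source(
        "ldaps://dc-02.domain.local,ldaps://dc-03.domain.local,ldaps://dc-04.domain.local",
        start_tls=False,
        bind_cn="svc-authentik@domain.local",
        base_dn="domain.local",
    ):
        print(finding)
```

Run with the values from the form and the only finding is the Base DN one, with the DC=domain,DC=local suggestion that dsquery produced; fix the DN and the check comes back empty. Ticking Enable StartTLS while keeping ldaps:// URIs would be reported as a mismatch rather than silently failing at connect time.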
Poof! The sync status is showing a whole bunch of items synced now. Hooray! Wow, I am glad I actually made some progress with this!