Add an Active Directory Asset - in 6.0.10 SPP

Hello Safeguard Experts,

I am adding an Active Directory (Product) Asset, and I have a very basic question. My client's Active Directory domain is not discoverable by the domain name. And I don't see a field where I can enter an IP address.

Does SPP allow/work by using an IP address in the Domain Name field? I am getting an error "No reachable domain controllers found". But I am able to telnet IP:636 and IP:389 from the SPP network diagnostic tool.

I wanted to share the screenshots but I am unable to do that in this post. Insert is asking me to add a link instead of browsing the files. 

Appreciate an early response.

Thanks,

Rajeeb

  • Hi Rajeeb,

    The 6.0.x LTS version of SPP currently depends on DNS to resolve the Domain Controllers in the Domain.

    We did add this as a feature in the Feature release branch of SPP, which allows specifying a Domain Controller (where you can use an IP address). This requires upgrading to the Feature release; the latest feature release, 6.11, has this option.

    Once upgraded to the latest feature release version of SPP > Under Identity and authentication > Select the AD domain provider > edit > expand Advanced drop down > enable Specify Domain Controller check box to add the Domain Controller for the domains required.

    ----------

    Information on this feature from the Admin guide states the following:

    Domain Controllers (for Active Directory)

    Instead of having Safeguard for Privileged Passwords automatically find domain controllers from a DNS and CLDAP ping, you can specify domain controllers.

    In the desktop client, select Specify domain controllers. In the text box, enter the network addresses, which may be DNS names or IP addresses, separated by spaces, commas, or semicolons. If you have multi-domains, you must provide a domain controller for every domain. Do not enter the domain itself.

    The domain controllers are used in the order entered. During the test connection from the Connection tab, if SPP does not find a domain controller in the list, the test connection fails and an error is returned.

    Adding a read-only domain controller will be limited in functionality. For example, login will work but password or SSH key check and change will not work.

    During a process, if one domain controller does not respond, the processes continue with the next domain controller. The non-responsive domain controller is blocked for about 5 minutes.

    ----------

    Thanks!

  • Thanks Tawfiq.

    We upgraded our non-prod environment to 6.11 and I can see the option to add a domain controller. Now,

    1. I am able to telnet my domain controller (IP address) over 636 from the SPP network diagnostic tool - this confirms that the network path is open

    2. I am able to connect to the domain controller (IP address) over 636 using Apache Directory Studio - that means my service account and password are working

    But when I tried adding this as an asset, I used the domain name, checked the domain controller check box, used the IP address of the domain controller, and then used the same username and password that I used in Apache Directory Studio. The connection showed it was connecting, progressed to 11% and then failed. The error in the event log says "Failed with error: (0x8002=7203A) The server is not operational". I don't understand that. I wish I could upload some screenshots, but there is no option to upload here (it asks for a link only).

    I am able to connect to the same domain controller through Apache Directory Studio but can't connect through SPP.

    Any advice? I am going to raise a service ticket too.

    Regards,

    Rajeeb

  • Hi Rajeeb,

    Thanks for the update.

    Try without the option for Use SSL to see if that makes a difference. If it works without SSL then it could be related to the certificate using the hostname rather than the IP address, so you may have to specify the domain controller using the DC's FQDN rather than IP.

    If the issue persists, our support team will follow up with you via the service request that I see you had opened with us.

    Thanks!
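    The hostname-versus-IP certificate point above can be checked directly from a Windows host before touching SPP. The PowerShell script below is an added example, not code from this thread or from One Identity: it performs only the TLS handshake against the LDAPS port, records the certificate the domain controller presents, and reports whether the address you dialled appears in the certificate's Subject Alternative Name, which is the check a verifying client makes. The target name dc01.mydomain.abc.com and the script name are placeholders, and the SAN parsing assumes Windows' text rendering of the extension ("DNS Name=..." / "IP Address=..." one per line).

```powershell
# Added example (not from the thread or from One Identity). Captures the certificate an LDAPS
# endpoint presents and checks whether the address you dial (IP or FQDN) is listed in its
# Subject Alternative Name, which is what a verifying client such as SPP with "Verify SSL"
# checks. Save as Test-LdapsCertName.ps1 (placeholder name) and run on a Windows host.
param(
    [string]$Target = 'dc01.mydomain.abc.com',   # placeholder: the IP or FQDN you entered in SPP
    [int]$Port = 636
)

function Get-LdapsServerCertificate {
    # TLS handshake only; the callback records the certificate and .NET's own verdict and
    # returns $true because this is a diagnostic capture, not a trust decision.
    param([string]$HostName, [int]$Port)
    $state = @{ Cert = $null; Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # handshake with the same name/IP we dialled
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }
    return $state
}

function Get-SubjectAlternativeNames {
    # Parses the SAN extension (OID 2.5.29.17). Assumes Windows' text rendering, one entry per
    # line such as "DNS Name=dc01.mydomain.abc.com" or "IP Address=10.0.0.5".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    $entries = foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*(?<kind>[^=]+?)\s*=\s*(?<value>.+?)\s*$') {
            [pscustomobject]@{ Kind = $Matches.kind; Value = $Matches.value }
        }
    }
    return @($entries)
}

function Test-CertificateCoversTarget {
    # Mirrors the name check a verifying client performs: an IP address matches only a literal
    # "IP Address" SAN entry (never a DNS entry); a host name matches a DNS entry exactly or a
    # wildcard entry that covers exactly one label.
    param([string]$Target, [object[]]$Names)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
        return [bool]($Names | Where-Object { $_.Kind -like 'IP*' -and $_.Value -eq $ip.ToString() })
    }
    foreach ($n in @($Names | Where-Object { $_.Kind -like 'DNS*' })) {
        if ($Target -ieq $n.Value) { return $true }
        if ($n.Value.StartsWith('*.') -and
            $Target -imatch ('^[^.]+' + [regex]::Escape($n.Value.Substring(1)) + '$')) { return $true }
    }
    return $false
}

$result = Get-LdapsServerCertificate -HostName $Target -Port $Port
$names  = Get-SubjectAlternativeNames -Cert $result.Cert
Write-Host "Subject      : $($result.Cert.Subject)"
Write-Host "Issuer       : $($result.Cert.Issuer)"
Write-Host "Expires      : $($result.Cert.NotAfter)"
Write-Host ".NET verdict : $($result.Errors)"   # RemoteCertificateNameMismatch is the IP-vs-FQDN symptom
foreach ($n in $names) { Write-Host "  SAN $($n.Kind) = $($n.Value)" }
if (Test-CertificateCoversTarget -Target $Target -Names $names) {
    Write-Host "OK: '$Target' is covered by the certificate, so 'Verify SSL' can pass for this address."
} else {
    Write-Host "MISMATCH: '$Target' is not in the SAN list; a verifying client rejects it. Specify the DC by one of the DNS names above."
}
```

    Run it once with the IP address and once with the DC's FQDN: if the IP run reports RemoteCertificateNameMismatch while the FQDN run is clean, the certificate simply has no IP entry in its SAN, and the fix is to reference the DC by the listed DNS name (and to have SPP resolve it) rather than to disable SSL verification.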


  • Hi Group,

    Thought I'd give you all an update and something to think about as a possible enhancement to the AD integration configuration.

    1. We opened the 389, 3268, 636, 3269 ports

    2. We have 4 DCs in our non-prod; got all their certs (cert chains included) into the SPP trust store

    3. Updated the DNS server to resolve the IP addresses of the domain controllers' FQDNs

    4. Connected over 389 first and then switched to 636. It took a few tries, but finally got connected. Successfully discovered assets and accounts

    But for Prod, we might not take the same approach. We will have to connect over 636 and 3269 only as our client has a requirement to pass the pen test before moving to Prod.

    A few insights from our investigations:

    We understood that SPP performs two steps to add a directory asset. In the desktop client, it does both steps in one go, hence the debug errors are very confusing.

    1. Test Connection - it works well if your ports are open and you have the certs installed in the SPP trust store. Try this with the Swagger API or through the Web Client to be more sure.

    2. Discover Schema (User, Computer and Group) - for this it calls its own API 3 times. You will see a "discover schema failed" error as well if you are not lucky:

    IP/.../DiscoverSchema
    IP/.../DiscoverSchema
    IP/.../DiscoverSchema

    My analysis (I could be wrong) is that when the directory schema object data is requested, read, encrypted and the response payload is sent back over a network that traverses multiple hops (in my case from my org's Azure cloud tenancy to the client org's Azure cloud tenancy to the client's data center), the request is timing out. The error below caught my eye (red lines):

    System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.
    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)

    We tried reading the schema from the Swagger API after increasing "CommandTimeout": 300, and it started working. The default timeout is 20 sec. I could be wrong, but we updated the asset over the Swagger API with the increased command timeout and it worked. I have reported this to the support helpdesk for further investigation.

    Thanks,

    Rajeeb

    Detailed Log ->

    2021-10-04T01:37:42.517Z [Information] ( 093) {LocalizedActionFilterAttribute.OnActionExecuting} Starting action: [SPP Super Admin (12)] POST 10.29.56.137/.../DiscoverSchema (AssetsController.DiscoverSchemaAsync)
    2021-10-04T01:37:42.568Z [Debug] ( 093) {} Using 'ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Verify SSL)' server
    2021-10-04T01:37:42.570Z [Debug] ( 093) {LdapConfigurationFactory.GetLdapConfig} Using ldap config for server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)"
    2021-10-04T01:37:42.976Z [Debug] ( 093) {} Using 'ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Verify SSL)' server
    2021-10-04T01:37:42.978Z [Debug] ( 093) {LdapConfigurationFactory.GetLdapConfig} Using ldap config for server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)"
    2021-10-04T01:37:42.978Z [Information] ( 093) {DirectorySearch.PagedQuery} Invoking paged query on '"CN=mydomaincontroller,CN=Servers,CN=NonProd-PRT,CN=Sites,CN=Configuration,DC=mydomain,DC=abc,DC=com"' with scope 'Base' and filter '"(objectClass=*)"'
    2021-10-04T01:37:43.370Z [Debug] ( 093) {} Using 'ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Verify SSL)' server
    2021-10-04T01:37:43.373Z [Debug] ( 093) {LdapConfigurationFactory.GetLdapConfig} Using ldap config for server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)"
    2021-10-04T01:37:43.374Z [Information] ( 093) {DirectorySearch.PagedQuery} Invoking paged query on '"CN=mydomaincontroller,OU=Domain Controllers,DC=mydomain,DC=abc,DC=com"' with scope 'Base' and filter '"(objectClass=*)"'
    2021-10-04T01:37:43.766Z [Debug] ( 093) {} Clear cached servers for 'mydomain.abc.com-41'
    2021-10-04T01:37:43.769Z [Debug] ( 093) {ForestServerCache.GetNextDomainServer} Searching for DomainController server for domain mydomain.abc.com. UseSsl: True, VerifySsl: True, IsWritable: False
    2021-10-04T01:37:43.770Z [Debug] ( 093) {ForestServerCache.GetNextDomainServer} Selected 'ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Verify SSL)' server
    2021-10-04T01:37:43.772Z [Debug] ( 093) {LdapConfigurationFactory.GetLdapConfig} Using ldap config for server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)"
    2021-10-04T01:37:44.161Z [Information] ( 093) {} Searching for forest domains for NonProd NonSSL
    2021-10-04T01:37:44.164Z [Debug] ( 093) {ForestServerCache.GetNextDomainServer} Searching for DomainController server for domain mydomain.abc.com. UseSsl: True, VerifySsl: True, IsWritable: False
    2021-10-04T01:37:44.165Z [Debug] ( 093) {LdapConfigurationFactory.GetLdapConfig} Using ldap config for server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)"
    2021-10-04T01:37:44.166Z [Information] ( 093) {DirectorySearch.PagedQuery} Invoking paged query on '"CN=Partitions,CN=Configuration,DC=mydomain,DC=abc,DC=com"' with scope 'OneLevel' and filter '"(&(objectClass=CrossRef)(systemFlags=3))"'
    2021-10-04T01:37:44.555Z [Debug] ( 093) {} Look up domain unique IDs for domain 'mydomain.abc.com'
    2021-10-04T01:37:44.558Z [Debug] ( 093) {ForestServerCache.GetNextDomainServer} Searching for DomainController server for domain mydomain.abc.com. UseSsl: True, VerifySsl: True, IsWritable: False
    2021-10-04T01:37:44.559Z [Debug] ( 093) {LdapConfigurationFactory.GetLdapConfig} Using ldap config for server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)"
    2021-10-04T01:37:44.561Z [Information] ( 093) {DirectorySearch.PagedQuery} Invoking paged query on '"DC=mydomain,DC=abc,DC=com"' with scope 'Base' and filter '"(objectClass=*)"'
    2021-10-04T01:37:44.956Z [Debug] ( 093) {} Searching for forest schema
    2021-10-04T01:37:44.959Z [Debug] ( 093) {ForestServerCache.GetNextDomainServer} Searching for DomainController server for domain mydomain.abc.com. UseSsl: True, VerifySsl: True, IsWritable: False
    2021-10-04T01:37:44.960Z [Debug] ( 093) {LdapConfigurationFactory.GetLdapConfig} Using ldap config for server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)"
    2021-10-04T01:37:44.962Z [Debug] ( 093) {} Invoking query on '"CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=abc,DC=com"' with scope 'Base'
    2021-10-04T01:37:45.659Z [Debug] ( 093) {ForestServerCache.GetNextDomainServer} Searching for DomainController server for domain mydomain.abc.com. UseSsl: True, VerifySsl: True, IsWritable: False
    2021-10-04T01:37:45.662Z [Debug] ( 093) {LdapConfigurationFactory.GetLdapConfig} Using ldap config for server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)"
    2021-10-04T01:37:45.662Z [Information] ( 093) {DirectorySearch.PagedQuery} Invoking paged query on '"CN=Schema,CN=Configuration,DC=mydomain,DC=abc,DC=com"' with scope 'OneLevel' and filter '"(objectClass=classSchema)"'
    2021-10-04T01:37:53.635Z [Debug] ( 018) {SecureRouter.ProcessIncoming} Message received from 327857313.f9b7dd5947de4ed38f6d750523f176b1.PangaeaWatchdog
    2021-10-04T01:37:53.638Z [Debug] ( 159) {} Returning health check response
    2021-10-04T01:37:53.644Z [Debug] ( 159) {} [SqlConnectionFactory] CheckLists Cached Total Keys: 1. Total Connections: 1. Closing: 0
    2021-10-04T01:37:53.645Z [Debug] ( 159) {} [SqlConnectionFactory] Connections: (75750:197) default/
    2021-10-04T01:37:53.646Z [Debug] ( 159) {} [SqlConnectionFactory] CheckLists InUse Total Keys: 1. Total Connections: 0. Closing: 0
    2021-10-04T01:37:53.648Z [Debug] ( 159) {} [SqlConnectionFactory] Connections:
    2021-10-04T01:37:53.651Z [Debug] ( 159) {ApplianceBusMiniService.SendMessage} (f9b7dd5947de4ed38f6d750523f176b1.PangaeaWatchdog) Sending 'HealthCheck' message. Size: 329
    2021-10-04T01:37:53.652Z [Debug] ( 159) {SecureDealer.SendSocketMessage} Sending message to PangaeaWatchdog
    2021-10-04T01:37:53.654Z [Debug] ( 159) {CoreBusMiniService.ProcessMessageAsync} (f9b7dd5947de4ed38f6d750523f176b1.PangaeaWatchdog) Received 'HealthCheck' message. Size: 130
    2021-10-04T01:38:16.390Z [Error] ( 093) {DirectorySearch.Query} Could not connect to server "ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)" for domain "mydomain.abc.com"
    System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.
    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
    at LinqToLdap.QueryCommands.StandardQueryCommand.HandlePagedRequest(DirectoryConnection connection, PageResultRequestControl pageRequest, ILinqToLdapLogger log)
    at LinqToLdap.QueryCommands.StandardQueryCommand.Execute(DirectoryConnection connection, SearchScope scope, Int32 maxPageSize, Boolean pagingEnabled, ILinqToLdapLogger log, String namingContext)
    at LinqToLdap.DirectoryQueryProvider.Execute(Expression expression)
    at LinqToLdap.QueryProvider.Execute[TResult](Expression expression)
    at LinqToLdap.QueryableExtensions.ToPage[TSource](IQueryable`1 source, Int32 pageSize)
    at Pangaea.Common.DirectoryServices.DirectorySearch.PagedQuery[T](DirectoryContext context, String searchBase) in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\DirectorySearch.cs:line 273
    at Pangaea.Common.DirectoryServices.DirectorySearch.Query[T](Func`3 f) in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\DirectorySearch.cs:line 164
    2021-10-04T01:38:16.393Z [Information] ( 093) {} Marking 'ldaps:\\xx.xx.xx.xx@mydomain.abc.com:636 (Read-Only) (Verify SSL)' as unreachable
    2021-10-04T01:38:16.394Z [Debug] ( 093) {ForestServerCache.GetNextDomainServer} Searching for DomainController server for domain mydomain.abc.com. UseSsl: True, VerifySsl: True, IsWritable: False
    2021-10-04T01:38:16.397Z [Warning] ( 093) {UnhandledExceptionErrorAttribute.OnException} Executed action: [SPP Super Admin (12)]POST 10.29.56.137/.../DiscoverSchema = 400 BadRequest
    LocalizationKeyException: (60301) No reachable 'DomainController' servers found for domain 'mydomain.abc.com'.
    at Pangaea.Common.DirectoryServices.ForestServerCache.GetWorkingSet in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\ForestServerCache.cs line 218
    at Pangaea.Common.DirectoryServices.ForestServerCache.GetNextDomainServer in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\ForestServerCache.cs line 89
    at Pangaea.Common.DirectoryServices.LdapServerDiscovery.GetPreferredDirectoryServer in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\LdapServerDiscovery.cs line 71
    at Pangaea.Common.DirectoryServices.LdapConfigurationBuilder.Build in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\LdapConfigurationBuilder.cs line 94
    at Pangaea.Common.DirectoryServices.DirectorySearch.Query in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\DirectorySearch.cs line 137
    at Pangaea.Common.DirectoryServices.ActiveDirectoryUtils.LookupSchema in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\ActiveDirectoryUtils.cs line 21
    at Pangaea.Common.DirectoryServices.Extensions.ActiveDirectoryProviderExtensions.GetSchema in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\Extensions\ActiveDirectoryProviderExtensions.cs line 61
    at Pangaea.Common.DirectoryServices.Extensions.ActiveDirectoryProviderExtensions.Initialize in E:\Build2\work\c8070d00f024f513\src\Common\DirectoryServices\Extensions\ActiveDirectoryProviderExtensions.cs line 36
    at Pangaea.Data.Middleware.Core.V3.IdentityProviders.DirectoryProviderLogic.<GetSchemaAsync>d__10.MoveNext in E:\Build2\work\c8070d00f024f513\src\Data\Middleware\Core\V3\IdentityProviders\DirectoryProviderLogic.cs line 191
    at Pangaea.Service.Core.Controllers.AssetsController.<DiscoverSchemaAsync>d__87.MoveNext in E:\Build2\work\c8070d00f024f513\src\Service\Core\Controllers\V3\Partitions\AssetsController_DirectorySearch.cs line 255
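    A way to separate "the schema read is slow over this path" from "the connection is broken" without involving SPP is to issue the same query the log shows timing out from a Windows host you control. The PowerShell script below is an added example, not code from this thread or from One Identity. It uses System.DirectoryServices.Protocols, the .NET API visible in the stack trace above, to bind over LDAPS, read schemaNamingContext from the RootDSE, and run the paged OneLevel search for (objectClass=classSchema) under it, timing every page and using the connection's client-side request timeout (the limit whose expiry produces the "client side timeout limit was exceeded" LdapException). The server name and script name are placeholders, simple bind over TLS is an assumption about how you authenticate, and whether SPP's CommandTimeout maps onto this same limit is also an assumption; the point is to measure how long the schema read takes end to end before changing the appliance setting.

```powershell
# Added example (not from the thread or from One Identity). Reproduces the Discover Schema
# query from the log (paged OneLevel search under the schema naming context for
# objectClass=classSchema) with an explicit client-side timeout and per-page timing.
# Save as Measure-AdSchemaRead.ps1 (placeholder name) and run from a Windows host.
param(
    [string]$Server = 'dc01.mydomain.abc.com',  # placeholder: DC FQDN (must match its certificate for LDAPS)
    [int]$Port = 636,
    [int]$TimeoutSeconds = 20,    # 20 s is the default the thread reports; try 300 to mirror CommandTimeout
    [int]$PageSize = 500,
    [pscredential]$Credential = (Get-Credential -Message 'Service account (DOMAIN\user or UPN)')
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldaps {
    param([string]$Server, [int]$Port, [pscredential]$Credential, [int]$TimeoutSeconds)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636; the server certificate is verified by default
    # Client-side request timeout: the limit the log's LdapException says was exceeded
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $conn.Bind()   # simple bind over TLS (assumption; adjust AuthType to match your environment)
    return $conn
}

function Get-SchemaNamingContext {
    # RootDSE read: empty base DN, Base scope, one attribute
    param($Conn)
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, @('schemaNamingContext'))
    $resp = $Conn.SendRequest($req)
    return [string]$resp.Entries[0].Attributes['schemaNamingContext'][0]
}

function Measure-SchemaRead {
    # Same search as the log: OneLevel under CN=Schema,CN=Configuration,... for classSchema objects,
    # fetched with the paged-results control so each round trip is timed separately.
    param($Conn, [string]$SchemaNc, [int]$PageSize)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($SchemaNc, '(objectClass=classSchema)', [System.DirectoryServices.Protocols.SearchScope]::OneLevel, @('lDAPDisplayName'))
    $pageCtl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    [void]$req.Controls.Add($pageCtl)
    $total = 0; $pages = 0
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    do {
        $pageSw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $resp = $Conn.SendRequest($req)
        } catch [System.DirectoryServices.Protocols.LdapException] {
            # Same exception type as in the SPP log; the message says whether it was the client timeout
            Write-Host ("Page {0} failed after {1:F1} s: {2}" -f ($pages + 1), $pageSw.Elapsed.TotalSeconds, $_.Exception.Message)
            return [pscustomobject]@{ Classes = $total; Pages = $pages; Seconds = $sw.Elapsed.TotalSeconds; TimedOut = $true }
        }
        $pages++
        $total += $resp.Entries.Count
        Write-Host ("Page {0}: {1} classes in {2:F1} s" -f $pages, $resp.Entries.Count, $pageSw.Elapsed.TotalSeconds)
        $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $pageCtl.Cookie = $pageResp.Cookie   # empty cookie means the server has no more pages
    } while ($pageCtl.Cookie.Length -gt 0)
    return [pscustomobject]@{ Classes = $total; Pages = $pages; Seconds = $sw.Elapsed.TotalSeconds; TimedOut = $false }
}

$conn = Connect-Ldaps -Server $Server -Port $Port -Credential $Credential -TimeoutSeconds $TimeoutSeconds
try {
    $schemaNc = Get-SchemaNamingContext -Conn $conn
    Write-Host "Bound to ${Server}:$Port; schema naming context: $schemaNc"
    $r = Measure-SchemaRead -Conn $conn -SchemaNc $schemaNc -PageSize $PageSize
    if ($r.TimedOut) {
        Write-Host "Schema read did not finish within the $TimeoutSeconds s client timeout after $($r.Pages) page(s); re-run with a larger -TimeoutSeconds or a smaller -PageSize and compare."
    } else {
        Write-Host ("Read {0} classSchema objects in {1} page(s), {2:F1} s total" -f $r.Classes, $r.Pages, $r.Seconds)
    }
} finally {
    $conn.Dispose()
}
```

    If the RootDSE read and the first pages return quickly but a later page or the total exceeds 20 s, the symptom is latency on the multi-hop path rather than a connectivity or certificate fault, which is consistent with the observation above that raising the command timeout made the discovery succeed. If the bind itself fails, the problem is upstream of any timeout and the certificate and port checks earlier in the thread apply.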