Resolved AndrewBond

    (@andrewbond)


    I can log on with AD, but not with SSO.
    Account suffix on the "User" page is set to @domain.com.
    I logged on with the mySAM user name and tried to open the site home page.
    The site opens without the user bar.
    Log records:
    2023-09-18T09:51:59.684270+00:00 [DEBUG] Dreitier\Nadi\Authentication\SingleSignOn\Service::findUsername [line 250] SSO provided username for environment variable "REMOTE_USER" is "mySAM'
    2023-09-18T09:51:59.684550+00:00 [DEBUG] Dreitier\Nadi\Authentication\LoginService::getWordPressUser [line 479] Local WordPress user 'mySAM' could not be found
    2023-09-18T09:51:59.684759+00:00 [DEBUG] Dreitier\Nadi\Authentication\SingleSignOn\Profile\Locator::locateBySuffix [line 95] Looking up SSO profile by UPN suffix fallback for credential 'Credentials={login='mySAM',sAMAccountName='mySAM',userPrincipalName='mySAM',netbios='',objectGuid='',wordPressUserId='',kerberosRealm=''}'
    2023-09-18T09:52:00.025217+00:00 [DEBUG] Dreitier\Nadi\Authentication\SingleSignOn\Profile\Locator::locate [line 66] Profile match:
    2023-09-18T09:52:00.025314+00:00 [ERROR] Dreitier\Nadi\Authentication\SingleSignOn\Service::authenticate [line 160] User could not be authenticated using SSO. Unable to locate a matching profile for 'mySAM'
    
    But if I log on using wp-login.php, I can access WordPress and see my login on the "Users" page with the [NADI User] flag set.
    I can log in with only sAMAccount or sAMAccount + domain. Both accounts are working.
    
    When I use the "Test authentication" page, I successfully log on. Log output is:
    
    INFO System Information:
    INFO - PHP: "8.1.12"
    INFO - WordPress: "6.3.1"
    INFO - Active Directory Integration: "3.0"
    INFO - Operating System: "Linux wp.domain.com 5.4.0-110-generic Ubuntu SMP Mon Apr 10 21:37:12 UTC 2023 x86_64"
    INFO - Web Server: "fpm-fcgi"
    INFO - adLDAP: "3.3.3 EXTENDED (20221201)"
    INFO *** Establishing Active Directory connection ***
    INFO A user tries to log in.
    DEBUG Credentials={login='mySAM',sAMAccountName='mySAM',userPrincipalName='mySAM',netbios='',objectGuid='',wordPressUserId='',kerberosRealm=''}' with authenticatable suffixes: '@DOMAIN.COM'.
    INFO LDAP connection is not encrypted
    DEBUG account_suffix =
    DEBUG base_dn = DC=domain,DC=com
    DEBUG domain_controllers = domain.com
    DEBUG ad_port = 389
    DEBUG use_tls =
    DEBUG use_ssl =
    DEBUG network_timeout = 5
    DEBUG allow_self_signed =
    DEBUG ad_username =
    DEBUG ad_password =
    WARNING Username for the sync user does not contain a correct suffix. If the connection to the ad fails, this could be the cause. Please make sure you have added all UPN suffixes to the configuration tab User -> Account suffix.
    DEBUG Trying to authenticate user with username 'mySAM' and account suffix '@DOMAIN.COM'
    DEBUG Authentication successful for username 'mySAM' and account suffix '@DOMAIN.COM'.
    WARNING Query 'UserQuery={principal='[email protected]',isGuid=''}' did not return any values. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? Is the Kerberos realm mapped
    DEBUG UserInfo for user 'UserQuery={principal='mySAM',isGuid=''}': cn={mySurname, myName}, sn={mySurname}, description={myName mySurname}, givenname={myName}, displayname={myName mySurname}, objectguid={59a23c-1111-4234-2222-f346710a44a}, useraccountcontrol={512}, objectsid={H3N?jP4U?D?u}}, samaccountname={mySAM}, userprincipalname={[email protected]}, mail={[email protected]}
    [STATUS] User logged on.
    
    What am I doing wrong?
Viewing 5 replies - 1 through 5 (of 5 total)
  Plugin Author schakko

    (@schakko)

    The Account suffix does not apply to SSO authentication, due to technical reasons.

    You have two options:

    1. Append the user's UPN suffix in your webserver's Kerberos authentication module
    2. Use the filter from https://docs.active-directory-wp.com/API/Authentication.html to manually rewrite the credentials on each login:

    add_filter('next_ad_int_auth_configure_credentials', function($credential) {
        // replace with the UPN suffix of your forest (without the leading '@')
        $credential->setUpnSuffix('your-upn-suffix.domain');
        return $credential;
    }, 10, 1);
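
As an added example (not code from the NADI plugin or from this thread), the filter above written so that a bare sAMAccountName handed over by the web server's SSO module (as in the "REMOTE_USER" is "mySAM" log line) gets the configured UPN suffix, while a login that already arrives in UPN form is left alone. It assumes the Credentials object also exposes a getLogin() accessor (only setUpnSuffix() is shown in the thread) and uses 'domain.com' as a placeholder suffix; drop it into a must-use plugin or the theme's functions.php.

```php
<?php
// Added example, not part of the NADI plugin. Placeholder suffix: replace
// with the UPN suffix of your own forest, without the leading '@'.
const NADI_EXAMPLE_UPN_SUFFIX = 'domain.com';

/**
 * Decide which UPN suffix to apply for the login the SSO module supplied.
 * Returns null when nothing should be changed. The suffix always comes from
 * configuration, never from the request, so the value in REMOTE_USER cannot
 * steer the profile lookup into a different realm.
 */
function nadi_example_suffix_for_login(string $login): ?string
{
    $login = trim($login);
    if ($login === '') {
        return null; // nothing to rewrite, let the plugin reject it
    }
    // Already "user@suffix": keep it, do not append a second suffix.
    if (str_contains($login, '@')) {
        return null;
    }
    // Bare sAMAccountName such as "mySAM": attach the configured suffix.
    return NADI_EXAMPLE_UPN_SUFFIX;
}

add_filter('next_ad_int_auth_configure_credentials', function ($credential) {
    // getLogin() is assumed here; the thread only shows setUpnSuffix().
    $suffix = nadi_example_suffix_for_login((string) $credential->getLogin());
    if ($suffix !== null) {
        $credential->setUpnSuffix($suffix);
    }
    return $credential;
}, 10, 1);
```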

    Thread Starter AndrewBond

    (@andrewbond)

    Thank you for the support!

    I changed wordpress.conf for nginx, as:
    fastcgi_param HTTP_X_REMOTE_USER [email protected];

    In my AD, sAMAccount is different from UPN:
    sAMAccountName = mySAM
    UPN = [email protected]

    I still cannot log in, but the log is different now:

    2023-09-18T12:28:46.824502+00:00 [DEBUG] Dreitier\Nadi\Authentication\SingleSignOn\Service::findUsername [line 250] SSO provided username for environment variable "HTTP_X_REMOTE_USER" is "[email protected]'
    2023-09-18T12:28:46.824653+00:00 [DEBUG] Dreitier\Nadi\Authentication\LoginService::getWordPressUser [line 479] Local WordPress user '[email protected]' could not be found
    2023-09-18T12:28:46.824842+00:00 [DEBUG] Dreitier\Nadi\Authentication\SingleSignOn\Profile\Locator::locateBySuffix [line 82] Looking up SSO profile by Kerberos realm for credential 'Credentials={login='[email protected]',sAMAccountName='mySAM',userPrincipalName='[email protected]',netbios='',objectGuid='',wordPressUserId='',kerberosRealm=''}'
    2023-09-18T12:28:47.156199+00:00 [DEBUG] Dreitier\Nadi\Authentication\SingleSignOn\Profile\Locator::locate [line 66] Profile match: Match={type='kerberos_realm'}
    2023-09-18T12:28:47.156236+00:00 [DEBUG] Dreitier\Nadi\Authentication\SingleSignOn\Service::delegateAuth [line 191] Valid SSO profile for type 'kerberos_realm' found
    2023-09-18T12:28:47.156293+00:00 [INFO] Dreitier\Ldap\Connection::createConfiguration [line 122] LDAP connection is not encrypted
    2023-09-18T12:28:47.156317+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] account_suffix =
    2023-09-18T12:28:47.156335+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] base_dn = DC=domain,DC=com
    2023-09-18T12:28:47.156351+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] domain_controllers = domain.com
    2023-09-18T12:28:47.156367+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] ad_port = 389
    2023-09-18T12:28:47.156383+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] use_tls =
    2023-09-18T12:28:47.156398+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] use_ssl =
    2023-09-18T12:28:47.156413+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] network_timeout = 5
    2023-09-18T12:28:47.156427+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] allow_self_signed =
    2023-09-18T12:28:47.156442+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] ad_username = [email protected]
    2023-09-18T12:28:47.156457+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] ad_password = *** protected password ***
    2023-09-18T12:28:47.160204+00:00 [WARNING] Dreitier\Ldap\Connection::findAttributesOfUser [line 415] Query 'UserQuery={principal='[email protected]',isGuid=''}' did not return any values. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? Is the Kerberos realm mapped
    2023-09-18T12:28:47.160923+00:00 [DEBUG] Dreitier\Ldap\Connection::findAttributesOfUser [line 424] UserInfo for user 'UserQuery={principal='mySAM',isGuid=''}': cn={Doe, John}, sn={Doe}, description={John Doe}, givenname={John}, displayname={John Doe}, objectguid={5233eabc-1111-2222-87a5-f3b0a110a44a}, useraccountcontrol={512}, objectsid={^A^E^@^@^@^E^U^@^@^@1111191>jPVU<8e>D?u}^D^@^@}, samaccountname={mySAM}, userprincipalname={[email protected]}, mail={[email protected]}
    2023-09-18T12:28:47.160987+00:00 [INFO] Dreitier\Nadi\Authentication\LoginService::authenticate [line 142] A user tries to log in.
    2023-09-18T12:28:47.161021+00:00 [INFO] Dreitier\Ldap\Connection::createConfiguration [line 122] LDAP connection is not encrypted
    2023-09-18T12:28:47.161041+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] account_suffix =
    2023-09-18T12:28:47.161059+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] base_dn = DC=domain,DC=com
    2023-09-18T12:28:47.161075+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] domain_controllers = domain.com
    2023-09-18T12:28:47.161090+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] ad_port = 389
    2023-09-18T12:28:47.161105+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] use_tls =
    2023-09-18T12:28:47.161125+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] use_ssl =
    2023-09-18T12:28:47.161141+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] network_timeout = 5
    2023-09-18T12:28:47.161155+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] allow_self_signed =
    2023-09-18T12:28:47.161170+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] ad_username =
    2023-09-18T12:28:47.161185+00:00 [DEBUG] Dreitier\Ldap\Connection::createConfiguration [line 130] ad_password = *** protected password ***
    2023-09-18T12:28:47.161200+00:00 [WARNING] Dreitier\Ldap\Connection::createConfiguration [line 136] Username for the sync user does not contain a correct suffix. If the connection to the ad fails, this could be the cause. Please make sure you have added all UPN suffixes to the configuration tab User -> Account suffix.
    2023-09-18T12:28:47.161250+00:00 [INFO] Dreitier\Ldap\Connection::checkPorts [line 621] Checking domain controller ports:
    2023-09-18T12:28:47.162100+00:00 [INFO] Dreitier\Ldap\Connection::checkPort [line 654] Checking address 'domain.com' and port 389 - OK
    2023-09-18T12:28:47.163350+00:00 [INFO] Dreitier\Nadi\Authentication\SingleSignOn\Service::detectAuthenticatableSuffixes [line 297] Authenticatable suffixes are ignored
    2023-09-18T12:28:47.163397+00:00 [INFO] Dreitier\Nadi\Authentication\SingleSignOn\Service::tryAuthenticatableSuffixes [line 284] User has been authenticated through SSO, running post authentication
    2023-09-18T12:28:47.163423+00:00 [WARNING] Dreitier\Ldap\Connection::findAttributesOfUser [line 415] Query 'UserQuery={principal='[email protected]',isGuid=''}' did not return any values. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? Is the Kerberos realm mapped
    2023-09-18T12:28:47.163459+00:00 [WARNING] Dreitier\Ldap\Connection::findAttributesOfUser [line 415] Query 'UserQuery={principal='John.Doe',isGuid=''}' did not return any values. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? Is the Kerberos realm mapped
    2023-09-18T12:28:47.163489+00:00 [DEBUG] Dreitier\Ldap\Attribute\Service::resolveLdapAttributes [line 207] Cannot find valid ldap attributes for the given user.
    2023-09-18T12:28:47.163509+00:00 [ERROR] Dreitier\Nadi\Authentication\LoginService::postAuthentication [line 438] Not creating/updating user because expected LDAP attributes could not be loaded.
    2023-09-18T12:28:47.163563+00:00 [ERROR] Dreitier\Nadi\Authentication\SingleSignOn\Service::authenticate [line 160] User could not be authenticated using SSO. Unable to authenticate user [email protected]
    Plugin Author schakko

    (@schakko)

    I am not sure if we can sort this issue out without any further digging into it. Can you re-check whether the logs really print “[email protected]” for userPrincipalName in the first log line and for principal in the second line?

    2023-09-18T12:28:47.160923+00:00 [DEBUG] Dreitier\Ldap\Connection::findAttributesOfUser [line 424] UserInfo for user 'UserQuery={principal='mySAM',isGuid=''}': cn={Doe, John}, sn={Doe}, description={John Doe}, givenname={John}, displayname={John Doe}, objectguid={5233eabc-1111-2222-87a5-f3b0a110a44a}, useraccountcontrol={512}, objectsid={^A^E^@^@^@^E^U^@^@^@1111191>jPVU<8e>D?u}^D^@^@}, samaccountname={mySAM}, userprincipalname={[email protected]}, mail={[email protected]}
    
    ....
    
    2023-09-18T12:28:47.163423+00:00 [WARNING] Dreitier\Ldap\Connection::findAttributesOfUser [line 415] Query 'UserQuery={principal='[email protected]',isGuid=''}' did not return any values. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? Is the Kerberos realm mapped

    The second query should return the same result as your first query.

    Thread Starter AndrewBond

    (@andrewbond)

    Yes. I'm absolutely sure. The first query has returned all correct attributes from AD.

    2023-09-18T12:28:47.160923+00:00 [DEBUG] Dreitier\Ldap\Connection::findAttributesOfUser [line 424] UserInfo for user 'UserQuery={principal='mySAM',isGuid=''}': cn={Doe, John}, sn={Doe}, description={…}, givenname={John}, displayname={…}, objectguid={…}, useraccountcontrol={512}, objectsid={…}, samaccountname={mySAM}, userprincipalname={[email protected]}, mail={[email protected]}

    2023-09-18T12:28:47.163423+00:00 [WARNING] Dreitier\Ldap\Connection::findAttributesOfUser [line 415] Query 'UserQuery={principal='[email protected]',isGuid=''}' did not return any values. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? Is the Kerberos realm mapped
    2023-09-18T12:28:47.163459+00:00 [WARNING] Dreitier\Ldap\Connection::findAttributesOfUser [line 415] Query 'UserQuery={principal='John.Doe',isGuid=''}' did not return any values. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? Is the Kerberos realm mapped

    If I remove the Account suffix from the settings, the first query looks like:

    2023-09-19T06:09:25.281574+00:00 [WARNING] Dreitier\Ldap\Connection::findAttributesOfUser [line 415] Query 'UserQuery={principal='[email protected]',isGuid=''}' did not return any values. Does the sAMAccountName or userPrincipalName exist? Is the provided base DN valid? Is the Kerberos realm mapped
    2023-09-19T06:09:25.282395+00:00 [DEBUG] Dreitier\Ldap\Connection::findAttributesOfUser [line 424] UserInfo for user 'UserQuery={principal='mySAM',isGuid=''}': cn={Doe, John}, sn={Doe}, description={…}, givenname={John}, displayname={…}, objectguid={…}, useraccountcontrol={512}, objectsid={…}, samaccountname={mySAM}, userprincipalname={[email protected]}, mail={[email protected]}

    On the Test Authentication page I can log on with mySAM, [email protected] or [email protected]

    If I remove the Account suffix from the settings, I can only log on with [email protected] or [email protected]

    Plugin Author schakko

    (@schakko)

    I'm unable to reproduce the issue with the latest 3.1.0 version. A quick question: have you added valid credentials to Sync to WordPress, and is the username in UPN format and not just the sAMAccountName?

  The topic ‘AD Login is working but SSO isn’t’ is closed to new replies.