[External]Re: AD Shibboleth Authentication

Craig Pluchinsky craigp at iup.edu
Mon Oct 21 07:57:46 EDT 2019

Hi Chris,

We are using Shib IDPs on Linux and see the logs in AD with a source network address of the IDP nodes.  We didn't make any config changes on the AD side and are using adAuthenticator.  Try looking for event ID 4624 in the security event logs of your domain controllers.

Craig Pluchinsky
IT Services
Indiana University of Pennsylvania

From: users <users-bounces at shibboleth.net> on behalf of Christopher Bland <chris at fdu.edu>
Sent: Friday, October 18, 2019 2:54 PM
To: Shib Users <users at shibboleth.net>; db at alaska.edu <db at alaska.edu>
Subject: Re: [External]Re: AD Shibboleth Authentication

Hi David & Peter,

Thank you for the good info.  I think I need to restate my question.

My AD admins have a brand new auditing tool and they are trying to find a way to track user authentications on the AD side.  They are going to be generating all kinds of reports to management and can't fully trust their data because it doesn't show all user activity.

Does anyone have a Shibboleth IDP running on Linux with AD authentication that creates authentication logs in AD?  If so, what kind of special hoops did you have to jump through?


From: IAM David Bantz <dabantz at alaska.edu>
Sent: Friday, October 18, 2019 1:52 PM
To: Shib Users <users at shibboleth.net>
Cc: Christopher Bland <chris at fdu.edu>; Peter Schober <peter.schober at univie.ac.at>
Subject: [External]Re: AD Shibboleth Authentication

I use the JAAS config to AD as well.
The logger org.ldaptive.auth provides detail about the AD responses to authN requests if set to DEBUG
(including, IIRC, detail data code that indicates the reason for authN failure - 532=expired pwd, 52e=bad pwd, 701=expired acct, etc.).

David Bantz

On Fri, Oct 18, 2019 at 9:06 AM Peter Schober <peter.schober at univie.ac.at<mailto:peter.schober at univie.ac.at>> wrote:
* Christopher Bland <chris at fdu.edu<mailto:chris at fdu.edu>> [2019-10-18 18:31]:
> I have a cluster of IDPs which use the JAAS config to authenticate
> users against AD.  My jaas.config uses bindDN with bindCredential
> and works fine.  My question is on the AD side.  I am not seeing any
> kind of log for authentication being create in AD.  I am wondering
> what kind of experiences other admins have with regard to tracking
> user authentications in AD?

No idea but with non-JAAS you have logs for those events from the IDP itself:

2019-10-18 17:03:35,132 - $IPADDR - INFO
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by '$USER' failed

2019-10-18 17:03:40,218 - $IPADDR - INFO
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by '$USER' succeeded

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20191021/509c9bb6/attachment.html>

More information about the users mailing list