Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 65 replies
  • Subscribers 0 subscribers
  • Views 49545 views
  • Users 0 members are here
Options
Suggested

[9.191][BUG] OWA login via WAF fails with "Unknown username and or password"

Nikolai Wolf
ActiveSync is working, because I can connect to a Exchange mailbox, but whenever I want to connect through the webappplication (Owa), It fails. 

Example:
I try connect to Peter@example.com with ActiveSync, it works.
I try to connect to Peter@example.com with owa (Owa appears after I entered the credentials for the form authentication), it fails.

It used to work, but suddenly it stopped working.
Parents
  • 0
    Hi there,

    I've found the bug. After debugging I've found that the reverseproxy ask for the "sAMAccountName" attribute in the wrong format. See log:
    [HTML]2014:01:29-17:22:29 asg aua[15620]: id="3007" severity="debug" sys="System" sub="auth" name="Trying regular bind with bind_dn and password."
    2014:01:29-17:22:29 asg aua[15620]: id="3007" severity="debug" sys="System" sub="auth" name="ldapFilter: (&(objectClass=user)(objectcategory=Person)(sAMAccountName=mydom\klaus))"
    2014:01:29-17:22:29 asg aua[15620]: id="3007" severity="debug" sys="System" sub="auth" name="do_auth_directory() directory authentication failed. No such user." [/HTML]

    The "sAMAccountName" is not "mydom\klaus"! This is wrong, The "sAMAccountName" is just "klaus"! Therefore the DC can't find the user.

    This occurs if I use basic pre authentication.
Reply
  • 0
    Hi there,

    I've found the bug. After debugging I've found that the reverseproxy ask for the "sAMAccountName" attribute in the wrong format. See log:
    [HTML]2014:01:29-17:22:29 asg aua[15620]: id="3007" severity="debug" sys="System" sub="auth" name="Trying regular bind with bind_dn and password."
    2014:01:29-17:22:29 asg aua[15620]: id="3007" severity="debug" sys="System" sub="auth" name="ldapFilter: (&(objectClass=user)(objectcategory=Person)(sAMAccountName=mydom\klaus))"
    2014:01:29-17:22:29 asg aua[15620]: id="3007" severity="debug" sys="System" sub="auth" name="do_auth_directory() directory authentication failed. No such user." [/HTML]

    The "sAMAccountName" is not "mydom\klaus"! This is wrong, The "sAMAccountName" is just "klaus"! Therefore the DC can't find the user.

    This occurs if I use basic pre authentication.
Children
  • 0 in reply to mod2402
    If I use FBA for OWA with username and password (without domain):
    2014:01:29-18:03:44 asg aua[23596]: id="3007" severity="debug" sys="System" sub="auth" name="Trying regular bind with bind_dn and password."
    2014:01:29-18:03:44 asg aua[23596]: id="3007" severity="debug" sys="System" sub="auth" name="ldapFilter: (&(objectClass=user)(objectcategory=Person)(sAMAccountName=klaus))"
    2014:01:29-18:03:45 asg aua[23596]: id="3007" severity="debug" sys="System" sub="auth" name="do_auth_directory() - ldap user object returned by search:$VAR1 = bless( { 


    All seems OK in aua.log.

    But other problems in WAF log:
    2014:01:29-18:03:45 asg reverseproxy: [Wed Jan 29 18:03:45.558377 2014] [auth_form:error] [pid 23153:tid 1497856880] [client 109.44.1.166:2307] AH01807: user 'klaus': authentication failure for "/owa": password Mismatch, referer: my.domain.tld/webmail_form


    If I use FBA for OWA with domain\username and password:
    2014:01:29-18:13:24 asg aua[24997]: id="3007" severity="debug" sys="System" sub="auth" name="Trying regular bind with bind_dn and password."
    2014:01:29-18:13:24 asg aua[24997]: id="3007" severity="debug" sys="System" sub="auth" name="ldapFilter: (&(objectClass=user)(objectcategory=Person)(sAMAccountName=mydomain\klaus))"
    2014:01:29-18:13:24 asg aua[24997]: id="3007" severity="debug" sys="System" sub="auth" name="do_auth_directory() directory authentication failed. No such user." 


    Same problem like basic auth.

    If I use FBA for OWA with the UPN klaus@domain.tld and password:
    2014:01:29-18:18:27 asg aua[25998]: id="3007" severity="debug" sys="System" sub="auth" name="Trying regular bind with bind_dn and password."
    2014:01:29-18:18:27 asg aua[25998]: id="3007" severity="debug" sys="System" sub="auth" name="ldapFilter: (&(objectClass=user)(objectcategory=Person)(sAMAccountName=klaus@domain.tld))"
    2014:01:29-18:18:27 asg aua[25998]: id="3007" severity="debug" sys="System" sub="auth" name="do_auth_directory() directory authentication failed. No such user." 


    Don't work. Wrong attribute is asked. The UPN is also used by most smartphones for autodiscover.
Unfiltered HTML