Authentication using LDAP / AD stopped working

[Carlos Gomes]

Hello Everyone

Our proxmox hosts stopped authenticating using AD credentials, that we use regularly.

Only difference from the environment was an update on the windows 2016 server with kb4601092

When trying to login using AD credentials, syslog prompts immediately:
pvedaemon[3067869]: authentication failure; rhost=::ffff:192.168.x.x user=user@DOMAIN msg=Connection reset by peer

one important information is that sometimes this msg= comes empty

Tests made with no success:
- rebooting the windows server VM
- double check on windows and physical firewall rules
- check on time skew between proxmox x ad, even with correct times from same ntp server
- manipulating downgrade from tls version as suggested here - https://forum.proxmox.com/threads/after-upgrade-to-pve-6-0-dont-work-ad-auth-with-ssl.57033/
- restarting pvedaemon services


proxmox is on 7.0-13, ad is windows 2016

Any information or test suggestions appreciated

 

[Stanislav Kibardin]

Does anyone solved the problem? When connecting to AD have the same problem. let me know where to look???
pveversion -v
proxmox-ve: 7.2-1 (running kernel: 5.15.60-2-pve)
pve-manager: 7.2-11 (running version: 7.2-11/b76d3178)
pve-kernel-helper: 7.2-13
pve-kernel-5.15: 7.2-12
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.60-2-pve: 5.15.60-2
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-3
libpve-guest-common-perl: 4.1-3
libpve-http-server-perl: 4.1-4
libpve-storage-perl: 7.2-10
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
openvswitch-switch: 2.15.0+ds1-2+deb11u1
proxmox-backup-client: 2.2.7-1
proxmox-backup-file-restore: 2.2.7-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-6
pve-firmware: 3.5-4
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-3
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.6-pve1

 

[Stanislav Kibardin]

Solved. I had a problem with the ssl certificate on DC.

 

[larsen]

Same problem here.

@stanislav: Could you please explain what your exact problem with the ssl cert was?
How did you check this?
How did you fix it?

 

[Stanislav Kibardin]

@larsen
In my case the problem was that Certification Authority service was not configured in my domain and my DCs had no certificates.
You can check it:
openssl s_client -connect <yourdc:636>

 

[larsen]

Thanks a lot!

This showed "no peer certificate available" which lead me to the solution:
As the once existing cert somehow got lost, I recreated it and imported it into the "NTDS\Personal" certificate store. Worked instantly, no restart needed.