Proxmox Active Directory AcceptSecurityContext Error

Question

Overview

I'm trying to get Proxmox to perform user authentication via LDAP with a Windows Server 2016 ADDS server. Proxmox is convinced that my credentials are incorrect.

Environment

• Proxmox 6.3-1, PVE 6.3-6

• Windows Server 2019 Datacenter 1809, b17763.1823

• The Proxmox server and Domain Controller are on the same network (the DC is a guest on the Proxmox instance).

• The DC's root certificate has been added to the Proxmox server's store.

• Proxmox's realm binding is set up with a dedicated standard user account in the OU OU=Service Users,DC=subdomain,DC=domain,DC=tld.

• I have an administrative account in the standard CN=Users,DC=subdomain,DC=domain,DC=tld.

• Proxmox's realm binding is as follows via the GUI:

  General
  ---
  Domain: DC=subdomain,DC=domain,DC=tld
  Default: True
  Server: dc.subdomain.domain.tld
  Fallback Server: Unused
  Port: Default
  SSL: True
  Verify Certificate: True
  Require TFA: None
  
  Sync Options
  ---
  Bind User: CN=ServiceAccount,OU=Service Users,DC=subdomain,DC=domain,DC=tld
  E-Mail Attribute: mail
  Groupname Attr.: sAMAccountName
  User Classes: user
  Group Classes: group
  User Filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=InfrastructureAdmins,CN=Users,DC=subdomain,DC=domain,DC=tld))
  Group Filter: (sAMAccountName=InfrastructureAdmins)
  

What's Happening

• Proxmox's login page gives the error message "Login failed. Please try again".
• Proxmox's syslog shows the line entry hostname pvedaemon[pid]: authentication failure; rhost=10.9.0.50 user=username@realm msg=80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563.
  • The error code 52e suggests that the password is incorrect.
• I'm not seeing any entries for ServiceAccount or username in the DC's security event log when the login fails.

What I've Tried

• I've verified that Proxmox can communicate with the DC; when the realm is synced, it successfully pulls groups and users from the domain.
• I've verified that the binding user ServiceAccount can log in to a domain-joined computer.
• I've verified that the account I'm testing with (my admin account) can log in to domain-joined computers; it's the account I'm logged into the DC with.
  • I've also created a test account with no additional settings, just the proper group membership, and attempted to use it to log into Proxmox.
• I've tried simplifying the passwords for both my user account and the binding account down to P4$$w0rd.
• LDAP works for other systems with a similar binding account.

Any guidance or suggestions would be greatly appreciated.

Answer 1

I can't be sure you and I have the same problem, but I solved the same symptoms by:

• Ensure the 'domain' in the LDAP settings is the actual AD domain name (eg. ad.example.com). Proxmox will append this to a user name in order to log on, so the LDAP server will reject you if you've got it wrong.
• Ensure the user or group logging on has a Role assigned to them. You can do this by going to Datacentre->Permissions (the "title", not the things inside the pull-down!) and add a Group Permission (in my case, I used the LDAP group I'd created called ProxmoxAdmins and assigned it the Administrator role)

Things I've noticed are that the log messages don't tell you the cause of the problem at all. I've also noticed that LDAP groups cannot have spaces in them (eg. Proxmox Admins doesn't work, ProxmoxAdmins does). You can see this if you do a "sync preview" in the LDAP settings). And lastly, just because "sync" works, doesn't mean users will - it only tests the Bind credentials (a useful check, but not everything!).