LDAP error codes

A few days ago, I had to troubleshoot strange authentication issues. The context was the following:

  • A FortiGate firewall offering SSL VPN remote access;
  • This VPN access was configured to use Active Directory authentication, which means that users have to authenticate with their AD username/password.

In this context, the FortiGate is itself configured to query the domain controllers over LDAPS, authenticating itself to AD with a dedicated service account.

The issue was that users would randomly be unable to log on, and the VPN client would return a rather unclear error: “User is probably not configured correctly for this connection”.

So I enabled debugging on the FortiGate, and saw that the authentication daemon would itself return an equally unclear error:

INVALID_CREDENTIALS: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775

Wow, what could I do with that…? Fortunately, some searching helped me, and I came across this excellent wiki page. So, error 775 meant “Account locked out”…

…But the user trying to log on was NOT locked out, at all! Some more searching in the domain controller event logs, and I realised that the locked-out account was the service account performing the LDAPS query. Since that Active Directory was configured to lock out accounts for five minutes after five failed attempts… That explained why the inability to log on was random.

Then the domain controller logs showed me WHO was locking the account. It was another firewall in the same network, also configured for LDAPS lookups, but somehow using a wrong password for the account. I corrected its configuration, and suddenly everything worked much better!
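The two steps above (decoding the `data` code in the bind error, then finding which host is locking the service account) can be scripted. The following is an added example, not code from the original post: the code table is the standard set of AD `AcceptSecurityContext` data codes (the post only covers 775), the sample error string is a constructed copy of the debug line above, and `Find-LockoutSource` assumes a Windows host with the ActiveDirectory module and read access to a domain controller's Security log. The function names, `DC01` and `svc-ldap` are illustrative.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (for Search-ADAccount) and rights to read a DC's Security log.

# Standard AcceptSecurityContext "data" codes AD returns in LDAP bind errors.
# Only 775 appears in the post; the rest are the usual documented set.
$LdapBindDataCodes = @{
    '525' = 'User not found'
    '52e' = 'Invalid credentials (wrong password)'
    '530' = 'Not permitted to log on at this time'
    '531' = 'Not permitted to log on at this workstation'
    '532' = 'Password expired'
    '533' = 'Account disabled'
    '701' = 'Account expired'
    '773' = 'User must reset password'
    '775' = 'Account locked out'
}

function Resolve-LdapBindError {
    param([Parameter(Mandatory)][string]$ErrorText)
    # The useful part is the hex "data NNN" at the end of the comment field.
    if ($ErrorText -match 'AcceptSecurityContext error, data ([0-9a-fA-F]+)') {
        $code = $Matches[1].ToLower()
        $meaning = if ($LdapBindDataCodes.ContainsKey($code)) { $LdapBindDataCodes[$code] } else { 'Unknown data code' }
        [pscustomobject]@{ DataCode = $code; Meaning = $meaning }
    }
    else {
        throw "No AcceptSecurityContext data code found in: $ErrorText"
    }
}

# Constructed copy of the FortiGate debug line quoted in the post.
$sample = 'INVALID_CREDENTIALS: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775'
Resolve-LdapBindError $sample    # DataCode 775 -> 'Account locked out'

function Find-LockoutSource {
    # Reads event 4740 ("A user account was locked out") from a DC's Security
    # log and reports which computer triggered each lockout of $SamAccountName.
    # In 4740, Properties[0] is the locked-out account (TargetUserName); the
    # caller is taken from the message text so the property order does not matter.
    param(
        [Parameter(Mandatory)][string]$DomainController,   # e.g. the PDC emulator, which sees every lockout
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object {
            $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $SamAccountName; CallerComputer = $caller }
        }
}

# Usage against a real domain (not run here):
#   Search-ADAccount -LockedOut | Select-Object SamAccountName   # confirm which account is really locked
#   Find-LockoutSource -DomainController 'DC01' -SamAccountName 'svc-ldap'
```

Two practical notes: check the PDC emulator first, because lockouts are forwarded to it regardless of which DC saw the bad password; and the `Caller Computer Name` in 4740 is the host that presented the wrong credential (here, the misconfigured firewall), not the VPN user's machine.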

PowerShell += Evil

PowerShell makes it easy and convenient to add items to an array. This works and is easy to write:

$SomeVariable = @('Here is some text')
$SomeVariable += 'And some more'

There is a catch, however. PowerShell arrays are fixed-size: `+=` does not append in place, it builds a brand-new array every time. What if your array becomes big? It can happen with any kind of repetitive processing… If your variable has 100 entries and you add one, PowerShell will basically:

  • Allocate a new 101-element array and copy the 100 existing elements into it
  • Leave the old 100-element array for the garbage collector

The result: each append costs time proportional to the current size, so filling an array of n elements this way is O(n²) work, and your loop slows down dramatically as the collection grows.

Because PowerShell is based on .NET, an easy solution is to use an ArrayList instead. ArrayLists are dynamic structures (they grow their backing store in chunks rather than on every insert), so adding elements is much faster. It looks like this:

$SomeVariable = [System.Collections.ArrayList]@()
[void]$SomeVariable.Add('Here is some text')
[void]$SomeVariable.Add('And some more')

MUCH faster! I had a script that went down from 12 minutes to 22 seconds thanks to this simple change.

As a side note, the Add method of ArrayList returns the index of the added element. This is why I used [void]: otherwise that index would be written to the PowerShell pipeline. Occasionally that is what you want, but more often it will just pollute your output (and the return value of any function you put this in). So be careful with that! `$null = $SomeVariable.Add(...)` or piping to Out-Null does the same job; the typed `[System.Collections.Generic.List[string]]` has an Add that returns nothing, so it needs no such trick.
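To see the difference for yourself, here is an added example (not code from the original post) that builds the same collection three ways and times each with Measure-Command, then shows how an unsuppressed Add return value leaks into a function's output. It assumes Windows PowerShell 5.1 or later (for the `::new()` syntax); `$Count` is an arbitrary size chosen for illustration.

```powershell
# Added example (not from the original post). Times += against ArrayList and
# the generic List, then demonstrates the pipeline pollution from Add().
$Count = 20000   # arbitrary; increase it and the += column grows quadratically

$plusEquals = Measure-Command {
    $arr = @()
    for ($i = 0; $i -lt $Count; $i++) {
        $arr += "item $i"             # allocates a new (n+1)-element array each time
    }
}

$arrayList = Measure-Command {
    $list = [System.Collections.ArrayList]@()
    for ($i = 0; $i -lt $Count; $i++) {
        [void]$list.Add("item $i")    # Add returns the new index; [void] discards it
    }
}

$genericList = Measure-Command {
    $list = [System.Collections.Generic.List[string]]::new()
    for ($i = 0; $i -lt $Count; $i++) {
        $list.Add("item $i")          # List[T].Add returns nothing, no suppression needed
    }
}

"{0,-24} {1,10:N0} ms" -f '+= (array copy)',        $plusEquals.TotalMilliseconds
"{0,-24} {1,10:N0} ms" -f 'ArrayList.Add',          $arrayList.TotalMilliseconds
"{0,-24} {1,10:N0} ms" -f 'Generic List[T].Add',    $genericList.TotalMilliseconds

# Why [void] matters: without it, every Add() index becomes part of the
# function's output, so the caller gets 0, 1, ... mixed in with the data.
function Get-NamesLeaky {
    $names = [System.Collections.ArrayList]@()
    $names.Add('alice')               # emits 0 to the pipeline
    $names.Add('bob')                 # emits 1 to the pipeline
    $names                            # emits the two strings
}

function Get-NamesClean {
    $names = [System.Collections.ArrayList]@()
    [void]$names.Add('alice')
    [void]$names.Add('bob')
    $names
}

"Leaky function returned {0} items: {1}" -f @(Get-NamesLeaky).Count, ((Get-NamesLeaky) -join ', ')
"Clean function returned {0} items: {1}" -f @(Get-NamesClean).Count, ((Get-NamesClean) -join ', ')
```

On a typical machine the `+=` line is orders of magnitude slower than the other two, and the leaky function reports four items (`0, 1, alice, bob`) where the clean one reports two.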

Defeating crazy screensavers

Sometimes, you may have to work in environments so security-conscious that you have to unlock your computer every five minutes. Here is a tip to alleviate the burden, on Windows computers at least.

Save this very short PowerShell script in a convenient place:

$MyShell = New-Object -ComObject 'WScript.Shell'
while ($true) {
    # Two presses leave the Scroll Lock state unchanged, but still count as input
    [void]$MyShell.SendKeys('{SCROLLLOCK}{SCROLLLOCK}')
    Start-Sleep -Seconds 120
}

What it does is simply simulate pressing the “Scroll Lock” key twice (so its LED state is left as it was), then sleep for two minutes, then do it again. The simulated keypress counts as user input, which resets the idle timer the screen lock policy relies on.

Now, in any session where you need it, simply run the script and leave it running. Verified under Citrix and Remote Desktop. Also, unlike some other available tools such as “Caffeine”, it does not seem to send garbage keys into your PuTTY terminal emulator, if you use one.

For even easier use, you may want to convert it to an executable file, using the excellent PS2EXE tool.
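A loop like the one above will happily keep a workstation unlocked all night if you forget it. The following is an added example, not the original post's script: the same Scroll Lock trick, but with a deadline and a stop file so it cannot outlive your working day. The parameter names (`-Until`, `-IntervalSeconds`, `-StopFile`) and the 18:00 default are choices made here for illustration.

```powershell
# Added example (not from the original post): a bounded keep-awake loop.
# Save as a .ps1 and run it; it stops at -Until or as soon as -StopFile exists.
param(
    [datetime]$Until = (Get-Date).Date.AddHours(18),   # default: 18:00 today (if already past, the loop never runs)
    [int]$IntervalSeconds = 120,
    [string]$StopFile = "$env:TEMP\stop-keepawake"     # create this file to stop early
)

$shell = New-Object -ComObject 'WScript.Shell'
"Keeping the session awake until $Until (every ${IntervalSeconds}s). Create $StopFile to stop early."

while ((Get-Date) -lt $Until -and -not (Test-Path $StopFile)) {
    # Two presses leave the Scroll Lock state as it was; the input still resets the idle timer.
    $shell.SendKeys('{SCROLLLOCK}{SCROLLLOCK}')

    # Sleep in short slices so the deadline or stop file is noticed within seconds, not minutes.
    $next = (Get-Date).AddSeconds($IntervalSeconds)
    while ((Get-Date) -lt $next -and (Get-Date) -lt $Until -and -not (Test-Path $StopFile)) {
        Start-Sleep -Seconds 5
    }
}

if (Test-Path $StopFile) { Remove-Item $StopFile -ErrorAction SilentlyContinue }
"Stopped at $(Get-Date). Lock your screen if you are leaving."
```

Run it as `.\keepawake.ps1 -Until '17:30'` to pick your own cut-off, or `New-Item $env:TEMP\stop-keepawake` from another window to stop it immediately.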

Disclaimer:

Please make sure this complies with the security policy in use at your workplace!

Please *do* lock your own computer when leaving it! It will make you feel less guilty.