Introduction
The Umbrella AD Connector software retrieves User, Computer, and Group information from your AD Domain Controller using LDAP. Only the necessary attributes are stored from each object; these include sAMAccountName, dn, userPrincipalName, memberOf, objectGUID, primaryGroupId (for users and computers) and primaryGroupToken (for groups).
This data is then uploaded to Umbrella for use in Policy Configuration and Reporting, and is required for per-user or per-computer filtering. Note: objectGUID is sent in hashed form.
To find out exactly what is being synced, you can look at the .ldif files contained within:
C:\Program Files\OpenDNS\OpenDNS Connector\ADSync\*.ldif
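As an added check (this script is not part of the article or of the Connector software), the following PowerShell lists the attribute names that actually appear in each ADSync .ldif file and flags any that are outside the set the article says is stored. The directory path is the one quoted above; the expected attribute list is the article's, plus the LDIF bookkeeping names dn and changetype. The sample record at the bottom is constructed for illustration and is only used when the ADSync directory is not present on the machine running the script.

```powershell
# Added example, not from the Umbrella article: report attribute names found in the
# ADSync .ldif files and flag any not in the set the article says the Connector keeps.
$AdSyncDir = 'C:\Program Files\OpenDNS\OpenDNS Connector\ADSync'   # path quoted in the article
$Expected  = @('dn', 'changetype', 'sAMAccountName', 'userPrincipalName', 'memberOf',
               'objectGUID', 'primaryGroupId', 'primaryGroupToken')

function Get-LdifAttributeNames {
    param([string[]]$Lines)
    # LDIF folds long values onto following lines that begin with one space;
    # unfold first, then take the name before the first ':' (a '::' marks a
    # base64 value and still leaves the name intact). Lines starting '#' are comments.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($l in $Lines) {
        if ($l.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $l.Substring(1)
        } else {
            $unfolded.Add($l)
        }
    }
    $names = @{}   # hashtable keys are case-insensitive, which matches LDAP attribute names
    foreach ($l in $unfolded) {
        if ($l -match '^(?<name>[A-Za-z][\w.;-]*)::?') { $names[$Matches.name] = $true }
    }
    $names.Keys | Sort-Object
}

function Test-LdifAttributes {
    param([string]$Label, [string[]]$Lines)
    $found = @(Get-LdifAttributeNames -Lines $Lines)
    $extra = $found | Where-Object { $Expected -notcontains $_ }   # -notcontains is case-insensitive
    [pscustomobject]@{
        File       = $Label
        Attributes = ($found -join ',')
        Unexpected = ($extra -join ',')
    }
}

# --- Usage ---
$files = @(Get-ChildItem -Path $AdSyncDir -Filter *.ldif -ErrorAction SilentlyContinue)
if ($files.Count -gt 0) {
    $files | ForEach-Object { Test-LdifAttributes -Label $_.Name -Lines (Get-Content $_.FullName) } |
        Format-Table -AutoSize
} else {
    # Constructed sample record (not copied from a real sync), including a folded
    # memberOf value and one attribute that should not be there.
    $sample = @(
        'dn: CN=jdoe,CN=Users,DC=corp,DC=example,DC=com',
        'changetype: add',
        'sAMAccountName: jdoe',
        'userPrincipalName: jdoe@corp.example.com',
        'memberOf: CN=VPN Users,OU=Groups,DC=corp,DC=example,',
        ' DC=com',
        'primaryGroupID: 513',
        'description: should not be here'
    )
    Test-LdifAttributes -Label 'sample.ldif' -Lines $sample | Format-List
}
```

On the constructed sample the Unexpected column shows only description; against real files an empty Unexpected column confirms that nothing beyond the documented attribute set is being written to disk and uploaded.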
This article describes how this data transfer is encrypted.
Encryption for AD Data Upload
The Umbrella AD Connector uploads the AD information to Umbrella over HTTPS. The upload between the Connector <> Umbrella cloud is always encrypted.
Encryption for AD Data Retrieval
As of v1.1.22 the Connector attempts to retrieve user details with encryption between the Domain Controller <> Connector. Two methods are attempted:
- LDAPS*. Data is transmitted over a TLS-encrypted tunnel to the DC.
- LDAP with Kerberos authentication. Provides packet-level encryption of the LDAP traffic.
Note:
*LDAPS is not used when the Connector software is running on the same server as the Domain Controller used for AD sync.
If both attempts fail for any reason, the Connector falls back to this mechanism:
- LDAP with NTLM authentication. The authentication exchange itself does not expose the password, but the data transfer between the DC > Connector happens without encryption, so the directory data is readable on the wire.
To ensure that encryption is possible, we recommend the following:
- Enable LDAPS on your Domain Controller(s). This is beyond the scope of Umbrella support, but can be enabled by following Microsoft's documentation.
- Ensure that the hostname of your Domain Controller(s) is correctly configured in 'Deployments > Sites and AD'. The correct hostname is required for both encryption methods: the LDAPS certificate must match it, and Kerberos needs it to request a ticket for the DC. If the hostname is incorrect for any reason, re-register the Domain Controller using our configuration script, or contact Umbrella support.
To confirm that encryption is in use, check the log file here:
C:\Program Files (x86)\OpenDNS\OpenDNS Connector\<VERSION>\OpenDNSAuditClient.log
During AD sync you will see log entries such as the following:
LDAPS connection successful:
Using SSL for <SERVER> communication to fetch the DN.
Kerberos authentication successful:
Using Kerberos for <SERVER> communication to fetch the DN.
NTLM fallback mechanism in use:
Kerberos failed for DC Host <SERVER>. The hostname may be invalid. Falling back to NTLM query.
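The following PowerShell is an added example for the checks above; it is not part of the article or of the Connector. It does two things: it performs a TLS handshake against port 636 on a DC and reports whether the certificate chain and name check succeed for the hostname you have registered in Sites and AD, and it reads OpenDNSAuditClient.log and classifies each sync line into LDAPS, Kerberos or NTLM using the three message shapes quoted above, warning on the NTLM fallback because that sync ran unencrypted. The DC hostname (dc01.corp.example.com) and the version folder (1.1.22) are assumed placeholders to replace; the two log lines at the bottom are constructed samples used only when the real log is not present.

```powershell
# Added example, not part of the Umbrella article or the Connector software.
# (1) TLS handshake against the DC on 636 to confirm LDAPS works for the registered hostname.
# (2) Parse the Connector log and report which retrieval mechanism each sync used.
# Assumed values (replace for your environment): $DcHost, $Version.
param(
    [string]$DcHost  = 'dc01.corp.example.com',   # assumed DC FQDN as registered in Sites and AD
    [string]$Version = '1.1.22'                   # assumed Connector version folder name
)

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port = 636)
    # AuthenticateAsClient validates the chain and the name against $HostName, so an
    # untrusted DC certificate or a hostname mismatch is reported as LdapsOk = $false.
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host = $HostName; LdapsOk = $true; Protocol = $ssl.SslProtocol
            Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter
        }
    } catch {
        [pscustomobject]@{ Host = $HostName; LdapsOk = $false; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Get-ConnectorSyncMechanism {
    param([string[]]$LogLines)
    # Regexes for the three message shapes quoted in the article. Each match yields the
    # mechanism and the DC named in the line; NTLM means the data crossed the wire unencrypted.
    $patterns = [ordered]@{
        LDAPS    = 'Using SSL for (?<dc>\S+) communication to fetch the DN'
        Kerberos = 'Using Kerberos for (?<dc>\S+) communication to fetch the DN'
        NTLM     = 'Kerberos failed for DC Host (?<dc>\S+?)\.\s.*Falling back to NTLM'
    }
    foreach ($line in $LogLines) {
        foreach ($name in $patterns.Keys) {
            if ($line -match $patterns[$name]) {
                [pscustomobject]@{ Mechanism = $name; DC = $Matches.dc; Line = $line.Trim() }
                break
            }
        }
    }
}

# --- Usage ---
Test-LdapsEndpoint -HostName $DcHost | Format-List

$logPath = Join-Path "C:\Program Files (x86)\OpenDNS\OpenDNS Connector\$Version" 'OpenDNSAuditClient.log'
if (Test-Path $logPath) {
    $lines = Get-Content -Path $logPath
} else {
    # Constructed sample lines in the shapes the article quotes, so the parser can be
    # exercised on a machine without the Connector installed.
    $lines = @(
        'Using SSL for dc01.corp.example.com communication to fetch the DN.',
        'Kerberos failed for DC Host dc02.corp.example.com. The hostname may be invalid. Falling back to NTLM query.'
    )
}
$results = Get-ConnectorSyncMechanism -LogLines $lines
$results | Format-Table Mechanism, DC, Line -AutoSize
$results | Where-Object Mechanism -eq 'NTLM' | ForEach-Object {
    Write-Warning "Unencrypted LDAP sync from $($_.DC): check the hostname in Sites and AD or enable LDAPS"
}
```

Run it on the Connector host as the account the Connector uses. If Test-LdapsEndpoint reports a name mismatch while port 636 is open, the hostname in Sites and AD does not match the DC certificate, which is also the condition under which the Kerberos path fails and the NTLM fallback appears in the log.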
Comments
Hi Tom Allen,
In your article, you have mentioned "This data is then uploaded to Umbrella for use in Policy Configuration and Reporting. This data is also required for per-user or per-computer filtering. Note: objectGUID is sent in hashed form.". So my question is: which mechanism is used to hash the objectGUID? Is it md5? I have tried to use md5 to hash the objectGUID, but it does not generate the same hash as the one in UserStruct.ldif. Below is the info from UserStruct.ldif and the objectGUID. Could you please help to advise me? Thanks in advance.
UserStruct.ldif
dn: CN=BC59,CN=Users,DC=bcp,DC=eidp,DC=com
changetype: add
primaryGroupID: 513
sAMAccountName: bc59
Hash: 2dc9da7909f458c768d5a236076966a0
userPrincipalName: bc59@bcp.eidp.com
objectGUID
36a99e7c-12ce-4295-914c-2ba1f325706e
Extracted by using command: Get-ADObject -Identity "CN=bc59,CN=Users,DC=bcp,DC=eidp,DC=com" | Select-Object -Property ObjectGUID
Thanks