Configuration checklist for LastPass Universal Proxy using LDAP protocol on Windows
Use this checklist to configure your VPN server, LastPass Universal Proxy, Active Directory and LastPass Authentication Server so that they work together for user authentication.
Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. See "How do I upgrade my LastPass Business account with an add-on?"
The Universal Proxy server mode is set to Both LastPass MFA and system password (SFA).
In this configuration checklist we use the following test environment:

Our simple authentication scenario
- The test user enters their credentials in the VPN client.
- First, Active Directory authenticates the user.
- If that succeeds, an MFA push notification arrives on the user's phone.
- After the user accepts the push notification, the user is authenticated.
For a successful authentication on the VPN client side, both the Active Directory and the MFA authentication must be successful.
Test domain and user configuration
| Object | Attribute | Value |
| --- | --- | --- |
| Test domain configured on Active Directory | | testproxy.com |
| Test user | username | viktor |
| | | viktor@test.com |
| | sAMAccountName | viktor |
| | userPrincipalName | viktor@test.com |
| Test admin user on Active Directory | sAMAccountName | testAdmin |
| | distinguishedName | CN=testAdmin,CN=Users,DC=testproxy,DC=com |
Note: It is mandatory to have an Active Directory admin user that is configured on the VPN server side. Before authenticating a user, VPN servers usually send additional LDAP search requests, so the servers must be told which account they can use for those requests. In this test environment, that account is the test admin user.
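
Before pointing the VPN server at the proxy, it helps to confirm that the bind account from the table can bind and that a search returns the test user with the expected attributes. The following PowerShell check is an added example, not part of the LastPass documentation; the domain controller name `dc01.testproxy.com` and the use of LDAPS on port 636 (which requires a trusted certificate on the domain controller) are assumptions.

```powershell
# Added example: pre-flight check of the LDAP bind account and the test user.
# The DN, base DN and user name come from the table above; $Server is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.testproxy.com'   # hypothetical domain controller name (assumption)
$Port     = 636                    # LDAPS (assumption), so the simple bind is encrypted
$BindDn   = 'CN=testAdmin,CN=Users,DC=testproxy,DC=com'
$BaseDn   = 'DC=testproxy,DC=com'
$TestUser = 'viktor'

# Prompt for the bind password instead of storing it in the script.
$secure = Read-Host -Prompt "Password for $BindDn" -AsSecureString
$cred   = New-Object System.Net.NetworkCredential($BindDn, $secure)

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with a DN
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true

try {
    $conn.Bind()   # throws LdapException if the DN or password is wrong
    Write-Host "Bind OK as $BindDn"

    # The same kind of lookup a VPN server performs before authenticating the user.
    $filter = "(&(objectClass=user)(sAMAccountName=$TestUser))"
    [string[]]$attrs = 'sAMAccountName', 'userPrincipalName', 'mail', 'distinguishedName'
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)
    $res = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

    if ($res.Entries.Count -ne 1) {
        Write-Warning "Expected exactly 1 entry for '$TestUser', found $($res.Entries.Count)"
    }
    foreach ($entry in $res.Entries) {
        foreach ($name in $attrs) {
            $a     = $entry.Attributes[$name]
            $value = if ($a) { $a[0] } else { '<not set>' }
            '{0,-20} {1}' -f $name, $value
        }
    }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Error "LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

A failed bind here points at the bind DN or password configured on the VPN server, while a successful bind with zero or multiple entries points at the search base or the user attributes.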