Configuration checklist for LastPass Universal Proxy using LDAP protocol on Windows

    Use this checklist to properly configure your VPN server, LastPass Universal Proxy, Active Directory and LastPass Authentication Server in order to work together for user authentication.

    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. See "How do I upgrade my LastPass Business account with an add-on?"

    The Universal Proxy server mode is set to Both LastPass MFA and system password (SFA).

    In this configuration checklist we use the following test environment:

    Our simple authentication scenario

    1. The test user types their credentials into the VPN client.
    2. Active Directory authenticates the user first.
    3. If that succeeds, the MFA push notification arrives on the user's phone.
    4. After the user accepts the push notification, the user is authenticated.

    For a successful authentication on the VPN client side, both the Active Directory and the MFA authentication must be successful.

    Test domain and user configuration

    Test domain configured on Active Directory
    Test user
        username: viktor
        sAMAccountName: viktor
    Test admin user on Active Directory
        sAMAccountName: testAdmin
        distinguishedName: CN=testAdmin,CN=Users,DC=testproxy,DC=com
    Note: It is mandatory to have an Active Directory admin user that is set on the VPN server side. Before authenticating a user, VPN servers usually send additional LDAP search requests. To do that, the servers need to be told which account they can use for these searches. This account is the test admin user.
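
One way to confirm, from a Windows host, that the test admin account can perform the LDAP search and that the test user's Active Directory password is accepted, before pointing the VPN server at them. This is an added example, not LastPass tooling; the server address and the base DN are assumptions, because the page does not state them.

```powershell
# Added example. Values marked "assumption" are not from the page.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server  = 'dc.example.invalid:389'                     # assumption: placeholder DC host and LDAP port
$adminDn = 'CN=testAdmin,CN=Users,DC=testproxy,DC=com'  # test admin DN from the page
$baseDn  = 'DC=testproxy,DC=com'                        # assumption: DC components of the admin DN
$user    = 'viktor'                                     # test user sAMAccountName from the page

function New-LdapBind([string]$Dn, [securestring]$Password) {
    # A simple bind with an empty password is an unauthenticated bind and can
    # "succeed" without proving anything, so refuse it up front.
    if ($Password.Length -eq 0) { throw "Empty password supplied for $Dn" }
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.ReferralChasing = 'None'
    # Basic = simple bind with a DN. On plain LDAP the password is sent unencrypted.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential -ArgumentList $Dn, $Password
    $conn.Bind($cred)   # throws LdapException when the credentials are rejected
    return $conn
}

# 1. Bind as the admin account that the VPN server is configured to use.
$admin = New-LdapBind $adminDn (Read-Host "Password for $adminDn" -AsSecureString)

# 2. Look the test user up by sAMAccountName.
$scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$attrs = [string[]]@('distinguishedName')
$req   = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
             $baseDn, "(sAMAccountName=$user)", $scope, $attrs
$resp  = [System.DirectoryServices.Protocols.SearchResponse]$admin.SendRequest($req)
$admin.Dispose()

if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly one entry for '$user', found $($resp.Entries.Count)"
}
$userDn = $resp.Entries[0].DistinguishedName

# 3. Bind as the user's DN to confirm that Active Directory accepts the password.
$userConn = New-LdapBind $userDn (Read-Host "Password for $userDn" -AsSecureString)
$userConn.Dispose()
"Search as testAdmin and bind as $userDn both succeeded"
```

A failure at step 1 or 2 points at the admin account or the base DN; a failure at step 3 points at the test user's password or account state, which would stop the flow before any MFA push is sent.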