Introduction
Problem
After the Active Directory user specified as BINDDN for either the Vault LDAP Authentication Method or the Vault LDAP Secrets Engine is added to the Active Directory Protected Users security group, authentication for that BINDDN user starts to fail.
As a consequence, authentication fails for every user of the affected Vault LDAP Authentication Method. If the BINDDN user is not a member of the Protected Users group but the authenticating Active Directory user is, authentication fails for that user instead.
For the Vault LDAP Secrets Engine, management of dynamic and static credentials starts to fail.
For the Vault LDAP Authentication Method, the Vault operational log contains the following entry:
[DEBUG] auth.ldap.auth_ldap_db9ddb53: error getting user bind DN: error="ldap.(Client).Authenticate: discovery of user bind DN failed:
ldap.(Client).getUserBindDN: bind (service) failed: LDAP Result Code 49 \"Invalid Credentials\": 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52f, v3839\x00"
Rotating a static credential using the LDAP Secrets Engine fails with:
vault write -f ldap/rotate-role/hashicorp
Error writing data to ldap/rotate-role/hashicorp: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/ldap/rotate-role/hashicorp
Code: 500. Errors:
* 1 error occurred:
* unable to finish rotating credentials; retries will continue in the background but it is also safe to retry manually: failed to bind with current password: 1 error occurred:
* LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52f, v3839
Prerequisites:
- Vault Enterprise
- Vault LDAP Authentication Method
- Vault LDAP Secrets Engine
- Microsoft Active Directory
Cause
Adding an Active Directory user to the Active Directory Protected Users group disables NTLM authentication for that user.
The Active Directory LDAP server uses NTLM authentication internally to authenticate the binding user to Active Directory, so LDAP binds for members of the Protected Users group are rejected.
Solutions:
Currently the only known solution is not to add these users to the Active Directory Protected Users security group. Note that the issue is not specific to Vault: any LDAP authentication against Active Directory fails for users that have been added to the Active Directory Protected Users security group.
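When triaging this failure it helps to distinguish the "data 52f" sub-error shown in the log entries above (an account restriction, which is what Protected Users membership produces) from the far more common "data 52e" (wrong password), and to confirm whether the bind account is actually in the Protected Users group. The following Python script is an added example and is not part of this article or of Vault itself; it parses the Active Directory sub-error code out of a Vault log line or API error body using the well-known AD "data" codes, and checks a memberOf attribute list for the Protected Users group. The sample log lines are constructed in the shape of the entries above.

```python
import re

# Well-known Active Directory sub-error codes that appear in the "data NNN"
# field of an LDAP Result Code 49 ("Invalid Credentials") diagnostic message.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "52f": "account restriction (logon not permitted for this account; "
           "seen when the account is in Protected Users and NTLM is disabled)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

RESULT_CODE_RE = re.compile(r"LDAP Result Code (\d+)")
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Constructed sample lines modelled on the Vault operational log entry above
# (the first reproduces the 52f case, the second a plain wrong-password 52e).
SAMPLE_LOG_LINES = [
    '[DEBUG] auth.ldap.auth_ldap_db9ddb53: error getting user bind DN: '
    'error="ldap.(Client).Authenticate: discovery of user bind DN failed: '
    'ldap.(Client).getUserBindDN: bind (service) failed: LDAP Result Code 49 '
    '\\"Invalid Credentials\\": 80090308: LdapErr: DSID-0C090447, comment: '
    'AcceptSecurityContext error, data 52f, v3839"',
    '[DEBUG] auth.ldap.auth_ldap_db9ddb53: error getting user bind DN: '
    'error="ldap.(Client).Authenticate: LDAP Result Code 49 '
    '\\"Invalid Credentials\\": 80090308: LdapErr: DSID-0C090447, comment: '
    'AcceptSecurityContext error, data 52e, v3839"',
]


def classify_bind_error(message: str) -> dict:
    """Extract the LDAP result code and the AD sub-error code from a Vault log
    line or API error body, and map the sub-error code to a readable cause."""
    result = {"ldap_result_code": None, "ad_subcode": None,
              "meaning": "no Active Directory bind error recognised"}
    m = RESULT_CODE_RE.search(message)
    if m:
        result["ldap_result_code"] = int(m.group(1))
    m = SUBCODE_RE.search(message)
    if m:
        sub = m.group(1).lower()
        result["ad_subcode"] = sub
        result["meaning"] = AD_BIND_SUBCODES.get(sub, "unknown AD sub-error code")
    return result


def bind_dn_in_protected_users(member_of) -> bool:
    """Return True if any group DN in a memberOf attribute list is the
    built-in Protected Users group (DN prefix compared case-insensitively)."""
    return any(dn.lower().startswith("cn=protected users,") for dn in member_of)


def triage(lines) -> list:
    """Classify every log line; lines with sub-code 52f point at an account
    restriction such as Protected Users membership rather than a bad password."""
    return [classify_bind_error(line) for line in lines]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG_LINES):
        print(entry)
    # Constructed memberOf value for the BINDDN account (example.com is a placeholder domain).
    groups = ["CN=Protected Users,CN=Users,DC=example,DC=com",
              "CN=Domain Users,CN=Users,DC=example,DC=com"]
    print("BINDDN account in Protected Users:", bind_dn_in_protected_users(groups))
```

A 52f result together with Protected Users membership of the bind account matches the cause described in this article; a 52e result instead indicates the stored BINDDN password is simply wrong and should be checked before looking at group membership.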