From 87be322460479a9b43e2837c9dbecbca6c734e3a Mon Sep 17 00:00:00 2001 From: Zac Bergquist Date: Fri, 12 Apr 2024 10:20:47 -0600 Subject: [PATCH] docs: mention security tools that break mTLS with LDAP (#40503) We have seen several cases of tools that terminate the mTLS connection from Teleport and drop the client certificates, preventing Teleport from making an authenticated LDAP connection. --- docs/cspell.json | 1 + docs/pages/desktop-access/troubleshooting.mdx | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/cspell.json b/docs/cspell.json index 4f417f89b562c..f53cc50fa9255 100644 --- a/docs/cspell.json +++ b/docs/cspell.json @@ -196,6 +196,7 @@ "SVID", "SVIDs", "Shockbyte", + "Silverfort's", "Slackbot", "Sllavd", "Smartcard", diff --git a/docs/pages/desktop-access/troubleshooting.mdx b/docs/pages/desktop-access/troubleshooting.mdx index deca747de8d15..bc12c9c0a9a89 100644 --- a/docs/pages/desktop-access/troubleshooting.mdx +++ b/docs/pages/desktop-access/troubleshooting.mdx @@ -81,7 +81,7 @@ If your group policy prevents the desktop from seeing this PIN, the user will remain at the login screen even though the smart card was detected. **Solution:** Ensure that group policy allows specifying credentials during - RDP connection establishment. +RDP connection establishment. Expand Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, and Remote Desktop Session Host. @@ -177,7 +177,7 @@ or connecting to LDAP server: unable to read LDAP response packet: read tcp 172.18.0.5:35970->;172.18.0.4:636: read: connection reset by peer ``` -**Solution:** Enable LDAPS +**Solution:** Enable LDAPS This means you do not have an LDAP certificate installed on your LDAP servers, or you are trying to make an insecure connection on port `389`. Teleport requires 
@@ -239,6 +239,12 @@ in LDAP, you can force the desktop to sync with the following command: $ certutil -pulse ``` +If you have verified that the Teleport CA certificate is properly installed and +are still seeing this error, check for any security tools or addons that may be +interfering with the mTLS connection. Tools such as CrowdStrike's LDAP inspection +or Silverfort's AD adapter are known to terminate TLS and drop the client certificate, +which prevents Teleport from authenticating. + ## Connection attempts fail ### RDP server only uses Standard RDP Security
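Review bot: the cspell hunk adds only the possessive form "Silverfort's", so any later mention of the vendor without the possessive (a heading, a list entry, a sentence such as "Silverfort is known to...") will be flagged again; add the base word "Silverfort" instead of, or in addition to, the possessive, and confirm that "CrowdStrike", which the same paragraph introduces, is already in the word list, since the hunk does not add it.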
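Review bot: in the `certutil -pulse` hunk the new paragraph opens with "this error", but its nearest neighbour is the sync command block, so a reader who lands on it from a link cannot tell which error is meant; name the message explicitly (the "connecting to LDAP server ... connection reset by peer" output quoted earlier in the file, or whichever message the section is about). The paragraph also tells the reader to "check for" interfering tools without a way to confirm interception or a remediation: the commit message says these tools terminate the TLS connection and drop the client certificate, which means the certificate the Teleport service sees from the LDAP server will be one issued by the inspecting tool rather than the domain controller's own certificate, so suggest adding that as the check, and stating the fix, namely excluding the Teleport Windows Desktop Service's LDAPS traffic to the domain controllers from TLS termination in the tool.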