Re: Random logon failure with ADAM Bind Proxy

From: Seetha (seethaj_at_yahoo.com)
Date: 06/10/04


Date: Thu, 10 Jun 2004 16:18:36 -0400

Thanks everyone for your suggestions.

Adding the Authenticated Users SID to the Readers group (which was enough
granularity for our apps) made bind proxy authentication go ahead.

As I had to add ~350K users to some other groups, using IADsGroup.Add as
suggested by KB article http://support.microsoft.com/?id=818031 fixed the
1000 limit of S.DS.

I was mistaken about the username case sensitivity. I don't seem to have that
problem anymore.

Thanks,
Seetha.

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:erkj3TqTEHA.1508@TK2MSFTNGP11.phx.gbl...
> Could he also just bind to RootDSE in order to force an authentication?
> That way, he doesn't need to worry about permissions as everyone can read
> RootDSE.
>
> Also, does it work to add Authenticated Users SID to the Readers role so
> that he doesn't need to add all his users individually?
>
> Joe K.
>
> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> news:%23n7Zd1mTEHA.3596@tk2msftngp13.phx.gbl...
> > There was a similar problem discussed here a while ago, see "ADAM user
> > object limitations" thread. Are you adding new users to Readers group? This
> > is getting tricky when the group membership grows past 1500 members.
> > No_such_object usually means you could not read the object due to
> > insufficient permissions.
> >
> > Username should not be case sensitive. If you can verify that you can bind
> > with CN=aaa,DC=com, but not with CN=AAA,DC=com, please let us know.
> >
> > --
> > Dmitri Gavrilov
> > SDE, Active Directory Core
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples is subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> > "Seetha" <seethaj@yahoo.com> wrote in message
> > news:uCdg3mmTEHA.2408@tk2msftngp13.phx.gbl...
> > I have an isolated test environment with two servers - an AD domain controller
> > and a Windows 2003 server with ADAM on it. ADAM is used as a store for user
> > profiles and AD stores just the username/password and is solely used for
> > authentication.
> >
> > I have been using ADAM bind proxy to authenticate users against AD. I have
> > two questions related to this setup.
> >
> >
> > a. ADAM bind proxy authentication was working fine. But suddenly this has been
> > creating random authentication errors with 'There is no object in the
> > server' during bind. The main problem is that authentication does not fail
> > consistently: it fails for a few minutes, if I come back and test after an
> > hour it works, and fails again after some time. The one thing that changed is that
> > we have been running a job that migrates ~350K users to AD and ADAM.
> >
> > If I authenticate directly against AD, authentication works consistently.
> > Not sure if adding too many users (all added to Readers role individually)
> > is having an effect on Bind proxy. Any ideas?
> >
> > Here is the code that I use to authenticate using ADAM bind proxy
> > -------------------------------------------------------------------------------------------------
> > public bool adamAuthenticate(string username, string password)
> > {
> >     // DN of the userProxy object in ADAM; the bind is sent to the ADAM instance
> >     userDN = "LDAP://" + m_adamServer + "/" + "CN=" + username + "," + this.m_adamUsersContainerPath;
> >     userLoginName = "CN=" + username + ", " + this.m_adamUsersContainerPath;
> >
> >     // AuthenticationTypes.None = simple bind, which is what the bind proxy redirects to AD
> >     entry = new DirectoryEntry(userDN, userLoginName, password, AuthenticationTypes.None);
> >     try
> >     {
> >         // Bind to the native AdsObject to force authentication.
> >         Object obj = entry.NativeObject;
> >         return true;
> >     }
> >     catch (System.Exception ex)
> >     {
> >         // any bind failure (bad password, no such object, ...) ends up here
> >         return false;
> >     }
> > }
> > -------------------------------------------------------------------------------------------------
> >
> > The following, which authenticates against AD, works
> > -------------------------------------------------------------------------------------------------
> > public bool ADAuthenticate(string username, string password)
> > {
> >     userDN = "LDAP://" + this.m_adServer + "/" + "CN=" + username + "," + this.m_adUsersContainerPath;
> >     // look the user up with a service account first
> >     DirectoryEntry user = new DirectoryEntry(userDN, this.m_adAdminUsername, this.m_adAdminPassword);
> >
> >     try
> >     {
> >         // get the logon name from Active Directory
> >         userLoginName = (String) user.Properties["samAccountName"].Value;
> >
> >         // use the logon name and the password entered by user against active directory to bind
> >         DirectoryEntry entryAD = new DirectoryEntry(userDN, userLoginName, password,
> >             AuthenticationTypes.Secure | AuthenticationTypes.ServerBind);
> >         Object obj = entryAD.NativeObject;
> >         return true;
> >     }
> >     catch (Exception ex)
> >     {
> >         return false;
> >     }
> > }
> > -------------------------------------------------------------------------------------------------
> >
> >
> >
> > b. Through adamAuthenticate(), username seems to be case sensitive and the
> > auth fails if I don't pass in a username that matches the CN exactly,
> > including case. Is there some setting that can be changed to avoid this?
> >
> > Thanks
> > Seetha
> >
> >
>
>
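As an added example (not code from anyone in this thread), here is how the bind-proxy check could be written in C# with System.DirectoryServices so that it returns a real result. It follows Joe Kaplan's suggestion of binding to RootDSE, which every authenticated user can read, so a successful bind does not depend on the user being able to read its own proxy object; it escapes the user-supplied name before splicing it into a DN, so a name containing "," or "=" cannot change which object is bound against; and it logs the COM error code instead of swallowing every exception, which is what made the original failures look random. The server name, the container DN, the SecureSocketsLayer flag and the log callback are assumptions; the SSL flag is there because ADAM by default refuses proxied simple binds over a non-secure connection.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not the poster's code. Assumes an ADAM instance reachable as
// adamServer (e.g. "adam01:636") with userProxy objects under usersContainer
// (e.g. "CN=Users,O=Contoso"); both values are placeholders.
public static class AdamBindCheck
{
    // Escape the characters that are special in an RFC 4514 distinguished name
    // so a user-supplied name cannot alter the DN that is bound against.
    public static string EscapeDnValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        StringBuilder sb = new StringBuilder(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            switch (c)
            {
                case ',': case '+': case '"': case '\\':
                case '<': case '>': case ';': case '=':
                    sb.Append('\\').Append(c);
                    break;
                case '#':                       // special only at the start
                    if (i == 0) sb.Append('\\');
                    sb.Append(c);
                    break;
                case ' ':                       // special at start or end
                    if (i == 0 || i == value.Length - 1) sb.Append('\\');
                    sb.Append(c);
                    break;
                default:
                    sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }

    // Returns true only when the proxied bind succeeded. Bind errors are reported
    // through the log callback with their COM error code rather than discarded.
    public static bool Authenticate(string adamServer, string usersContainer,
                                    string username, string password,
                                    Action<string> log)
    {
        // An empty password would turn a simple bind into an anonymous bind,
        // which some servers accept, so reject it before talking to the server.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        string userDn = "CN=" + EscapeDnValue(username) + "," + usersContainer;
        string rootDsePath = "LDAP://" + adamServer + "/RootDSE";

        // Bind as the proxy DN to RootDSE: the proxy redirects the password check
        // to AD, and RootDSE is readable regardless of group membership.
        using (DirectoryEntry entry = new DirectoryEntry(rootDsePath, userDn, password,
               AuthenticationTypes.ServerBind | AuthenticationTypes.SecureSocketsLayer))
        {
            try
            {
                object native = entry.NativeObject;   // forces the bind to happen now
                return native != null;
            }
            catch (COMException ex)
            {
                // e.g. 0x80072030 "There is no such object on the server" versus
                // 0x8007052E "logon failure": the code tells the two apart.
                log("bind failed for " + userDn + ": 0x" +
                    ex.ErrorCode.ToString("X8") + " " + ex.Message);
                return false;
            }
        }
    }
}
```

Keeping the error code in the log is the practical point: "no such object" (the proxy DN is unreadable or missing, as Dmitri describes) and "logon failure" (AD rejected the password) need different fixes, and a bare catch hides which one occurred.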
