Re: ADAM bind proxy failing after w2k to w2k3 domain upgrade


From: Jims (biz_at_neocasa.net)
Date: 09/24/04


Date: Fri, 24 Sep 2004 17:26:55 -0400

I'm not using SSL to bind now - eliminating complexity to resolve this
problem. I never configured it to require SSL; I still allow both. Just using
389.
thanks,
jim

"Lee Flight" <lef@le.ac.uk-nospam> wrote in message
news:ONDSvonoEHA.1300@TK2MSFTNGP12.phx.gbl...
> Are you using SSL for the bind?
>
> Re-cap:
>
> ldp.exe
>
> Connect:
> Server: <ADAM instance server>
> Port:<ADAM SSL Port>
> SSL check box <checked>
>
> (I'm assuming that you have not disabled the requirement for
> Secure Proxy bind as you said you had SSL running?)
>
> username :CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
> password : <as for domain account>
> Domain: <unchecked>
>
> That fails?
>
> Lee Flight
>
> "Jims" <biz@neocasa.net> wrote in message
> news:enIbk7moEHA.1160@tk2msftngp13.phx.gbl...
> > I've rebooted the ADAM instance and server with no effect. I can't
> > find any trace of the login attempts on the DCs. I do remember logon
> > events showing up in the DC sec logs when I first started testing bind
> > proxy several months ago, nothing now.
> > Thanks,
> > Jim
> >
> > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> > news:ufErG1moEHA.2068@TK2MSFTNGP09.phx.gbl...
> >> Jim
> >>
> >> has the member server that has the ADAM instance been restarted since
> >> the DC upgrade?
> >>
> >> Do you audit logon failures on the DCs?
> >>
> >> Thanks
> >> Lee Flight
> >> "Jims" <biz@neocasa.net> wrote in message
> >> news:u0pW3XloEHA.1160@tk2msftngp13.phx.gbl...
> >> > I am able to log into the ADAM server interactively with
> >> > TestDom\adamuser0 domain account.
> >> >
> >> > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in
> >> > message
> >> > news:eGA%23p0koEHA.1588@TK2MSFTNGP09.phx.gbl...
> >> >> Can you logon to ADAM machine as the test user (from AD)? This
> >> >> requires two things:
> >> >> (a) the user in AD is valid
> >> >> (b) the ADAM machine is a happy member of the AD domain.
> >> >>
> >> >>
> >> >> --
> >> >> Dmitri Gavrilov
> >> >> SDE, Active Directory Core
> >> >>
> >> >> This posting is provided "AS IS" with no warranties, and confers no
> >> >> rights.
> >> >> Use of included script samples are subject to the terms specified at
> >> >> http://www.microsoft.com/info/cpyright.htm
> >> >>
> >> >> "Jims" <biz@neocasa.net> wrote in message
> >> >> news:u6EBtYjoEHA.1300@TK2MSFTNGP12.phx.gbl...
> >> >> > I checked the AD and ADAM SIDs of several accounts and they all
> >> >> > match. The AD accounts are enabled. I've included ldifs for a test
> >> >> > account.
> >> >> > Thanks,
> >> >> > Jim
> >> >> >
> >> >> > ------------------------------------------------------------
> >> >> > ADAM ldif for cn=adamuser0
> >> >> > ------------------------------------------------------------
> >> >> > dn: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
> >> >> > changetype: add
> >> >> > sn: User0
> >> >> > mail: ADAM.User0@childrens.harvard.edu
> >> >> > employeeID: 999110
> >> >> > givenName: ADAM
> >> >> > objectClass: top
> >> >> > objectClass: userProxy
> >> >> > cn: adamuser0
> >> >> > description: Test account for ADAM load testing. See Jim
> >> >> > distinguishedName: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
> >> >> > instanceType: 4
> >> >> > whenCreated: 20040923205501.0Z
> >> >> > whenChanged: 20040923205501.0Z
> >> >> > displayName: User0 ADAM
> >> >> > uSNCreated: 165089
> >> >> > memberOf: CN=Readers,CN=Roles,DC=CHBDir,DC=Org
> >> >> > uSNChanged: 165089
> >> >> > showInAdvancedViewOnly: TRUE
> >> >> > name: adamuser0
> >> >> > objectGUID:: Ao8zPFz7Jki83KNtIioTlg==
> >> >> > objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
> >> >> > objectCategory:
> >> >> > CN=User-Proxy,CN=Schema,CN=Configuration,CN={037EF044-62EC-46CF-BC6C-F83B492B5D6A}
> >> >> >
> >> >> > ------------------------------------------------------------
> >> >> > Active Directory ldif for cn=adamuser0
> >> >> > ------------------------------------------------------------
> >> >> > dn: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
> >> >> > changetype: add
> >> >> > objectClass: top
> >> >> > objectClass: person
> >> >> > objectClass: organizationalPerson
> >> >> > objectClass: user
> >> >> > cn: adamuser0
> >> >> > sn: User0
> >> >> > description: Test account for ADAM load testing. See Jim S.
> >> >> > givenName: ADAM
> >> >> > distinguishedName:
> >> >> > CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
> >> >> > instanceType: 4
> >> >> > whenCreated: 20040922202306.0Z
> >> >> > whenChanged: 20040923223103.0Z
> >> >> > displayName: User0, ADAM
> >> >> > uSNCreated: 29167521
> >> >> > uSNChanged: 29291979
> >> >> > department: ADAM Project
> >> >> > mDBUseDefaults: TRUE
> >> >> > mailNickname: adamuser0
> >> >> > name: adamuser0
> >> >> > objectGUID:: +egFGfcmZkag1A4SGvxaFg==
> >> >> > userAccountControl: 512
> >> >> > codePage: 0
> >> >> > countryCode: 0
> >> >> > pwdLastSet: 127404521926265493
> >> >> > primaryGroupID: 513
> >> >> > objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
> >> >> > accountExpires: 9223372036854775807
> >> >> > sAMAccountName: adamuser0
> >> >> > sAMAccountType: 805306368
> >> >> > userPrincipalName: adamuser0@TestDom.ORG
> >> >> > objectCategory:
> >> >> > CN=Person,CN=Schema,CN=Configuration,DC=TestDom,DC=ORG
> >> >> > ------------------------------------------------------------
> >> >> >
> >> >> > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in
> >> >> > message
> >> >> > news:OJPe5LfoEHA.3460@tk2msftngp13.phx.gbl...
> >> >> > > Please verify that the SIDs inside userProxies still point to
> >> >> > > valid user objects in AD. You can use LDP's utilities/map sids.
> >> >> > > If the user exists, check that it's not disabled or locked out or
> >> >> > > expired.
> >> >> > >
> >> >> > > --
> >> >> > > Dmitri Gavrilov
> >> >> > > SDE, Active Directory Core
> >> >> > >
> >> >> > > This posting is provided "AS IS" with no warranties, and confers
> >> >> > > no rights.
> >> >> > > Use of included script samples are subject to the terms specified
> >> >> > > at http://www.microsoft.com/info/cpyright.htm
> >> >> > >
> >> >> > > "Jims" <biz@neocasa.net> wrote in message
> >> >> > > news:u$5FnKcoEHA.2636@TK2MSFTNGP09.phx.gbl...
> >> >> > > We've had a working ADAM environment for several months using
> >> >> > > MIIS sync with AD and bindproxy accounts. We upgraded our W2K
> >> >> > > directory and 4/5 DCs this week. I can no longer authenticate to
> >> >> > > ADAM with AD user accounts. This is a test ADAM server and I
> >> >> > > haven't tried to authenticate in over a week so I'm not sure of
> >> >> > > the AD domain significance but I haven't done anything else to
> >> >> > > the ADAM server except configure SSL, which works. I can
> >> >> > > authenticate "user" accounts ok just not "bindproxy" accounts.
> >> >> > > The ADAM security event log logs the below event. I don't see
> >> >> > > anything in the DC event logs.
> >> >> > > Thanks,
> >> >> > > Jim
> >> >> > >
> >> >> > > -----------------------------------------------------------
> >> >> > >
> >> >> > > Type: Failure Aud EventID: 680
> >> >> > > Logon attempt by: ADAM_CHBADAM1
> >> >> > >
> >> >> > > Logon account: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
> >> >> > >
> >> >> > > Source Workstation: -
> >> >> > >
> >> >> > > Error Code: 0xC000006D
> >> >> > >
> >> >> > >
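The check Dmitri asks for above (does the userProxy's objectSid still resolve to the AD user, and is that AD account usable) can be done offline on the two LDIF records quoted in the thread. This is an added example, not code from the thread or from Microsoft; the LDIF strings are trimmed copies of the records above, and ACCOUNTDISABLE is the standard userAccountControl bit (0x0002).

```python
import base64
import struct

# Trimmed copies of the two LDIF records quoted in the thread (constructed
# excerpt: only the attributes the check needs are kept).
ADAM_LDIF = """dn: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
objectClass: userProxy
objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
"""
AD_LDIF = """dn: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
userAccountControl: 512
objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
"""
ACCOUNTDISABLE = 0x0002  # userAccountControl flag

def parse_ldif(text):
    """Map attribute -> list of values; 'attr:: v' is base64 (RFC 2849)."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            val = base64.b64decode(value[1:].strip())
        else:
            val = value.strip()
        attrs.setdefault(name, []).append(val)
    return attrs

def sid_to_string(blob):
    """Binary SID (revision, sub-auth count, 48-bit big-endian authority,
    little-endian 32-bit sub-authorities) -> 'S-1-5-21-...' text form."""
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def check_proxy(adam_ldif, ad_ldif):
    """Return (proxy_sid, ad_sid, problems) for a userProxy / AD user pair."""
    adam, ad = parse_ldif(adam_ldif), parse_ldif(ad_ldif)
    proxy_sid = sid_to_string(adam["objectSid"][0])
    ad_sid = sid_to_string(ad["objectSid"][0])
    problems = []
    if proxy_sid != ad_sid:
        problems.append("objectSid mismatch: proxy does not map to this AD user")
    if int(ad.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE:
        problems.append("AD account is disabled (ACCOUNTDISABLE set)")
    return proxy_sid, ad_sid, problems
```

For the records in this thread both SIDs decode to the same value and the account is enabled, which matches what Jim reports and points the investigation at the domain trust/secure channel rather than at the proxy objects.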


