Re: ADAM bind proxy failing after w2k to w2k3 domain upgrade

From: Lee Flight (lef_at_le.ac.uk-nospam)
Date: 09/24/04


Date: Fri, 24 Sep 2004 22:33:53 +0100

But SSL is required for a proxy bind by default; if you have not
changed that default, then a simple bind on 389 is going to fail
in the fashion that you are seeing.

What happens if you try on the SSL port?

Lee Flight

"Jims" <biz@neocasa.net> wrote in message
news:OqAr40noEHA.2864@TK2MSFTNGP12.phx.gbl...
> I'm not using ssl to bind now - eliminating complexity to resolve this
> problem. I never configured to require ssl, I still allow both. Just
> using 389.
> thanks,
> jim
>
>
> "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> news:ONDSvonoEHA.1300@TK2MSFTNGP12.phx.gbl...
>> Are you using SSL for the bind?
>>
>> Re-cap:
>>
>> ldp.exe
>>
>> Connect:
>> Server: <ADAM instance server>
>> Port:<ADAM SSL Port>
>> SSL check box <checked>
>>
>> (I'm assuming that you have not disabled the requirement for
>> Secure Proxy bind as you said you had SSL running?)
>>
>> username :CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
>> password : <as for domain account>
>> Domain: <unchecked>
>>
>> That fails?
>>
>> Lee Flight
>>
>> "Jims" <biz@neocasa.net> wrote in message
>> news:enIbk7moEHA.1160@tk2msftngp13.phx.gbl...
>> > I've rebooted the ADAM instance and server with no effect. I can't
>> > find any trace of the login attempts on the DCs. I do remember logon events
>> > showing up in the DC sec logs when I first started testing bind proxy
>> > several months ago, nothing now.
>> > Thanks,
>> > Jim
>> >
>> > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
>> > news:ufErG1moEHA.2068@TK2MSFTNGP09.phx.gbl...
>> >> Jim
>> >>
>> >> has the member server that has the ADAM instance been restarted since
>> >> the DC upgrade?
>> >>
>> >> Do you audit logon failures on the DCs?
>> >>
>> >> Thanks
>> >> Lee Flight
>> >> "Jims" <biz@neocasa.net> wrote in message
>> >> news:u0pW3XloEHA.1160@tk2msftngp13.phx.gbl...
>> >> > I am able to log into the ADAM server interactively with
>> >> > TestDom\adamuser0 domain account.
>> >> >
>> >> > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in
>> >> > message
>> >> > news:eGA%23p0koEHA.1588@TK2MSFTNGP09.phx.gbl...
>> >> >> Can you logon to ADAM machine as the test user (from AD)? This
>> >> >> requires two things:
>> >> >> (a) the user in AD is valid
>> >> >> (b) the ADAM machine is a happy member of the AD domain.
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Dmitri Gavrilov
>> >> >> SDE, Active Directory Core
>> >> >>
>> >> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> >> rights. Use of included script samples is subject to the terms specified
>> >> >> at http://www.microsoft.com/info/cpyright.htm
>> >> >>
>> >> >> "Jims" <biz@neocasa.net> wrote in message
>> >> >> news:u6EBtYjoEHA.1300@TK2MSFTNGP12.phx.gbl...
>> >> >> > I checked the AD and ADAM SIDs of several accounts and they all
>> >> >> > match. The AD accounts are enabled. I've included ldifs for a test account.
>> >> >> > Thanks,
>> >> >> > Jim
>> >> >> >
>> >> >>
>> >>
>>
>> >> >> > ------------------------------------------------------------------------
>> >> >> > ADAM ldif for cn=adamuser0
>> >> >> > ------------------------------------------------------------------------
>> >> >> > dn: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
>> >> >> > changetype: add
>> >> >> > sn: User0
>> >> >> > mail: ADAM.User0@childrens.harvard.edu
>> >> >> > employeeID: 999110
>> >> >> > givenName: ADAM
>> >> >> > objectClass: top
>> >> >> > objectClass: userProxy
>> >> >> > cn: adamuser0
>> >> >> > description: Test account for ADAM load testing. See Jim
>> >> >> > distinguishedName: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
>> >> >> > instanceType: 4
>> >> >> > whenCreated: 20040923205501.0Z
>> >> >> > whenChanged: 20040923205501.0Z
>> >> >> > displayName: User0 ADAM
>> >> >> > uSNCreated: 165089
>> >> >> > memberOf: CN=Readers,CN=Roles,DC=CHBDir,DC=Org
>> >> >> > uSNChanged: 165089
>> >> >> > showInAdvancedViewOnly: TRUE
>> >> >> > name: adamuser0
>> >> >> > objectGUID:: Ao8zPFz7Jki83KNtIioTlg==
>> >> >> > objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
>> >> >> > objectCategory: CN=User-Proxy,CN=Schema,CN=Configuration,CN={037EF044-62EC-46CF-BC6C-F83B492B5D6A}
>> >> >> >
>> >> >>
>> >>
>>
>> >> >> > ------------------------------------------------------------------------
>> >> >> > Active Directory ldif for cn=adamuser0
>> >> >> > ------------------------------------------------------------------------
>> >> >> > dn: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
>> >> >> > changetype: add
>> >> >> > objectClass: top
>> >> >> > objectClass: person
>> >> >> > objectClass: organizationalPerson
>> >> >> > objectClass: user
>> >> >> > cn: adamuser0
>> >> >> > sn: User0
>> >> >> > description: Test account for ADAM load testing. See Jim S.
>> >> >> > givenName: ADAM
>> >> >> > distinguishedName: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
>> >> >> > instanceType: 4
>> >> >> > whenCreated: 20040922202306.0Z
>> >> >> > whenChanged: 20040923223103.0Z
>> >> >> > displayName: User0, ADAM
>> >> >> > uSNCreated: 29167521
>> >> >> > uSNChanged: 29291979
>> >> >> > department: ADAM Project
>> >> >> > mDBUseDefaults: TRUE
>> >> >> > mailNickname: adamuser0
>> >> >> > name: adamuser0
>> >> >> > objectGUID:: +egFGfcmZkag1A4SGvxaFg==
>> >> >> > userAccountControl: 512
>> >> >> > codePage: 0
>> >> >> > countryCode: 0
>> >> >> > pwdLastSet: 127404521926265493
>> >> >> > primaryGroupID: 513
>> >> >> > objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
>> >> >> > accountExpires: 9223372036854775807
>> >> >> > sAMAccountName: adamuser0
>> >> >> > sAMAccountType: 805306368
>> >> >> > userPrincipalName: adamuser0@TestDom.ORG
>> >> >> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=TestDom,DC=ORG
>> >> >>
>> >>
>>
>> >> >> > ------------------------------------------------------------------------
>> >> >> >
>> >> >> > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in
>> >> >> > message
>> >> >> > news:OJPe5LfoEHA.3460@tk2msftngp13.phx.gbl...
>> >> >> > > Please verify that the SIDs inside userProxies still point to valid
>> >> >> > > user objects in AD. You can use LDP's utilities/map sids. If the user
>> >> >> > > exists, check that it's not disabled or locked out or expired.
>> >> >> > >
>> >> >> > > --
>> >> >> > > Dmitri Gavrilov
>> >> >> > > SDE, Active Directory Core
>> >> >> > >
>> >> >> > >
>> >> >> > > "Jims" <biz@neocasa.net> wrote in message
>> >> >> > > news:u$5FnKcoEHA.2636@TK2MSFTNGP09.phx.gbl...
>> >> >> > > We've had a working ADAM environment for several months using MIIS
>> >> >> > > sync with AD and bindproxy accounts. We upgraded our W2K directory and
>> >> >> > > 4/5 DCs this week. I can no longer authenticate to ADAM with AD user
>> >> >> > > accounts. This is a test ADAM server and I haven't tried to authenticate
>> >> >> > > in over a week so I'm not sure of the AD domain significance but I
>> >> >> > > haven't done anything else to the ADAM server except configure SSL,
>> >> >> > > which works. I can authenticate "user" accounts ok just not "bindproxy"
>> >> >> > > accounts. The ADAM security event log logs the below event. I don't see
>> >> >> > > anything in the DC event logs.
>> >> >> > > Thanks,
>> >> >> > > Jim
>> >> >> > >
>> >> >> > > -----------------------------------------------------------
>> >> >> > >
>> >> >> > > Type: Failure Aud EventID: 680
>> >> >> > > Logon attempt by: ADAM_CHBADAM1
>> >> >> > >
>> >> >> > > Logon account: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
>> >> >> > >
>> >> >> > > Source Workstation: -
>> >> >> > >
>> >> >> > > Error Code: 0xC000006D
>> >> >> > >
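The SID check Dmitri asks for (and Jim says he did by hand) can be repeated offline against the two LDIF dumps quoted in the thread. This is an added Python example, not code from the thread or from LDP: it decodes the base64 objectSid of the ADAM userProxy and of the AD user into S-1-5-21-... form, confirms they are the same account, and then applies the "disabled" and "expired" checks from userAccountControl and accountExpires. The names parse_ldif, sid_to_string and check_proxy are chosen here; lockout is not checked because the dumps carry no lockoutTime attribute.

```python
import base64
import struct
import time

# objectSid values are the ones quoted in the thread's LDIF dumps; other attributes trimmed.
ADAM_LDIF = """dn: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
objectClass: userProxy
objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
"""
AD_LDIF = """dn: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
userAccountControl: 512
accountExpires: 9223372036854775807
objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
"""

def parse_ldif(text):
    """Parse one LDIF entry into a dict; 'attr::' marks a base64-encoded value."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if "::" in line:
            name, value = line.split("::", 1)
            entry[name] = base64.b64decode(value.strip())
        else:
            name, value = line.split(":", 1)
            entry[name] = value.strip()
    return entry

def sid_to_string(blob):
    """Binary SID -> 'S-R-A-...': revision, 48-bit BE authority, 32-bit LE sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def check_proxy(adam_entry, ad_entry):
    """Hypothetical helper: Dmitri's checks from LDIF instead of LDP. Returns (adam_sid, ad_sid, problems)."""
    problems = []
    adam_sid = sid_to_string(adam_entry["objectSid"])
    ad_sid = sid_to_string(ad_entry["objectSid"])
    if adam_sid != ad_sid:  # the proxy's SID must map to exactly this AD user
        problems.append("userProxy objectSid does not match the AD user's objectSid")
    if int(ad_entry.get("userAccountControl", "0")) & 0x0002:  # ACCOUNTDISABLE bit
        problems.append("AD account is disabled")
    expires = int(ad_entry.get("accountExpires", "0"))  # 0 / INT64 max mean "never"
    now = int((time.time() + 11644473600) * 10_000_000)  # FILETIME: 100 ns ticks since 1601
    if expires not in (0, 0x7FFFFFFFFFFFFFFF) and expires < now:
        problems.append("AD account has expired")
    return adam_sid, ad_sid, problems
```

A matching SID with an empty problem list means the proxy object itself is fine and, as Lee's reply says, the remaining suspect is the bind transport (simple bind on 389 while secure proxy bind is still required).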


