Re: ADAM bind proxy failing after w2k to w2k3 domain upgrade

notmyemail_at_hotmail.com
Date: 09/26/04


Date: Sun, 26 Sep 2004 12:31:32 -0400

Jim,
I have not tested this, but here is something that I saw on an ASP
support forum.

http://forums.aspfree.com/t23751/s.html

It turns out that Windows 2003 domains handle "double hop"
authentication differently than Windows 2000 domain controllers. Here
is how you fix the problem:

- Open up Active Directory Users and Computers on a domain controller
- Find the computer that has the IIS server that is running the app
- Double-click the computer name to open it up, and check the box that
says "Trust Computer for delegation"
- Wait for replication or force it
- Reboot that server

Depending on how the app is written, that may be all you need.
However, you may need to also enable delegation for the user accounts
that access it. So if this doesn't work, do the following:

- locate your user account in AD Users and Computers, and double click
it
- Click the "account" tab
- Under the "account options" section, scroll down and check "account
is trusted for delegation"
- Wait for replication or force it
- Log off of any computers you are logged into, then login and try it
again.

Let us know if this solves the problem that you are experiencing.
PMeyer

On Fri, 24 Sep 2004 22:33:53 +0100, "Lee Flight" <lef@le.ac.uk-nospam>
wrote:

>But SSL is required for a proxy bind by default, if you have not
>changed that default then a simple bind on 389 is going to fail
>in the fashion that you are seeing.
>
>What happens if you try on the SSL port?
>
>Lee Flight
>
>"Jims" <biz@neocasa.net> wrote in message
>news:OqAr40noEHA.2864@TK2MSFTNGP12.phx.gbl...
>> I'm not using SSL to bind now - eliminating complexity to resolve this
>> problem. I never configured to require SSL, I still allow both. Just
>> using 389.
>> thanks,
>> jim
>>
>>
>> "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
>> news:ONDSvonoEHA.1300@TK2MSFTNGP12.phx.gbl...
>>> Are you using SSL for the bind?
>>>
>>> Re-cap:
>>>
>>> ldp.exe
>>>
>>> Connect:
>>> Server: <ADAM instance server>
>>> Port:<ADAM SSL Port>
>>> SSL check box <checked>
>>>
>>> (I'm assuming that you have not disabled the requirement for
>>> Secure Proxy bind as you said you had SSL running?)
>>>
>>> username :CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
>>> password : <as for domain account>
>>> Domain: <unchecked>
>>>
>>> That fails?
>>>
>>> Lee Flight
>>>
>>> "Jims" <biz@neocasa.net> wrote in message
>>> news:enIbk7moEHA.1160@tk2msftngp13.phx.gbl...
>>> > I've rebooted the ADAM instance and server with no effect. I can't
>>> > find any trace of the login attempts on the DCs. I do remember logon
>>> > events showing up in the DC sec logs when I first started testing bind
>>> > proxy several months ago, nothing now.
>>> > Thanks,
>>> > Jim
>>> >
>>> > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
>>> > news:ufErG1moEHA.2068@TK2MSFTNGP09.phx.gbl...
>>> >> Jim
>>> >>
>>> >> has the member server that has the ADAM instance been restarted since
>>> >> the DC upgrade?
>>> >>
>>> >> Do you audit logon failures on the DCs?
>>> >>
>>> >> Thanks
>>> >> Lee Flight
>>> >> "Jims" <biz@neocasa.net> wrote in message
>>> >> news:u0pW3XloEHA.1160@tk2msftngp13.phx.gbl...
>>> >> > I am able to log into the ADAM server interactively with the
>>> >> > TestDom\adamuser0 domain account.
>>> >> >
>>> >> > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in
>>> >> > message
>>> >> > news:eGA%23p0koEHA.1588@TK2MSFTNGP09.phx.gbl...
>>> >> >> Can you logon to ADAM machine as the test user (from AD)? This
>>> >> >> requires two things:
>>> >> >> (a) the user in AD is valid
>>> >> >> (b) the ADAM machine is a happy member of the AD domain.
>>> >> >>
>>> >> >>
>>> >> >> --
>>> >> >> Dmitri Gavrilov
>>> >> >> SDE, Active Directory Core
>>> >> >>
>>> >> >> This posting is provided "AS IS" with no warranties, and confers no
>>> >> >> rights. Use of included script samples are subject to the terms
>>> >> >> specified at http://www.microsoft.com/info/cpyright.htm
>>> >> >>
>>> >> >> "Jims" <biz@neocasa.net> wrote in message
>>> >> >> news:u6EBtYjoEHA.1300@TK2MSFTNGP12.phx.gbl...
>>> >> >> > I checked the AD and ADAM SIDS of several accounts and they all
>>> >> >> > match. The AD accounts are enabled. I've included ldifs for a test
>>> >> >> > account.
>>> >> >> > Thanks,
>>> >> >> > Jim
>>> >> >> >
>>> >> >> > -----------------------------------------------------------------------
>>> >> >> > ADAM ldif for cn=adamuser0
>>> >> >> > -----------------------------------------------------------------------
>>> >> >> > dn: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
>>> >> >> > changetype: add
>>> >> >> > sn: User0
>>> >> >> > mail: ADAM.User0@childrens.harvard.edu
>>> >> >> > employeeID: 999110
>>> >> >> > givenName: ADAM
>>> >> >> > objectClass: top
>>> >> >> > objectClass: userProxy
>>> >> >> > cn: adamuser0
>>> >> >> > description: Test account for ADAM load testing. See Jim
>>> >> >> > distinguishedName: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
>>> >> >> > instanceType: 4
>>> >> >> > whenCreated: 20040923205501.0Z
>>> >> >> > whenChanged: 20040923205501.0Z
>>> >> >> > displayName: User0 ADAM
>>> >> >> > uSNCreated: 165089
>>> >> >> > memberOf: CN=Readers,CN=Roles,DC=CHBDir,DC=Org
>>> >> >> > uSNChanged: 165089
>>> >> >> > showInAdvancedViewOnly: TRUE
>>> >> >> > name: adamuser0
>>> >> >> > objectGUID:: Ao8zPFz7Jki83KNtIioTlg==
>>> >> >> > objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
>>> >> >> > objectCategory: CN=User-Proxy,CN=Schema,CN=Configuration,CN={037EF044-62EC-46CF-BC6C-F83B492B5D6A}
>>> >> >> >
>>> >> >> > -----------------------------------------------------------------------
>>> >> >> > Active Directory ldif for cn=adamuser0
>>> >> >> > -----------------------------------------------------------------------
>>> >> >> > dn: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
>>> >> >> > changetype: add
>>> >> >> > objectClass: top
>>> >> >> > objectClass: person
>>> >> >> > objectClass: organizationalPerson
>>> >> >> > objectClass: user
>>> >> >> > cn: adamuser0
>>> >> >> > sn: User0
>>> >> >> > description: Test account for ADAM load testing. See Jim S.
>>> >> >> > givenName: ADAM
>>> >> >> > distinguishedName: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
>>> >> >> > instanceType: 4
>>> >> >> > whenCreated: 20040922202306.0Z
>>> >> >> > whenChanged: 20040923223103.0Z
>>> >> >> > displayName: User0, ADAM
>>> >> >> > uSNCreated: 29167521
>>> >> >> > uSNChanged: 29291979
>>> >> >> > department: ADAM Project
>>> >> >> > mDBUseDefaults: TRUE
>>> >> >> > mailNickname: adamuser0
>>> >> >> > name: adamuser0
>>> >> >> > objectGUID:: +egFGfcmZkag1A4SGvxaFg==
>>> >> >> > userAccountControl: 512
>>> >> >> > codePage: 0
>>> >> >> > countryCode: 0
>>> >> >> > pwdLastSet: 127404521926265493
>>> >> >> > primaryGroupID: 513
>>> >> >> > objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
>>> >> >> > accountExpires: 9223372036854775807
>>> >> >> > sAMAccountName: adamuser0
>>> >> >> > sAMAccountType: 805306368
>>> >> >> > userPrincipalName: adamuser0@TestDom.ORG
>>> >> >> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=TestDom,DC=ORG
>>> >> >> > -----------------------------------------------------------------------
>>> >> >> >
>>> >> >> > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
>>> >> >> > news:OJPe5LfoEHA.3460@tk2msftngp13.phx.gbl...
>>> >> >> > > Please verify that the SIDs inside userProxies still point to valid
>>> >> >> > > user objects in AD. You can use LDP's utilities/map sids. If the
>>> >> >> > > user exists, check that it's not disabled or locked out or expired.
>>> >> >> > >
>>> >> >> > > --
>>> >> >> > > Dmitri Gavrilov
>>> >> >> > > SDE, Active Directory Core
>>> >> >> > >
>>> >> >> > > This posting is provided "AS IS" with no warranties, and confers
>>> >> >> > > no rights. Use of included script samples are subject to the terms
>>> >> >> > > specified at http://www.microsoft.com/info/cpyright.htm
>>> >> >> > >
>>> >> >> > > "Jims" <biz@neocasa.net> wrote in message
>>> >> >> > > news:u$5FnKcoEHA.2636@TK2MSFTNGP09.phx.gbl...
>>> >> >> > > We've had a working ADAM environment for several months using
>>> >> >> > > MIIS sync with AD and bindproxy accounts. We upgraded our W2K
>>> >> >> > > directory and 4/5 DCs this week. I can no longer authenticate to
>>> >> >> > > ADAM with AD user accounts. This is a test ADAM server and I
>>> >> >> > > haven't tried to authenticate in over a week so I'm not sure of
>>> >> >> > > the AD domain significance but I haven't done anything else to
>>> >> >> > > the ADAM server except configure SSL, which works. I can
>>> >> >> > > authenticate "user" accounts ok just not "bindproxy" accounts.
>>> >> >> > > The ADAM security event log logs the below event. I don't see
>>> >> >> > > anything in the DC event logs.
>>> >> >> > > Thanks,
>>> >> >> > > Jim
>>> >> >> > >
>>> >> >> > > -----------------------------------------------------------
>>> >> >> > >
>>> >> >> > > Type: Failure Aud EventID: 680
>>> >> >> > > Logon attempt by: ADAM_CHBADAM1
>>> >> >> > >
>>> >> >> > > Logon account: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
>>> >> >> > >
>>> >> >> > > Source Workstation: -
>>> >> >> > >
>>> >> >> > > Error Code: 0xC000006D
>>> >> >> > >
>>> >> >> > >
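A scripted form of the check Dmitri asks for and Jim reports doing by hand (the objectSid on the ADAM userProxy must equal the objectSid of the AD user, and that user must not be disabled), added here as an example and not code from the thread: it decodes the base64 objectSid values from trimmed copies of the two LDIF records posted above into S-1-5-... form, compares them, and tests the userAccountControl disable bit. The function names are my own; the 0x2 value of ADS_UF_ACCOUNTDISABLE is the documented userAccountControl flag.

```python
import base64
import struct

# Trimmed copies of the two LDIF records posted in the thread above; only the
# attributes this check needs are kept.
ADAM_PROXY_LDIF = """\
dn: CN=adamuser0,OU=Users,DC=CHBDir,DC=Org
objectClass: userProxy
objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
"""
AD_USER_LDIF = """\
dn: CN=adamuser0,OU=TestDomUsers,OU=Users,DC=TestDom,DC=ORG
objectClass: user
userAccountControl: 512
objectSid:: AQUAAAAAAAUVAAAA2+sMUHKPtAojX2Nrf4kAAA==
"""

ADS_UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account


def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}; 'attr::' marks base64."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())  # binary attribute
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def sid_to_string(raw):
    """Render a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian DWORD sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def check_proxy(proxy_ldif, user_ldif):
    """Return (sid_matches, account_enabled) for a userProxy / AD user pair."""
    proxy, user = parse_ldif(proxy_ldif), parse_ldif(user_ldif)
    proxy_sid = sid_to_string(proxy["objectSid"][0])
    user_sid = sid_to_string(user["objectSid"][0])
    uac = int(user.get("userAccountControl", ["0"])[0])
    return proxy_sid == user_sid, not (uac & ADS_UF_ACCOUNTDISABLE)
```

A mismatch here would mean the proxy's SID no longer resolves in AD; a match with the account enabled, as in Jim's case, points elsewhere (the proxy bind transport or the DC-side authentication path).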


