Re: ADAM userProxy and ChangePassword

From: Lee Flight (lef_at_le.ac.uk-nospam)
Date: 09/29/04


Date: Wed, 29 Sep 2004 20:27:51 +0100

Thanks, that looks like the AcceptSecurityContext error format that I have seen
ldp.exe drop when binding to ADAM. I think Dmitri Gavrilov was going to
check up on this as it got raised in another thread this week.

Are you using the Microsoft LDAP client libraries?

Thanks again
Lee Flight

"Darwin Ten Haken" <darwin.tenhaken@iowa.gov-NOSPAM> wrote in message
news:1AC4B413-DE18-4657-BF14-CB2072FAD91F@microsoft.com...
> In working with my programmer we determined that upon doing an LDAP simple
> bind for a user who was flagged "Must Change Password at Next Logon" that he
> got the following error message reported back to him:
>
> detailMessage= "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F,
> comment: AcceptSecurityContext error, data 773, vece
>
> If we take the data 773 and convert 773 from HEX to Decimal we get error
> 1907 which can then be looked up at the following link:
>
> http://doc.ddart.net/msdn/header/include/winerror.h.html
>
> Error 1907 translates to:
>
> //
> // MessageId: ERROR_PASSWORD_MUST_CHANGE
> //
> // MessageText:
> //
> // The user must change his password before he logs on the first time.
> //
> #define ERROR_PASSWORD_MUST_CHANGE 1907L
> ----------------------------------------
>
> We have also determined that data 532 translates to 1330 which is what we
> get when a password expires:
>
> //
> // MessageId: ERROR_PASSWORD_EXPIRED
> //
> // MessageText:
> //
> // Logon failure: the specified account password has expired.
> //
> #define ERROR_PASSWORD_EXPIRED 1330L
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Yes, can you show the code you are using to get the detailed information
>> back regarding bind errors with LDAP? I'd like to see how you are getting
>> that information.
>>
>> Thanks!
>>
>> Joe K.
>>
>> "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
>> news:OjEwaYkpEHA.3868@TK2MSFTNGP15.phx.gbl...
>> > I think the issue here is that when you bind to a userProxy in ADAM
>> > you are doing a proxy login to AD. It appears to be a technique hard-coded
>> > into the ADAM LDAP interface whereby it picks up your ms-BindProxy
>> > DN and finds the associated SID and then calls into AD using a SASL
>> > bind.
>> >
>> > For native ADAM users the situation is different as the user account control
>> > attributes that govern these behaviours exist on the user object, for user
>> > proxies they exist only in AD so cannot be controlled in ADAM. I'm not
>> > sure how any detailed error code on the back-end Windows authentication
>> > could be translated across transport to provide a message that the LDAP
>> > client could understand (it's not a referral it's a double hop).
>> >
>> > I'm intrigued by what you say about the detail you can get back from
>> > an LDAP bind to AD, I have never checked that although I ran into an
>> > issue this week where the Microsoft LDAP client seemed to be dropping
>> > information that did come back over the wire against ADAM. I'll do
>> > some testing I guess.
>> >
>> > Lee Flight
>> >
>> > "Darwin Ten Haken" <darwin.tenhaken@iowa.gov-NOSPAM> wrote in message
>> > news:50381FB0-B3FA-4304-8A0C-852A2A249DA4@microsoft.com...
>> >> When I connect via LDAP directly to AD, I do get error codes back that
>> >> indicate if it is an account lockout, password expiration, password must
>> >> change at next logon, etc.. but I don't appear to get these error codes
>> >> when binding via the ADAM userproxy object. Thus it seems that either ADAM
>> >> doesn't support it or I don't have ADAM setup right.
>> >>
>> >> "Joe Kaplan (MVP - ADSI)" wrote:
>> >>
>> >>> You are not missing anything. LDAP bind does not reveal any information as
>> >>> to the nature of the failure. This is in part for security reasons, but is
>> >>> also one of the major drawbacks of using LDAP for authentication purposes.
>> >>>
>> >>> Joe K.
>> >>>
>> >>> "Darwin Ten Haken" <darwin.tenhaken@iowa.gov-NOSPAM> wrote in message
>> >>> news:E270A512-B8E7-49CA-A04D-842D97398BEA@microsoft.com...
>> >>> >
>> >>> > I have a test ADAM instance running on a Win2k3 server. I have built test
>> >>> > userProxy objects that point to AD users. When connecting via LDAP to ADAM
>> >>> > the proxy is working if the password provided to ADAM is the AD password. If
>> >>> > the AD user account is set to change password at next login, password
>> >>> > expired, account locked, account disabled, etc... I simply get a bind
>> >>> > failure and don't seem to get any detailed LDAP error back as to why the
>> >>> > bind failed. Am I missing something?
>> >>> >
>> >>> > I have also tried to find a way to issue LDIFDE to change a password of the
>> >>> > ADAM user proxy and it fails, but when I point LDIFDE to the AD server it
>> >>> > works. Is there a way to change a password via the userProxy object?
>> >>> >
>> >>> > ADAM appears to be a great way to create a flat name space of proxyusers
>> >>> > that point to users in multiple forests, but I am limited in how I can
>> >>> > recommend its use if the userProxy object doesn't allow for granular LDAP
>> >>> > errors and the ability to react to the errors. (Change passwords and unlock
>> >>> > of user accounts being the big ones)
>> >>> >
>> >>> > --
>> >>> > Darwin Ten Haken
>> >>> > State of Iowa
>> >>>
>> >>>
>> >>>
>> >
>> >
>>
>>
>>
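As an added example (not code posted by anyone in the thread), a small Python helper that does the hex-to-decimal lookup Darwin describes on the "data" field of the result 49 diagnostic, and falls back to "no detail" when the field is absent, which is what the thread reports for ADAM userProxy binds. The 773 and 532 entries come from the thread; the remaining winerror.h values are well-known codes added here, and the sample messages are constructed.

```python
import re
from typing import Optional, Tuple

# Win32 error names keyed by the hex "data" value that AD places in the
# AcceptSecurityContext diagnostic. 0x773 and 0x532 are the two values worked
# out in the thread; the others are well-known winerror.h codes added here.
WIN32_BIND_ERRORS = {
    0x773: "ERROR_PASSWORD_MUST_CHANGE",   # 1907
    0x532: "ERROR_PASSWORD_EXPIRED",       # 1330
    0x52E: "ERROR_LOGON_FAILURE",          # 1326, bad user name or password
    0x533: "ERROR_ACCOUNT_DISABLED",       # 1331
    0x701: "ERROR_ACCOUNT_EXPIRED",        # 1793
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",     # 1909
}

# Matches the "..., data 773, ..." part of the server's diagnostic message.
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def decode_bind_failure(diagnostic: str) -> Tuple[Optional[int], str]:
    """Return (decimal Win32 code, symbolic name) for an LDAP result 49
    diagnostic. The data field is hexadecimal, so "773" becomes 1907.
    Returns (None, "NO_DETAIL") when the server supplied no
    AcceptSecurityContext detail, as the thread reports for ADAM userProxy
    binds, so the caller can only tell the user that the bind failed."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return None, "NO_DETAIL"
    code = int(m.group(1), 16)
    return code, WIN32_BIND_ERRORS.get(code, "UNKNOWN_%d" % code)


# Constructed sample diagnostics: the first is the message quoted in the
# thread, the second stands in for an ADAM userProxy bind with no detail.
AD_MUST_CHANGE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, "
                  "comment: AcceptSecurityContext error, data 773, vece")
AD_EXPIRED = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, "
              "comment: AcceptSecurityContext error, data 532, vece")
ADAM_PROXY = "[LDAP: error code 49 - Invalid Credentials]"

if __name__ == "__main__":
    for msg in (AD_MUST_CHANGE, AD_EXPIRED, ADAM_PROXY):
        code, name = decode_bind_failure(msg)
        print(code, name)
```

A login front end can branch on the symbolic name to offer a password-change or "contact the help desk" path for the AD cases, while the ADAM proxy case only ever yields the generic failure.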