Re: ADAM Bind to alias pointing local server fails
- From: "Lee Flight" <lef@xxxxxxxxxxxxxxx>
- Date: Mon, 20 Feb 2006 12:28:41 -0000
Hi
In negotiated authentication you will need to update the servicePrincipalName attribute of the computer account that hosts the ADAM instance to add access for LDAP against the DNS alias in order for Kerberos access to work. You can do this from the command line using setspn.exe.
setspn <netbiosname of ADAM machine>
to list the current SPNs; you should see that a subset of these agree with the ADAM SPNs specified in the ADAM Help file:
ADAM Help
Administering ADAM
Administering ADAM service principal names
You can add an SPN for LDAP on a DNS alias name, e.g.
setspn -A ldap/adam.mydomain.com:<adam port number> <netbiosname of ADAM machine>
Looking at the list of existing SPNs for the computer account should give you the idea.
Notes:
You will probably need to be a domain admin to update the SPNs.
You can also use repadmin /writespn as per the ADAM Help instead of setspn.
Apart from LDAP\dnshostname:port, you will see SPNs for E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM\netbiosname:port that are used for replication; I do not believe that you will need to add to that, as you should probably only be using the primary host name when setting up replication (IMO).
Lee Flight
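An added example (not from this thread) that applies the advice above: it parses the SPN list that setspn -L prints for the ADAM host's computer account, works out which ldap/<name>:<port> entries are still missing for the names a client may bind with (host name and DNS alias) and emits the setspn -A commands for them; it also decodes the `data` code from the AcceptSecurityContext error that LDP reports. The setspn output, the account name MYSERVER and port 50000 are constructed sample values.

```python
import re
from typing import List, Set

# Constructed sample of `setspn -L MYSERVER` output (not from the thread); note the
# ldap/ SPN exists only for the real host name, not for the DNS alias.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=MYSERVER,CN=Computers,DC=mydomain,DC=com:
        ldap/myserver.mydomain.com:50000
        ldap/MYSERVER:50000
        E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/MYSERVER:50000
        HOST/myserver.mydomain.com
        HOST/MYSERVER
"""

# Meanings of the `data` field in the AcceptSecurityContext error that LDP prints.
LOGON_FAILURE_DATA = {
    "525": "user not found", "52e": "invalid credentials (ERROR_LOGON_FAILURE)",
    "530": "logon time restriction", "531": "not permitted to log on at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def parse_setspn(output: str) -> Set[str]:
    """Return the SPNs listed by setspn -L, lower-cased (SPN matching is case-insensitive)."""
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith("Registered ServicePrincipalNames"):
            spns.add(line.lower())
    return spns

def missing_ldap_spn_commands(output: str, account: str, names: List[str], port: int) -> List[str]:
    """For every name a client might bind with (host name, DNS alias, ...), a Kerberos
    client requests ldap/<name>:<port>; return the setspn -A commands for those not yet
    registered on the ADAM host's computer account. Replication SPNs are left alone."""
    present = parse_setspn(output)
    wanted = {f"ldap/{name.lower()}:{port}" for name in names}
    return [f"setspn -A {spn} {account}" for spn in sorted(wanted - present)]

def explain_bind_error(ldp_line: str) -> str:
    """Decode 'AcceptSecurityContext error, data 52e' from an LDP bind failure."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)", ldp_line)
    if not m:
        return "not an AcceptSecurityContext error"
    code = m.group(1).lower()
    return LOGON_FAILURE_DATA.get(code, f"unknown data code {code}")
```

Run missing_ldap_spn_commands with the real `setspn -L` output, the ADAM computer account, and every name clients use; an empty list means nothing is left to register.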
"Craig Gilmour" <CraigGilmour@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A6438DAF-CDE6-436E-9787-37BEA53BEA12@xxxxxxxxxxxxxxxx
All,
I have a weird one that I would appreciate some help on. I have attempted this on three separate Virtual Server instances as well as two production servers, so it is not a specific server problem.
Scenario:
The Domain is running Windows 2000
Windows 2003 Member Server called: myserver.mydomain.com IP 192.168.0.5
DNS Alias called: adam.mydomain.com referencing myserver.mydomain.com
The Windows user I am logged on has full admin rights over the server,
domain admin rights over the domain and full rights over ADAM.
What I can do:
1.0 Run LDP on any other host other than myserver and connect and bind to the ADAM instance using Windows Credentials (currently logged on user) using the actual hostname, IP Address or DNS Alias.
2.0 Run ldp on myserver and connect / bind as the currently logged on user using the actual host name, localhost, the IP Address.
What I can't do is:
3.0 Run ldp on myserver and connect / bind as the currently logged on user using the DNS Alias (adam.mydomain.com). I get a bind failure - invalid credentials.
I have tried setting a host file entry instead, all to no avail. Does anyone have any ideas?
Following is the output from LDP (I have only included the tail end of the connection output):
1> highestCommittedUSN: 17316;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
1> dnsHostName: sqlserv.corp.riotinto.org;
1> serverName: CN=MYSERVER$MYINSTANCE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={1F20A0DA-D571-448F-A298-3D8A0CE8901C};
3> supportedCapabilities: 1.2.840.113556.1.4.1851 = (
LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID ); 1.2.840.113556.1.4.1791 = (
LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID ); 1.2.840.113556.1.4.1880 = (
LDAP_CAP_ACTIVE_DIRECTORY_ADAM_DIGEST );
1> isSynchronized: TRUE;
1> forestFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd= <unavailable>; domain = 'NULL'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 52e, vece
Error 0x8009030C The logon attempt failed
.