Re: ADAMs replica doesn't have any passwords?



Hi Lee,

Did you have the Builtin Administrators in the Administrators role
in the configuration Naming context
CN=Administrators,CN=Roles,CN=Configuration,CN={GUID}
rather than the Administrators role of the application partition?

I've got both of those in the Administrators role.

I assume you got prompted to restart the server after the restore
and that the message in the ADAM instance event log confirmed
the change of server name etc.

Yes, I had those messages in the event log, didn't see any errors...although
I found one (not sure what I did to make it happen) but this is what it says:

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package

The ssl certificate on this new machine is set up but not in full as in it
is registered for the mywebsite.com but this site lives on the production
server right now, so the only way I can access the copy of this site on the
new machine is by https://myIP/default.aspx...we haven't propagated the dns
change yet because adam is not set up, so we can't move the production....and
until then the certificate does not match the site name, so it would prompt
me with warning
'the name of the certificate is not valid or does not match the name of the
site', which is expected of course until I'll kill the old site. But that's
the only thing that's bad about the new ssl certificate. My network account
does have access to the
documentsandsettings/allusers/appData/microsoft/crypt/machinekeys (or
something like that) folder where all the keys reside, so that shouldn't be a
problem. So anyway, I'm trying to disable ssl connection for adam right now
and I've tried the 'allow passwd op on unsecure connections'...but this is
what it tells me:
Search on DS Behavior object failed with error: 32
32 (No Such Object).
Ldap extended error message is 0000208D: NameErr: DSID-03152110, proble
O_OBJECT), data 0, best match of:
'CN=Configuration,CN={GUID}'

Win32 error returned is 0x208d(Directory object not found.)
..
Failed to modify DS Behavior to reset password over unsecured network.

(nothing in event log)
(gives same error when I do list current ds-behavior)

I've checked the registry and under
currentSomethingSet/services/adam_instance/Parameters
there are a bunch of entries (such as machineDNname) that have the
cn=configuration,cn={GUID}
and the guid in the registry does not match the guid that I have in the
partition tree and in the error above...is that how it supposed to be? (tried
changing it to match, but that didn't help).

however, I was able to do Set ADAMDisablePasswordPolicies to 1 and
RequireSecureSimpleBind is 0

Thank you,
Olga B.


Tried to change dsHeuristics to 0000000001000 (which has something to do
with being able to set passwords)..but can't - insufficient rights for
some
reason.

Now I'm able to login to my app using this instance of adam, but again, as
in the case with replication (see all the posts above) it only
authenticates
me after I manually reset the password for that user...grrrrrr
something tells me it's the ssl problem...I thought I went through all the
recommended steps to make it go through without using the ssl port...maybe
there was another spot where I've missed it...could you please specify all
the places where I have to change that?

I tried a repro and I did not need to reset the password of a user in the
application partition but clearly my configuration is not identical to yours.
On passwords the things I usually do when *debugging* are:

In dsmgmt.exe, DS Behavior sub-menu, connect to the server and then
Allow passwd op on unsecured connection

In dsmgmt.exe, configurable setting sub-menu, connect to the server and then
Set ADAMDisablePasswordPolicies to 1

In the same menu the default value of RequireSecureSimpleBind is 0, meaning
that an ADAM user need not bind over SSL.

Lee Flight


