Re: AD/Simple bind - Why "user DN" fails, but "UPN-format" works?
- From: ohaya <ohaya@xxxxxxx>
- Date: Sat, 29 Apr 2006 08:31:12 -0400
Hi,
I'm starting to wonder if something OUTSIDE of the
configuration of AD itself might be causing this behavior?
Specifically, I'm wondering whether maybe something like the AD-to-DNS
server relationship is different between the two different AD instance
configurations?
For example, if one configuration were using an integrated DNS server
vs. the other using a separate DNS server, or maybe the DNS
configuration (Network->Advanced->DNS tab) settings are different between
the two AD machines?
For reference, the test AD instance that I have here at home, which
doesn't exhibit this "UPN format only" problem, was built with an
integrated DNS server configuration (i.e., I installed MS DNS server
when I did the DCPROMO to turn the machine into an AD) with the default
network/DNS settings from the Win2K3 installation.
I've asked the guys at work to check on this next week, but I was
wondering if anyone here might have an idea if something like this might
be causing the difference? Would something in the DNS configuration
cause AD not to be able to accept userDN for simple binds, whereas UPNs
would work?
I know that this is a 'long shot', but I'm kind of running out of ideas
:(!!
Thanks,
Jim
"Joe Kaplan (MVP - ADSI)" wrote:
In the local security policy, go to the auditing section and enable both
success and failure audits of logon events. This will populate the security
event log with lots of gory details about what's going on with your
authentications. This is also something I would consider a best practice
for most Windows server deployments.
Joe K.
"ohaya" <ohaya@xxxxxxx> wrote in message news:4452D235.6B683254@xxxxxxxxxx
Joe,
I know it's weird :(...
I can't duplicate the problem on a different test AD/2003 I have at home
either. I've even tried some odd stuff like changing the
userPrincipalName in the AD so that the first part is different than
the CN, I could still do a simple bind using either the full user DN or
the UPN.
When you say "try auditing logon events on the DC", is there something I
need to enable this? If so, can you describe?
As I mentioned, I did a ldifde to export, and I couldn't see anything
strange in there.
I definitely will post back if I find anything.
Thanks for your help.
Jim
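
The auditing step Joe describes, as an added example that is not part of the original thread: it enables success and failure auditing of logon events from the command line, then lists recent logon failures so a failed user-DN bind can be compared with a successful UPN bind. It assumes Windows Server 2008 or later (where `auditpol /set` and `Get-WinEvent` exist and logon failures are recorded as event 4625), not the Win2K3 machines discussed in the thread, and an elevated prompt on the domain controller.

```powershell
# Added example; assumes Windows Server 2008 or later, run elevated on the DC.

# Enable success and failure auditing for logon events (same setting as the
# "Audit logon events" entry in the local security policy).
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff"

# Reproduce the failing simple bind with the user DN, then pull the
# logon failures recorded in the last 15 minutes (assumed time window).
$since = (Get-Date).AddMinutes(-15)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['TargetUserName']      # name as the DC parsed it
            Domain      = $data['TargetDomainName']
            Status      = $data['Status']              # NTSTATUS of the failure
            SubStatus   = $data['SubStatus']           # more specific reason code
            LogonType   = $data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']
            Source      = $data['IpAddress']
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Comparing the User, Status and SubStatus columns for the DN attempt against a UPN attempt made from the same client shows how the domain controller interpreted each bind name and why it rejected one of them.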