Re: The specified Directory Service has denied access
- From: Lady Frances <LadyFrances@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 19 May 2006 01:27:02 -0700
Thank you for your answer, Christoffer.
The thing is I do not wish to enable anonymous ldap binding (unless I have
misunderstood the word and "anonymous" means that the user is not
authenticated in any domain).
What I am trying to achieve is for the ldap directory to be available to users
(who belong to the AD forest and) who have provided their username and
password in the address book account. They would be able to access the ldap
directory although they are not logged onto a domain. Is this possible?
Another thing is that the dsHeuristics setting for the instance is not set.
Is that normal? And, as I cannot modify the value of the seventh character,
should I set the value to 0000002001001?
As you might have gathered, I am quite new in the field so any help would be
greatly appreciated.
Frances
"chriss3 [MVP]" wrote:
Hello, to allow anonymous connection to the ADAM instance application
directory partition you will need to modify the dsHeuristics setting for
the instance. See:
ADAM Help File
How To section
Manage an ADAM instance
Allow anonymous LDAP binding to an ADAM instance
You then need to modify the ACEs on the partition entries using
DSACLs or by adding a security principal to one of the ADAM builtin
roles for the partition e.g. Readers role.
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Resources
"Lady Frances" <LadyFrances@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:576BDEE8-B646-4BDF-9897-FC3A4D2320DD@xxxxxxxxxxxxxxxx
I have installed ADAM on a front-end server which is in the DMZ.
There is no problem accessing the ldap directory from our network, i.e.
when one is logged onto the domain.
But when trying to access the directory from the internet (using wab), I
get the following error: "The specified Directory Service has denied access.
Check the Properties for this Directory Service and verify that your
Authentication Type settings and parameters are correct."
I noticed that the system hosting ADAM uses the client's Windows logon
information and not the Directory Service Account information. The event
viewer shows this:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 17.05.2006
Time: 10:05:38
User: NT AUTHORITY\SYSTEM
Computer: [Server hosting the ADAM instance]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: [Windows XP logon username]
Domain: [Client workstation name]
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Is there any specific configuration I need to enable the ldap directory to
be accessed using the credentials provided as the Directory's Service
Account, regardless of what information is used to log onto the Windows
session?
Thanks in advance,
Frances