Re: ADAM - ldp bind credentials change when using machine account
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 10 Jun 2007 17:16:07 -0500
This sounds like a Kerberos problem of some sort, although the fact that it is intermittent is a little weird. I actually kind of wonder if those Kerberos errors are actually related for some reason.

Is it possible there is anything strange about the ADAM server from a Kerb perspective? Is there a load balancer in front of the ADAM instances? Are there any funny DNS aliases? Are you using the Network Service or Local System account to run the ADAM instance or a fixed service account? What DNS name are you using to access the ADAM instance?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Sarah" <Sarah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CA781848-39AC-4B0A-BB7F-77817EDF2F83@xxxxxxxxxxxxxxxx
The server is 2003 SP2 with ADAM SP1. The client is XP SP2. Both are fully updated.

We run ldp.exe using the AT command, i.e.: AT 1:37pm /interactive c:\ldp.exe

We connect to our ADAM instance and bind as the currently logged on user. For a period of time (hours or minutes, usually hours) it will authenticate using the machine account, i.e.: Authenticated as: 'SARAHSVM\SARAH-VM-XP$', and then for some reason it will start authenticating as anonymous: Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' for a number of hours or minutes. It doesn't matter if you disconnect and reconnect or run a new ldp.exe.

We can't understand why this switches, although sometimes stopping and starting the instance service on the server will make it switch, or rebooting the client or server will too... or it might be coincidental.

On the server, you can see that the machine credentials are authenticated by Kerberos and that the anonymous logons are authenticated by NTLM. I don't know if NTLM authenticates the credentials because they are anonymous or it is an anonymous logon because NTLM authenticated it.

We have Kerberos logging on and there are no extraordinary error events in the system event log (there are some KDC_ERR_S_PRINCIPAL_UNKNOWN and KDC_ERR_BADOPTION errors but they don't seem related). The only difference between both types of logons in the ldp output window are the times and 'Authenticated as'.

The reason why we are investigating this is because we have a client application that runs a service that needs to bind to ADAM objects in our partition. This also works for a period of time, then won't for a period of time, then it will. The error, when it occurs, is 0x80072020 (An operations error occurred). It exhibits the same behaviour as ldp when attempting to use the machine's credentials.

It's not reasonable for our application to bind using user credentials and we give computer objects in ADAM the right to access themselves.

If anyone could shed some light on this situation that would be greatly appreciated.

Sorry if this appears twice but I think I fluffed the first attempt.
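An added diagnostic, not code from this thread or from either poster, that repeats the bind described above under the caller's own Windows security context and then asks the ADAM instance which identity it actually authenticated, using the LDAP "Who Am I?" extended operation (RFC 4532, OID 1.3.6.1.4.1.4203.1.11.3) that ADAM supports. The server name and port are placeholders; run it from a task scheduled as SYSTEM or Network Service to exercise the machine account.

```powershell
# Added example (not from the thread). Binds with Negotiate (SSPI picks Kerberos
# or falls back to NTLM) and reports the authorization identity the server
# returns, so a bind that silently fell through to anonymous is visible.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapBindIdentity {
    param(
        [Parameter(Mandatory)] [string] $Server,   # placeholder host name
        [int] $Port = 389                           # placeholder ADAM port
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()   # binds as the current security context (user or machine account)

        # RFC 4532 "Who Am I?" extended operation; ADAM answers with an authzId
        # such as u:DOMAIN\name, and with an empty value for an anonymous bind.
        $req  = New-Object System.DirectoryServices.Protocols.ExtendedRequest('1.3.6.1.4.1.4203.1.11.3')
        $resp = [System.DirectoryServices.Protocols.ExtendedResponse] $conn.SendRequest($req)
        if ($null -eq $resp.ResponseValue -or $resp.ResponseValue.Length -eq 0) {
            return '<anonymous>'
        }
        return [System.Text.Encoding]::UTF8.GetString($resp.ResponseValue)
    }
    finally {
        $conn.Dispose()
    }
}

# One timestamped line per run; schedule it repeatedly to catch the moment the
# bind flips from the machine account to anonymous, as the thread describes.
$identity = Get-LdapBindIdentity -Server 'adam01.example.com' -Port 389
"$(Get-Date -Format s)  bound as: $identity"
if ($identity -eq '<anonymous>') {
    Write-Warning 'Bind completed as anonymous; correlate with the Kerberos/NTLM logon events on the ADAM server.'
}
```

Logging the output alongside the server's Kerberos and NTLM logon events gives the correlation the poster was doing by hand in the ldp window.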