Re: ADAM - ldp bind credentials change when using machine account
- From: pippo <pippo@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 11 Jun 2007 00:58:00 -0700
In addition to my last post, I see that the 15min Kerberos errors are logged
even if ADAM isn't installed, which probably rules those out as any indicator
of our problem.
Regards Sarah.
"pippo" wrote:
Hi Joe,
Thanks for replying - I replied to you inline.
This sounds like a Kerberos problem of some sort, although the fact that it is intermittent is a little weird.
I agree it's very weird; why it works and doesn't work for periods of time has
us stumped. The other day I had our software working without a hitch for
hours only to find the next day I was getting the same old errors. My
co-worker has dubbed ADAM 'Another Day Another Migraine' :).
I actually kind of wonder if those Kerberos errors are actually related for some reason.
"I wondered that too. With or without ADAM installed there are a number of
Kerberos errors logged on server start, but from what I read on the net it's
pretty normal, i.e. "Kerberos service hung on startup". With ADAM installed
there is a KDC_ERR_BADOPTION error logged religiously every 15 minutes.
Unfortunately I don't think I had the server running without ADAM long enough
to see if these errors occur without ADAM installed, but I will do that. I did
spend a little time poking around the Kerberos ticketing system on the server
and client but I didn't see anything I thought was abnormal, or really even
related. The way the program was working/not working did seem to indicate
caching, timeouts etc. but I don't know what of."
Is it possible there is anything strange about the ADAM server from a Kerb perspective?
"It's possible ADAM and Kerberos have a 'thing going on', I will see if I
can find anything about it on the net. Our ADAM instance is about as simple
as they get, we add a container for computer objects and a container for user
objects. In efforts to make it work we have allowed ANONYMOUS LOGON and given
EVERYBODY all access etc. When it is working these settings are not necessary
and also not desired in the long run. "
Is there a load balancer in front of the ADAM instances?
"No load balancer, the only software installed on the server is Visual Studio
6 and ADAM"
Are there any funny DNS aliases?
"No funny DNS aliases, the client is just a member of the server and the
server is the DNS server. The test scenario is run on VMware using NAT
but the problem is easily reproduced on non-virtual clients and a server."
Are you using the Network Service or Local System account to run the ADAM instance or a fixed service account?
"We have tried both Network Service and Local System with the same results.
At times stopping the service and changing this would somehow seem to set it
working immediately, at other times that is not the case."
What DNS name are you using to access the ADAM instance?
"The server is the DNS server for the client, both have fixed IP
addresses.
Our software, a local system service (or test executable), either wants to
open or create and open a computer object in ADAM. We will take the current
computer's DN like CN=SARAH-VM-XP,CN=Computers,DC=sarahsvm,DC=local, look up
the objectSid in Active Directory, convert it to a string using a function we
found in MSDN to convert without using the ConvertSidToStringSid function and
then finally attempt to open the object using a string like
LDAP://widgee.sarahsvm.local:50000/CN=S-1-5-21-1347885190-717324418-811821162-1134,CN=Computers,CN=PDPartition.
If the object exists in ADAM the AdsOpenObject may succeed or on other
occasions may fail with 'an operations error'. To create the object we open
our ADAM computers container, call create on the container with the
computer's SID string as the name, ie:
{"CN=S-1-5-21-1347885190-717324418-811821162-1134"}. Then we query the
IID_IADs interface of the new object, modify some attributes then commit with
setInfo. In this instance opening the computer container may fail with 'no
such object exists' even though it does.
My first post was about ldp.exe which we run because we are pretty sure our
application has 'the credential problem', we think, as exhibited by ldp.exe.
We have now enlisted Microsoft Technical Support so we are hoping they will
be able to reproduce and understand our issues but if you think of anything
that may help us figure out what is going on that would be greatly
appreciated too.
Regards Sarah.
"Joe Kaplan" wrote:
This sounds like a Kerberos problem of some sort, although the fact that it
is intermittent is a little weird. I actually kind of wonder if those
Kerberos errors are actually related for some reason.
Is it possible there is anything strange about the ADAM server from a Kerb
perspective? Is there a load balancer in front of the ADAM instances? Are
there any funny DNS aliases? Are you using the Network Service or Local
System account to run the ADAM instance or a fixed service account? What
DNS name are you using to access the ADAM instance?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Sarah" <Sarah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CA781848-39AC-4B0A-BB7F-77817EDF2F83@xxxxxxxxxxxxxxxx
The server is 2003 SP2 with ADAM SP1. The client is XP SP2. Both are fully
updated.
We run ldp.exe using the AT command. ie: AT 1:37pm /interactive c:\ldp.exe
We connect to our ADAM instance and bind as the currently logged on user.
For a period of time (hours or minutes, usually hours) it will authenticate
using the machine account, i.e.: Authenticated as: 'SARAHSVM\SARAH-VM-XP$',
and then for some reason it will start authenticating as anonymous:
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' for a number of hours or
minutes. It doesn't matter if you disconnect and reconnect or run a new
ldp.exe.
We can't understand why this switches, although sometimes stopping and
starting the instance service on the server will make it switch, or rebooting
the client or server will too, or it might be coincidental.
On the server, you can see that the machine credentials are authenticated by
Kerberos and that the anonymous logons are authenticated by NTLM. I don't know
if NTLM authenticates the credentials because they are anonymous or it is an
anonymous logon because NTLM authenticated it.
We have Kerberos logging on and there are no extraordinary error events in
the system event log (there are some KDC_ERR_S_PRINCIPAL_UNKNOWN and
KDC_ERR_BADOPTION errors but they don't seem related). The only difference
between both types of logons in the ldp output window are times and
'Authenticated as'.
The reason why we are investigating this is because we have a client
application that runs a service that needs to bind to ADAM objects in our
partition. This also works for a period of time, then won't for a period of
time, then it will. The error, when it occurs, is 0x80072020 (An operations
error occurred). It exhibits the same behaviour as ldp when attempting to use
the machine's credentials.
It's not reasonable for our application to bind using user credentials and we
give computer objects in ADAM the right to access themselves.
If anyone could shed some light on this situation that would be greatly
appreciated.
Sorry if this appears twice but I think I fluffed the first attempt.
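A small correlation script, added here as an illustration and not part of the thread: it walks a log of ldp.exe bind results to find where 'Authenticated as' flips between the machine account and ANONYMOUS LOGON, lists the KDC events logged within a few minutes of each flip, and computes how often an error that repeats every 15 minutes would land in that window by pure chance. The log lines and their timestamped format are constructed assumptions (ldp.exe does not write such a log itself; the timestamps here would have to be added by whoever runs it on a schedule).

```python
import re
from datetime import datetime, timedelta

ANON = "NT AUTHORITY\\ANONYMOUS LOGON"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (.*)$")

# Constructed sample: one line per scheduled ldp.exe bind (assumed format, not real output).
BIND_LOG = r"""
2007-06-11 09:00 Authenticated as: 'SARAHSVM\SARAH-VM-XP$'
2007-06-11 09:30 Authenticated as: 'SARAHSVM\SARAH-VM-XP$'
2007-06-11 10:02 Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'
2007-06-11 10:40 Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'
2007-06-11 13:05 Authenticated as: 'SARAHSVM\SARAH-VM-XP$'
"""
# Constructed sample of server-side Kerberos event codes (the thread's 15-minute BADOPTION pattern).
KDC_LOG = """
2007-06-11 09:45 KDC_ERR_BADOPTION
2007-06-11 10:00 KDC_ERR_BADOPTION
2007-06-11 10:15 KDC_ERR_BADOPTION
2007-06-11 12:50 KDC_ERR_S_PRINCIPAL_UNKNOWN
"""

def parse_log(text):
    """Return [(datetime, payload)] for lines shaped '<YYYY-MM-DD HH:MM> <payload>'."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2)))
    return out

def bind_identity(payload):
    """Extract the identity quoted after 'Authenticated as:', or None."""
    m = re.search(r"Authenticated as: '([^']*)'", payload)
    return m.group(1) if m else None

def find_flips(bind_log):
    """(time, previous identity, new identity) for every bind whose identity changed."""
    flips, prev = [], None
    for when, payload in parse_log(bind_log):
        ident = bind_identity(payload)
        if ident is None:
            continue
        if prev is not None and ident != prev:
            flips.append((when, prev, ident))
        prev = ident
    return flips

def kdc_errors_near(when, kdc_log, window=timedelta(minutes=5)):
    """Event codes logged within +/-window of the given flip time."""
    return [code for t, code in parse_log(kdc_log) if abs(t - when) <= window]

def chance_coincidence(period=timedelta(minutes=15), window=timedelta(minutes=5)):
    """Fraction of random instants that fall within +/-window of a strictly periodic event."""
    return min(1.0, 2 * window / period)

if __name__ == "__main__":
    for when, before, after in find_flips(BIND_LOG):
        tag = "-> anonymous" if after == ANON else "-> machine account"
        print(when, before, tag, "KDC nearby:", kdc_errors_near(when, KDC_LOG))
    print("chance a 15-min periodic error sits within 5 min of any flip:", chance_coincidence())
```

With a 15-minute period and a 5-minute window, two thirds of randomly chosen flip times would have a KDC_ERR_BADOPTION "nearby", so a single coincidence says nothing; the useful signal is a flip with no matching server-side event at all, or one that lines up with something non-periodic.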