Re: ADAM - ldp bind credentials change when using machine account



Hi Joe,

The SPNs are set on CN=WIDGEE,OU=Domain Controllers,DC=sarahsvm,DC=local
and the DNS is an A record.

While poking around SPNs today we noticed that just after installation the
ports initially appear on the new SPNs:

ldap/widgee.sarahsvm.local:50000
ldap/widgee:50000

But very soon after, they disappear. This is with no client activity at all,
and restarting the service will have them back in there.

The SPNs in the following formats

E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM\netbiosname:port
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM\dnshostname:port

do retain the port.

Also today I realized that the first 'abnormality' we come across is that
when the instance service is created to run under the NT AUTHORITY\NETWORK
SERVICE account the Service Connection Point object is unable to be created
and the ADAM event log will say:

The directory server has failed to create the ADAM serviceConnectionPoint
object in the Active Directory. This operation will be retried.

User Action
If ADAM is running under a local service account, it will be unable to
update the data in the Active Directory. Consider changing the ADAM service
account to either NetworkService or a domain account.

This is in direct contrast to what we are seeing as all seems to go well if
we set the service to run as LocalSystem. If it is not created during
installation we create the SCP object.

Among other things Microsoft also looked at SPNs and had the developer who
is liaising with them (we are on different continents) enter them in manually.
They also gave him a slightly different tool set, new ldp etc., and he was able
to bind to ADAM using the computer's credentials by the end of the phone call.
Unfortunately, after about an hour he was back to authenticating as
anonymous.

Regards Sarah.
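Because the thread turns on which SPNs the ADAM instance's account actually holds (and whether they keep their port), here is an added audit helper that is not part of any post in this thread. It takes a constructed model of a domain-wide servicePrincipalName search (account DN to SPN list, not real query output), checks the four SPN forms Sarah lists for one instance, and separates "SPN present but port gone", "SPN on a different account" and "registered on more than one account"; the ADAM service-class SPNs are written with the usual `class/host:port` slash separator.

```python
"""Audit the SPNs one ADAM instance needs (added example, not code from the thread)."""
from collections import defaultdict

ADAM_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM"  # ADAM service class named in the thread

# Constructed sample of a domain-wide servicePrincipalName search (not real output):
# the ldap/ SPNs on the DC account have lost their port, the FQDN ldap SPN with the
# port sits on an unrelated account, and the HOST/ SPN is registered twice.
SAMPLE_SEARCH = {
    "CN=WIDGEE,OU=Domain Controllers,DC=sarahsvm,DC=local": [
        "ldap/widgee.sarahsvm.local", "ldap/widgee",
        f"{ADAM_CLASS}/widgee.sarahsvm.local:50000", f"{ADAM_CLASS}/widgee:50000",
        "HOST/widgee.sarahsvm.local",
    ],
    "CN=adamsvc,CN=Users,DC=sarahsvm,DC=local": [          # hypothetical second account
        "ldap/widgee.sarahsvm.local:50000", "HOST/widgee.sarahsvm.local",
    ],
}

def expected_spns(dns_host, netbios, port):
    """The four SPNs the thread lists for one instance, each carrying the LDAP port."""
    return {f"{svc}/{host}:{port}" for svc in ("ldap", ADAM_CLASS) for host in (dns_host, netbios)}

def audit_spns(search, account, dns_host, netbios, port):
    """Classify every expected SPN for `account`, and list SPNs held by more than one account."""
    owners = defaultdict(set)                 # lowercased SPN -> accounts that hold it
    for dn, spns in search.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    report = {"ok": set(), "port_dropped": set(), "wrong_account": {}, "missing": set()}
    for spn in sorted(expected_spns(dns_host, netbios, port)):
        key = spn.lower()
        holders = owners.get(key, set())
        if account in holders:
            report["ok"].add(spn)
        elif holders:
            # KDC would issue a ticket for another account's key; the service cannot decrypt it
            report["wrong_account"][spn] = sorted(holders)
        elif account in owners.get(key.rsplit(":", 1)[0], set()):
            report["port_dropped"].add(spn)   # the symptom described above: SPN present, port gone
        else:
            report["missing"].add(spn)
    report["duplicates"] = {s: sorted(a) for s, a in owners.items() if len(a) > 1}
    return report

if __name__ == "__main__":
    result = audit_spns(SAMPLE_SEARCH, "CN=WIDGEE,OU=Domain Controllers,DC=sarahsvm,DC=local",
                        "widgee.sarahsvm.local", "widgee", 50000)
    for category, value in result.items():
        print(f"{category}: {value}")
```

In a live domain the `SAMPLE_SEARCH` dict would be replaced by the output of an LDAP search for `servicePrincipalName=*` against the domain; anything in `port_dropped` or `wrong_account` explains a Kerberos bind silently falling back to NTLM as anonymous.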

"Joe Kaplan" wrote:

Ok, if you do a search in AD for the domain the ADAM server is a member of,
which account has this SPN set on it?

LDAP/widgee.sarahsvm.local

Also, in DNS is widgee.sarahsvm.local an A record?

There is a good chance that the MS support person will have a much better
chance of figuring this out than I will, but I figured I'd ask a few more
questions anyway.

The behavior sounds a little like the Kerb ticket expiring after 8 hours.
Perhaps your connection to ADAM is staying open for a very long time and the
ticket needs to get refreshed or something? Did you try doing something to
ensure that you release all of your COM objects pointing to the ADAM
instance periodically? Maybe that would help.

Also, why use ADSI if using C++? By the time I've decided to write C++
code, ADSI COM programming looks less attractive to me...

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"pippo" <pippo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C3C8791F-0456-4302-8181-CF5BA5C57DAF@xxxxxxxxxxxxxxxx
Hi Joe,

Thanks for replying - I replied to you inline.

This sounds like a Kerberos problem of some sort, although the fact that
it is intermittent is a little weird.

I agree it's very weird; why it works and doesn't work for periods of time has
us stumped. The other day I had our software working without a hitch for
hours, only to find the next day I was getting the same old errors. My
co-worker has dubbed ADAM 'Another Day Another Migraine' :).

I actually kind of wonder if those Kerberos errors are actually related
for some reason.

"I wondered that too. With or without ADAM installed there are a number of
Kerberos errors logged on server start, but from what I read on the net it's
pretty normal, i.e. "Kerberos service hung on startup". With ADAM installed
there is a KDC_ERR_BADOPTION error logged religiously every 15 minutes.
Unfortunately I don't think I had the server running without ADAM long enough
to see if these errors occur without ADAM installed, but I will do that. I did
spend a little time poking around the Kerberos ticketing system on the server
and client, but I didn't see anything I thought was abnormal, or really even
related. The way the program was working/not working did seem to indicate
caching, timeouts etc., but I don't know what of."

Is it possible there is anything strange about the ADAM server from a
Kerb perspective?

"It's possible ADAM and Kerberos have a 'thing going on'; I will see if I
can find anything about it on the net. Our ADAM instance is about as simple
as they get: we add a container for computer objects and a container for user
objects. In efforts to make it work we have allowed ANONYMOUS LOGON and given
EVERYBODY all access etc. When it is working these settings are not necessary
and also not desired in the long run."

Is there a load balancer in front of the ADAM instances?

"No load balancer; the only software installed on the server is Visual Studio
6 and ADAM."

Are there any funny DNS aliases?

"No funny DNS aliases; the client is just a member of the server and the
server is the DNS server. The test scenario is run on VMware using NAT,
but the problem is easily reproduced on non-virtual clients and a server."

Are you using the Network Service or Local System account to run the
ADAM instance or a fixed service account?

"We have tried both Network Service and Local System with the same results.
At times stopping the service and changing this would somehow seem to set it
working immediately; at other times that is not the case."

What DNS name are you using to access the ADAM instance?

"The server is the DNS server for the client; both have fixed IP addresses.

Our software, a local system service (or test executable), either wants to
open, or create and open, a computer object in ADAM. We will take the current
computer's DN, like CN=SARAH-VM-XP,CN=Computers,DC=sarahsvm,DC=local, look up
the objectSid in Active Directory, convert it to a string using a function we
found in MSDN to convert without using the ConvertSidToStringSid function, and
then finally attempt to open the object using a string like
LDAP://widgee.sarahsvm.local:50000/CN=S-1-5-21-1347885190-717324418-811821162-1134,CN=Computers,CN=PDPartition.

If the object exists in ADAM the AdsOpenObject may succeed, or on other
occasions may fail with 'an operations error'. To create the object we open
our ADAM computers container and call Create on the container with the
computer's SID string as the name, i.e.
{"CN=S-1-5-21-1347885190-717324418-811821162-1134"}. Then we query the
IID_IADs interface of the new object, modify some attributes, then commit with
SetInfo. In this instance opening the computer container may fail with 'no
such object exists' even though it does.

My first post was about ldp.exe, which we run because we are pretty sure our
application has 'the credential problem', we think, as exhibited by ldp.exe.

We have now enlisted Microsoft Technical Support, so we are hoping they will
be able to reproduce and understand our issues, but if you think of anything
that may help us figure out what is going on that would be greatly
appreciated too.

Regards Sarah.


"Joe Kaplan" wrote:

This sounds like a Kerberos problem of some sort, although the fact that it
is intermittent is a little weird. I actually kind of wonder if those
Kerberos errors are actually related for some reason.

Is it possible there is anything strange about the ADAM server from a Kerb
perspective? Is there a load balancer in front of the ADAM instances? Are
there any funny DNS aliases? Are you using the Network Service or Local
System account to run the ADAM instance or a fixed service account? What
DNS name are you using to access the ADAM instance?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Sarah" <Sarah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CA781848-39AC-4B0A-BB7F-77817EDF2F83@xxxxxxxxxxxxxxxx
The server is 2003 SP2 with ADAM SP1. The client is XP SP2. Both are fully
updated.

We run ldp.exe using the AT command, i.e. AT 1:37pm /interactive c:\ldp.exe
We connect to our ADAM instance and bind as the currently logged on user.

For a period of time (hours or minutes, usually hours) it will authenticate
using the machine account, i.e. Authenticated as: 'SARAHSVM\SARAH-VM-XP$',
and then for some reason it will start authenticating as anonymous:
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' for a number of hours or
minutes. It doesn't matter if you disconnect and reconnect or run a new
ldp.exe.

We can't understand why this switches, although sometimes stopping and
starting the instance service on the server will make it switch, or rebooting
the client or server will too... or it might be coincidental.

On the server, you can see that the machine credentials are authenticated by
Kerberos and that the anonymous logons are authenticated by NTLM. I don't know
if NTLM authenticates the credentials because they are anonymous or it is an
anonymous logon because NTLM authenticated it.

We have Kerberos logging on and there are no extraordinary error events in
the system event log (there are some KDC_ERR_S_PRINCIPAL_UNKNOWN and
KDC_ERR_BADOPTION errors but they don't seem related). The only difference
between both types of logons in the ldp output window are times and
'Authenticated as'.

The reason why we are investigating this is because we have a client
application that runs a service that needs to bind to ADAM objects in our
partition. This also works for a period of time, then won't for a period of
time, then it will. The error, when it occurs, is 0x80072020 (An operations
error occurred). It exhibits the same behaviour as ldp when attempting to use
the machine's credentials.

It's not reasonable for our application to bind using user credentials, and we
give computer objects in ADAM the right to access themselves.

If anyone could shed some light on this situation that would be greatly
appreciated.

Sorry if this appears twice but I think I fluffed the first attempt.
