Re: ADAM - ldp bind credentials change when using machine account



My probability estimates are that there's a 19% chance that the ADAM LDAP
SPN will be present. They get re-registered once an hour, and they stay
alive for an average of 11 minutes. Restarting ADAM often will improve the
probability, because it re-registers SPNs on restart.

Seriously, running ADAM on a DC is not a good idea anyway.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23VpWy8RrHHA.3380@xxxxxxxxxxxxxxxxxxxxxxx
Ah, that's very interesting. I missed the fact that ADAM was running on a
DC here. It makes sense.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OLk1cdRrHHA.2368@xxxxxxxxxxxxxxxxxxxxxxx
The DC regularly whacks any "foreign" LDAP SPNs on its computer account.
This is why ADAM's SPNs disappear. Then ADAM registers them again, and
then they get whacked again. ADAM registers them once an hour. DC whacks
them once every 22 minutes. You do the math.

This behavior is why we don't recommend running ADAM on a DC as
NetworkService. You should either run it under a named user account, or
better, don't run ADAM on a DC at all.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Sarah" <Sarah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:16042656-2CA0-4EE7-B665-8A0763E27346@xxxxxxxxxxxxxxxx
Hi Joe,

The SPNs are set on CN=WIDGEE,OU=Domain Controllers,DC=sarahsvm,DC=local and the DNS is an A record.

While poking around SPNs today we noticed that just after installation the ports initially appear on the new SPNs,

ldap/widgee.sarahsvm.local:50000
ldap/widgee:50000

but very soon after they disappear. This is with no client activity at all, and re-starting the service will have them back in there.

The SPNs in the following formats

E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM\netbiosname:port
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM\dnshostname:port

do retain the port.

Also today I realized that the first 'abnormality' we come across is that when the instance service is created to run under the NT AUTHORITY\NETWORK SERVICE account the Service Connection Point object is unable to be created and the ADAM event log will say:

The directory server has failed to create the ADAM serviceConnectionPoint object in the Active Directory. This operation will be retried.

User Action
If ADAM is running under a local service account, it will be unable to update the data in the Active Directory. Consider changing the ADAM service account to either NetworkService or a domain account.

This is in direct contrast to what we are seeing, as all seems to go well if we set the service to run as LocalSystem. If it is not created during installation we create the SCP object.

Among other things Microsoft also looked at SPNs and had the developer who is liaising with them (we are on different continents) enter them in manually. They also gave him a slightly different tool set, new ldp etc. and he was able to bind to ADAM using the computer's credentials by the end of the phone call. Unfortunately after about an hour he was back to authenticating as anonymous.

Regards, Sarah.

"Joe Kaplan" wrote:

Ok, if you do a search in AD for the domain the ADAM server is a member of, which account has this SPN set on it?

LDAP/widgee.sarahsvm.local

Also, in DNS is widgee.sarahsvm.local an A record?

There is a good chance that the MS support person will have a much better chance of figuring this out than I will, but I figured I'd ask a few more questions anyway.

The behavior sounds a little like the Kerb ticket expiring after 8 hours. Perhaps your connection to ADAM is staying open for a very long time and the ticket needs to get refreshed or something? Did you try doing something to ensure that you release all of your COM objects pointing to the ADAM instance periodically? Maybe that would help.

Also, why use ADSI if using C++? By the time I've decided to write C++ code, ADSI COM programming looks less attractive to me...

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"pippo" <pippo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C3C8791F-0456-4302-8181-CF5BA5C57DAF@xxxxxxxxxxxxxxxx
Hi Joe,

Thanks for replying - I replied to you inline.

This sounds like a Kerberos problem of some sort, although the fact that it is intermittent is a little weird.

I agree it's very weird; why it works and doesn't work for periods of time has us stumped. The other day I had our software working without a hitch for hours only to find the next day I was getting the same old errors. My co-worker has dubbed ADAM as 'Another Day Another Migraine' :).

I actually kind of wonder if those Kerberos errors are actually related for some reason.

"I wondered that too. With or without ADAM installed there are a number of Kerberos errors logged on server start but from what I read on the net it's pretty normal ie: "Kerberos service hung on startup". With ADAM installed there is a KDC_ERR_BADOPTION error logged religiously every 15 minutes. Unfortunately I don't think I had the server running without ADAM long enough to see if these errors occur without ADAM installed but I will do that. I did spend a little time poking around the Kerberos ticketing system on the server and client but I didn't see anything I thought was abnormal, or really even related. The way the program was working/not working did seem to indicate caching, timeouts etc. but I don't know what of."

Is it possible there is anything strange about the ADAM server from a Kerb perspective?

"It's possible ADAM and Kerberos have a 'thing going on', I will see if I can find anything about it on the net. Our ADAM instance is about as simple as they get, we add a container for computer objects and a container for user objects. In efforts to make it work we have allowed ANONYMOUS LOGON and given EVERYBODY all access etc. When it is working these settings are not necessary and also not desired in the long run."

Is there a load balancer in front of the ADAM instances?

"No load balancer, the only software installed on the server is Visual Studio 6 and ADAM."

Are there any funny DNS aliases?

"No funny DNS aliases, the client is just a member of the server and the server is the DNS server. The test scenario is run on VMware using NAT but the problem is easily reproduced on non-virtual clients and a server."

Are you using the Network Service or Local System account to run the ADAM instance or a fixed service account?

"We have tried both Network Service and Local System with the same results. At times stopping the service and changing this would somehow seem to set it working immediately, at other times that is not the case."

What DNS name are you using to access the ADAM instance?

"The server is the DNS server for the client, both have fixed IP addresses.

Our software, a local system service (or test executable), either wants to open or create and open a computer object in ADAM. We will take the current computer's DN like CN=SARAH-VM-XP,CN=Computers,DC=sarahsvm,DC=local, look up the objectSid in Active Directory, convert it to a string using a function we found in MSDN to convert without using the ConvertSidToStringSid function and then finally attempt to open the object using a string like LDAP://widgee.sarahsvm.local:50000/CN=S-1-5-21-1347885190-717324418-811821162-1134,CN=Computers,CN=PDPartition.

If the object exists in ADAM the AdsOpenObject may succeed or on other occasions may fail with 'an operations error'. To create the object we open our ADAM computers container, call create on the container with the computer's SID string as the name, ie: {"CN=S-1-5-21-1347885190-717324418-811821162-1134"}. Then we query the IID_IADs interface of the new object, modify some attributes then commit with setInfo. In this instance opening the computer container may fail with 'no such object exists' even though it does.

My first post was about ldp.exe which we run because we are pretty sure our application has 'the credential problem', we think, as exhibited by ldp.exe.

We have now enlisted Microsoft Technical Support so we are hoping they will be able to reproduce and understand our issues but if you think of anything that may help us figure out what is going on that would be greatly appreciated too.

Regards, Sarah.


"Joe Kaplan" wrote:

This sounds like a Kerberos problem of some sort, although the fact that it is intermittent is a little weird. I actually kind of wonder if those Kerberos errors are actually related for some reason.

Is it possible there is anything strange about the ADAM server from a Kerb perspective? Is there a load balancer in front of the ADAM instances? Are there any funny DNS aliases? Are you using the Network Service or Local System account to run the ADAM instance or a fixed service account? What DNS name are you using to access the ADAM instance?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Sarah" <Sarah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CA781848-39AC-4B0A-BB7F-77817EDF2F83@xxxxxxxxxxxxxxxx
The server is 2003 SP2 with ADAM SP1. The client is XP SP2. Both are fully updated.

We run ldp.exe using the AT command, ie: AT 1:37pm /interactive c:\ldp.exe. We connect to our ADAM instance and bind as the currently logged on user.

For a period of time (hours or minutes, usually hours) it will authenticate using the machine account, ie: Authenticated as: 'SARAHSVM\SARAH-VM-XP$', and then for some reason it will start authenticating as anonymous: Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' for a number of hours or minutes. It doesn't matter if you disconnect and reconnect or run a new ldp.exe.

We can't understand why this switches, although sometimes stopping and starting the instance service on the server will make it switch, or rebooting the client or server will too.. or it might be coincidental.

On the server, you can see that the machine credentials are authenticated by Kerberos and that the anonymous logons are authenticated by NTLM. I don't know if NTLM authenticates the credentials because they are anonymous or it is an anonymous logon because NTLM authenticated it.

We have Kerberos logging on and there are no extraordinary error events in the system event log (there are some KDC_ERR_S_PRINCIPAL_UNKNOWN and KDC_ERR_BADOPTION errors but they don't seem related). The only difference between both types of logons in the ldp output window are times and 'Authenticated as'.

The reason why we are investigating this is because we have a client application that runs a service that needs to bind to ADAM objects in our partition. This also works for a period of time then won't for a period of time, then it will. The error, when it occurs, is 0x80072020 (An operations error occurred). It exhibits the same behaviour as ldp when attempting to use the machine's credentials.

It's not reasonable for our application to bind using user credentials and we give computer objects in ADAM the right to access themselves.

If anyone could shed some light on this situation that would be greatly appreciated.

Sorry if this appears twice but I think I fluffed the first attempt.
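The SPN registration/removal cycle Dmitri describes at the top of the thread (ADAM re-registers its LDAP SPNs hourly, the DC strips "foreign" LDAP SPNs from its own computer account every 22 minutes) can be confirmed rather than estimated by polling the computer account and logging each state change. The script below is an added example and is not code from anyone in this thread; it assumes the account WIDGEE, the port 50000 and the two SPN strings that Sarah lists, and a 60-second poll interval.

```powershell
# Added example (not from the thread): poll a computer account's servicePrincipalName
# attribute and log each time the ADAM LDAP SPNs appear or disappear.
# Assumed values (taken from the thread): account WIDGEE, ADAM LDAP port 50000.
param(
    [string]$ComputerName  = 'WIDGEE',
    [string[]]$ExpectedSpn = @('ldap/widgee.sarahsvm.local:50000', 'ldap/widgee:50000'),
    [int]$IntervalSeconds  = 60,
    [string]$LogPath       = "$env:TEMP\adam-spn-watch.log"
)

function Get-ComputerSpnList([string]$Name) {
    # ADSI search against the current domain; no RSAT module required.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Computer account '$Name' not found." }
    # Lower-case everything so the comparison is case-insensitive, as the KDC lookup is.
    return @($result.Properties['serviceprincipalname'] | ForEach-Object { $_.ToLower() })
}

$previous = $null
while ($true) {
    $spns    = Get-ComputerSpnList -Name $ComputerName
    $present = @($ExpectedSpn | Where-Object { $spns -contains $_.ToLower() })

    $state = 'PARTIAL'
    if ($present.Count -eq $ExpectedSpn.Count) { $state = 'PRESENT' }
    elseif ($present.Count -eq 0)              { $state = 'MISSING' }

    # Write a line only when the state changes; the resulting log is the timeline of
    # ADAM re-registering the SPNs and the DC removing them again.
    if ($state -ne $previous) {
        $line = '{0:u} {1} ({2}/{3} expected SPNs on {4})' -f (Get-Date), $state,
                $present.Count, $ExpectedSpn.Count, $ComputerName
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
        $previous = $state
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

A MISSING entry in the log that lines up with the moment ldp.exe switches from 'SARAHSVM\SARAH-VM-XP$' to 'NT AUTHORITY\ANONYMOUS LOGON' ties the Kerberos-to-NTLM fallback directly to the absent SPN; running ADAM under a named domain account, as Dmitri recommends, moves the SPNs off the DC's computer account so the DC no longer strips them.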