| Author | Messages | |
Tony
Posts:150
 | | 03/30/2009 10:35 PM |
| Hi all
I have an interesting bind issue that you might be able to help with.
SERVERA is running AD LDS with INSTANCE1. The instance is running under a domain-based service account. I am able to bind locally with LDP (using "Bind as currently logged on user"). When I try the same bind using the same logged on user from a remote server (running W2K8) I can connect and see RootDSE, but the bind fails with the error shown below.
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Error <82>: ldap_bind_s() failed: Local Error.
Server error:
Bizarrely, I *can* get the bind to work remotely if I use the DIGEST bind type.
I can also bind to a different instance on SERVERA with no issues. The only difference I can see is that the second instance runs under NETWORK SERVICE.
Any thoughts on what this could be? It seems to be something intrinsic to INSTANCE1 rather than the server, but I can't figure it out.
Tony
| | | |
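The LDP test in the post above can be scripted so that the same instance is tried with Negotiate, Kerberos only, NTLM only and Digest from the same machine and user, which separates "Kerberos cannot get or use a ticket for this instance" from "the account cannot authenticate at all". This PowerShell is an added example, not from the thread; it uses System.DirectoryServices.Protocols, which is present on Windows Server 2008, and binds with the current logged-on user exactly as LDP's "Bind as currently logged on user" does. The host name servera.myco.com and port 389 are placeholders for INSTANCE1. Error 82 in the LDP output is LDAP_LOCAL_ERROR (0x52), the value the script prints from LdapException.ErrorCode on a client-side failure.

```powershell
# Added example, not from the thread: try one bind per authentication type
# against an AD LDS instance using the current user's credentials, so that a
# Kerberos-only failure next to an NTLM or Digest success can be seen directly.
# Placeholders: servera.myco.com and 389 stand in for INSTANCE1's FQDN and port.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [string]$Server = "servera.myco.com",
        [int]   $Port   = 389
    )
    $types = "Negotiate", "Kerberos", "Ntlm", "Digest"
    foreach ($t in $types) {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]$t
        # Equivalent of LDP's LDAP_OPT_ENCRYPT=1: SASL sign and seal on the SSPI mechanisms.
        if ($t -ne "Digest") {
            $conn.SessionOptions.Signing = $true
            $conn.SessionOptions.Sealing = $true
        }
        try {
            $conn.Bind()          # no credential object: current logged-on user, as in LDP
            $result = "OK"
        } catch [System.DirectoryServices.Protocols.LdapException] {
            # ErrorCode 82 is LDAP_LOCAL_ERROR (the "Local Error" LDP shows);
            # ServerErrorMessage holds the server-side diagnostic when one was sent.
            $e = $_.Exception
            $result = "FAILED: code $($e.ErrorCode); $($e.Message) $($e.ServerErrorMessage)".Trim()
        } catch {
            $result = "FAILED: $($_.Exception.GetType().Name): $($_.Exception.Message)"
        } finally {
            $conn.Dispose()
        }
        New-Object PSObject -Property @{ AuthType = $t; Result = $result }
    }
}

Test-LdapBind | Format-Table AuthType, Result -AutoSize
```

Run it once on the AD LDS host and once on the remote W2K8 box. The pattern Tony describes, Kerberos failing with a local error while Digest succeeds from the remote machine only, points at ticket acquisition or validation for the instance's LDAP SPN rather than at the account or the network path, and a Kerberos-only row makes that visible without Negotiate's fallback behaviour getting in the way.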
| bdesmond
Posts:977
 | | 03/30/2009 10:37 PM |
| Is the cert trusted/valid on the remote end?
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| dgavrilov
Posts:59
 | | 03/30/2009 10:43 PM |
| LocalError is usually an indication of a Kerberos issue on the client side. You might get something in the system log, or by enabling kerb tracing. Rejoining the client machine to the domain may help too.
| | | |
| dgavrilov
Posts:59
 | | 03/30/2009 10:51 PM |
| Ah, wait, the bind succeeds to another instance that runs as NetworkService? That probably means that Instance1 is unable to register its SPNs in AD, which blocks kerb mutual auth. Does it complain about SPNs in its eventlog?
| | | |
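Dmitri's diagnosis can be checked directly against AD rather than waiting for an event log entry. The following PowerShell is an added example, not from any post in this thread: for each LDAP SPN an AD LDS instance needs it finds which account holds it and reports the three failure modes that matter here, namely SPN missing, SPN registered on a different account (typically the computer account) than the one the instance runs as, and SPN duplicated across accounts. The host name, FQDN, port 389, the service account name svc-adlds and the domain DN are placeholders for this illustration; the SPN forms ldap/<fqdn>:<port> and ldap/<host>:<port> are the ones AD LDS registers for an instance, and the port is what distinguishes two instances on one host.

```powershell
# Added example, not from the thread: locate the account that owns each LDAP SPN
# an AD LDS instance needs, and flag missing, misplaced or duplicated SPNs.
# Placeholders: SERVERA / servera.myco.com, port 389, service account svc-adlds,
# domain DC=myco,DC=com. Adjust to the instance under test.

function Test-AdLdsSpn {
    param(
        [string]$HostName    = "SERVERA",
        [string]$Fqdn        = "servera.myco.com",
        [int]   $Port        = 389,
        [string]$ServiceAcct = "svc-adlds",
        [string]$DomainDn    = "DC=myco,DC=com"
    )

    # AD LDS registers ldap/<fqdn>:<port> and ldap/<netbios>:<port> for an instance.
    $expected = @("ldap/${Fqdn}:${Port}", "ldap/${HostName}:${Port}")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $null = $searcher.PropertiesToLoad.Add("sAMAccountName")
    $null = $searcher.PropertiesToLoad.Add("objectClass")

    foreach ($spn in $expected) {
        # Escape LDAP filter metacharacters (RFC 4515) before searching for the value.
        $value = $spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $searcher.Filter = "(servicePrincipalName=$value)"

        $holders = @($searcher.FindAll() | ForEach-Object {
            New-Object PSObject -Property @{
                Account    = [string]$_.Properties["samaccountname"][0]
                IsComputer = ($_.Properties["objectclass"] -contains "computer")
            }
        })

        $status =
            if ($holders.Count -eq 0) {
                "MISSING: no account holds this SPN, so the KDC cannot issue a ticket for it"
            } elseif ($holders.Count -gt 1) {
                "DUPLICATE: held by " + (($holders | ForEach-Object { $_.Account }) -join ", ")
            } elseif ($holders[0].IsComputer) {
                "WRONG ACCOUNT: on computer account $($holders[0].Account); instance runs as $ServiceAcct"
            } elseif ($holders[0].Account -ne $ServiceAcct) {
                "WRONG ACCOUNT: on $($holders[0].Account) instead of $ServiceAcct"
            } else {
                "OK: registered on $ServiceAcct"
            }

        New-Object PSObject -Property @{ SPN = $spn; Status = $status }
    }
}

Test-AdLdsSpn | Format-Table SPN, Status -AutoSize
```

For a single SPN, setspn -Q ldap/servera.myco.com:389 gives the same answer, and setspn -X lists duplicates forest-wide; the script is for checking all of an instance's SPNs together. It also explains the second instance in Tony's post: a service running as NETWORK SERVICE is the computer account on the network, computer accounts can write their own SPNs by default, so that instance's ldap/servera.myco.com:<its port> lands on SERVERA$ without help and Kerberos works.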
| Tony
Posts:150
 | | 03/30/2009 10:55 PM |
| Hi Brian
I haven't got a cert on the remote end.
Tony
| | | |
| bdesmond
Posts:977
 | | 03/30/2009 11:10 PM |
| Sorry thought I saw TLS somewhere for some reason
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| Tony
Posts:150
 | | 03/30/2009 11:20 PM |
| Thanks Dmitri. That was it - I can now bind remotely. Because the service account was not a member of Domain Admins, I had to run the *.bat file in the data folder corresponding to the instance to register the SPNs.
Interestingly, I didn't get any errors in the log saying that the SPNs were missing. I do however get the rather cryptic error shown below. It doesn't seem to cause a problem, but still....
Log Name: ADAM (MITEST01)
Source: ADAM [MITEST01] General
Date: 31/03/2009 3:49:11 p.m.
Event ID: 1168
Task Category: Internal Processing
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SERVERA.MYCO.COM
Description: Internal error: An Active Directory Lightweight Directory Services error has occurred.
Additional Data
Error value (decimal): -1073741790
Error value (hex): c0000022
Internal ID: 3000715
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ADAM [MITEST01] General" />
    <EventID Qualifiers="49152">1168</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-03-31T02:49:11.000Z" />
    <EventRecordID>188</EventRecordID>
    <Channel>ADAM (MITEST01)</Channel>
    <Computer>SERVERA.MYCO.COM</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>-1073741790</Data>
    <Data>c0000022</Data>
    <Data>3000715</Data>
  </EventData>
</Event>
Tony
| | | |
| bdesmond
Posts:977
 | | 03/30/2009 11:22 PM |
| # for hex 0xc0000022 / decimal -1073741790 :
  STATUS_ACCESS_DENIED                                          ntstatus.h
# {Access Denied}
# A process has requested access to an object, but has not
# been granted those access rights.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| joe
Posts:106
 | | 03/30/2009 11:26 PM |
| Yes, this sounds like exactly it to me. The SPN for LDAP/server and LDAP/server.domain.com is probably on the computer account in AD, not the service account, so Kerb auth fails. You'll likely see the KERB_ERR_AP_MODIFIED error in the system event log on the ADAM.
Move the SPN to the service account and it should resolve the problem.
Joe K.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
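Tony fixed the bind by running the registration batch file AD LDS leaves in the instance's data folder; Joe K describes the same fix as moving the SPNs off the computer account and onto the service account. As an added example, not from the thread and not the AD LDS script itself, here is that move done with setspn.exe, which ships with Windows Server 2008: each SPN is deleted from the computer account where present, added to the service account with the forest-wide duplicate check that -S performs, and then read back. Host name, FQDN, port 389 and the account names are placeholders; run it as an account allowed to write servicePrincipalName on both objects.

```powershell
# Added example, not from the thread: move an AD LDS instance's LDAP SPNs from the
# computer account to the account the instance runs as, using setspn.exe.
# Placeholders: SERVERA / servera.myco.com, port 389, MYCO\svc-adlds.

$hostName = "SERVERA"
$fqdn     = "servera.myco.com"
$port     = 389
$svc      = "MYCO\svc-adlds"
$computer = 'MYCO\SERVERA$'     # computer account; single quotes keep the $ literal

$spns = @("ldap/${fqdn}:${port}", "ldap/${hostName}:${port}")

foreach ($spn in $spns) {
    # Remove the SPN from the computer account if it is there; -D on an absent
    # SPN only reports it, so the output is discarded.
    & setspn.exe -D $spn $computer | Out-Null

    # -S refuses to add an SPN that already exists anywhere in the forest,
    # which is exactly the duplicate that breaks Kerberos; fail loudly.
    & setspn.exe -S $spn $svc | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S failed for $spn (exit $LASTEXITCODE); list duplicates with: setspn -X"
    }
}

# Read back and confirm every expected SPN is now listed on the service account.
$listed  = & setspn.exe -L $svc
$missing = @($spns | Where-Object { -not ($listed -match [regex]::Escape($_)) })
if ($missing.Count -gt 0) {
    throw "Still missing on ${svc}: $($missing -join ', ')"
}
"SPNs registered on ${svc}: $($spns -join ', ')"
```

Why the SPN has to sit on the account the instance runs as: the KDC encrypts a service ticket with the long-term key of the account that owns the SPN, and the instance can only decrypt tickets with its own account's key. A ticket cut against the computer account's key fails validation in the service, which is the KRB_AP_ERR_MODIFIED Joe mentions. After the move, run klist purge on the client so it does not present a cached ticket issued for the old SPN owner.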
| listmail
Posts:822
 | | 03/31/2009 3:44 AM |
| I think I would recommend running the ADAM instance as Network Service instead. Not sure why he would want to run it as a domain account unless he wants the service to be impacted anytime someone futzes with that account.

joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
| | | |
| Tony
Posts:150
 | | 03/31/2009 10:11 PM |
| Thanks Brian (and Dmitri and Joe K)
I don't get the 1168 error event if the service account I am using is a member of the local Administrators group on the AD LDS server. From what I can find on-line <http://technet.microsoft.com/ja-jp/library/cc794945.aspx> , the service account doesn't have to be a local administrator, but you do need to give it some permissions:
The account that is used as the AD LDS service account must be able to create, read, and modify files in the directory %ProgramFiles%\Microsoft ADAM\instancename\data.
In addition to the on-line article recommendation, the service account I am using has been given the following rights:
* Log on as a service
* Generate Security Audits
I have also added the service account to the Backup Operators local group as this prevents VSS errors from being generated in the Application Event Log.
I really don't want to have to give the account local Administrators membership if I can help it (least privilege and all that). Have I missed something obvious?
Tony
| | | |
| dgavrilov
Posts:59
 | | 03/31/2009 10:47 PM |
| The service account needs to be able to update SPNs on its own object in AD. Computers can do this by default, but users cannot. It does not need to be a BA on the local box.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Murray Sent: Tuesday, March 31, 2009 7:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD LDS bind issue
Thanks Brian (and Dmitri and Joe K)
I don't get the 1168 error event if the service account I am using is a member of the local Administrators group on the AD LDS server. From what I can find on-line<http://technet.microsoft.com/ja-jp/library/cc794945.aspx>, the service account doesn't have to be a local administrator, but you do need to give it some permissions:
The account that is used as the AD LDS service account must be able to create, read, and modify files in the directory %ProgramFiles%\Microsoft ADAM\instancename\data.
In addition to the on-line article recommendation, the service account I am using has been given the following rights:
* Log on as a service
* Generate Security Audits
I have also added the service account to the Backup Operators local group as this prevents VSS errors from being generated in the Application Event Log.
I really don't want to have to give the account local Administrators membership if I can help it (least privilege and all that). Have I missed something obvious?
Tony
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Tuesday, 31 March 2009 4:17 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD LDS bind issue
# for hex 0xc0000022 / decimal -1073741790 :
STATUS_ACCESS_DENIED ntstatus.h
# {Access Denied}
# A process has requested access to an object, but has not
# been granted those access rights.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Murray Sent: Monday, March 30, 2009 10:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD LDS bind issue
Thanks Dmitri. That was it - I can now bind remotely. Because the service account was not a member of Domain Admins, I had to run the *.bat file in the data folder corresponding to the instance to register the SPNs.
Interestingly, I didn't get any errors in the log saying that the SPNs were missing. I do however get the rather cryptic error shown below. It doesn't seem to cause a problem, but still....
Log Name: ADAM (MITEST01)
Source: ADAM [MITEST01] General
Date: 31/03/2009 3:49:11 p.m.
Event ID: 1168
Task Category: Internal Processing
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: SERVERA.MYCO.COM
Description:
Internal error: An Active Directory Lightweight Directory Services error has occurred.
Additional Data
Error value (decimal): -1073741790
Error value (hex): c0000022
Internal ID: 3000715
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ADAM [MITEST01] General" />
    <EventID Qualifiers="49152">1168</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-03-31T02:49:11.000Z" />
    <EventRecordID>188</EventRecordID>
    <Channel>ADAM (MITEST01)</Channel>
    <Computer>SERVERA.MYCO.COM</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>-1073741790</Data>
    <Data>c0000022</Data>
    <Data>3000715</Data>
  </EventData>
</Event>
Tony
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov Sent: Tuesday, 31 March 2009 3:46 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD LDS bind issue
Ah, wait, the bind succeeds to another instance that runs as NetworkService? That probably means that Instance1 is unable to register its SPNs in AD, which blocks kerb mutual auth. Does it complain about SPNs in its eventlog?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov Sent: Monday, March 30, 2009 7:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD LDS bind issue
LocalError is usually an indication of a Kerberos issue on the client side. You might get something in the system log, or by enabling kerb tracing. Rejoining the client machine to the domain may help too.
| | | |
| Tony
Posts:150
 | | 03/31/2009 11:18 PM |
| Hi Dmitri
I have assigned SELF the ability to write servicePrincipalName on the service account's user object in AD. If I delete the SPNs and restart the service the SPNs are re-published automatically. Saves having to run the .bat file containing the setspn commands, which is a good thing. Thanks.
Still getting the 1168 errors, which is unrelated to the SPN issue given that toggling BA/non-BA makes a difference. I can reproduce the issue in two completely separate labs, so it doesn't appear to be an environmental thing. I must be missing a permission or privilege somewhere. I'll keep digging. In the meantime, if you have any further suggestions I'd love to hear them.
Tony
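The SPN delegation Tony describes (SELF allowed to write servicePrincipalName) plus a check that the instance's ldap SPNs are present and that no 1168/c0000022 events are being logged, as an added PowerShell example that is not code from the list or from AD LDS. It assumes the ActiveDirectory RSAT module and a caller permitted to edit the service account's ACL; the account name svc-adlds and port 50000 are placeholders, SERVERA.MYCO.COM and MITEST01 are the names from the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and that the caller may modify the service account's ACL in AD.
Import-Module ActiveDirectory

function Get-SpnAttributeGuid {
    # Resolve the schemaIDGUID of servicePrincipalName from the schema NC
    # instead of hard-coding the GUID.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
    New-Object System.Guid -ArgumentList (,[byte[]]$attr.schemaIDGUID)
}

function Grant-SelfSpnWrite {
    # Allow NT AUTHORITY\SELF (S-1-5-10) to write servicePrincipalName on the
    # service account object, and nothing else. This lets the instance
    # re-publish its own SPNs on start-up without Domain Admins membership.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $acct = Get-ADUser -Identity $SamAccountName
    $self = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $self,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AccessControlType]::Allow,
                (Get-SpnAttributeGuid))

    $path = "AD:\$($acct.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-AdLdsSpn {
    # Report whether the port-qualified ldap SPNs for the instance host are on the
    # account (short and FQDN host forms). The full set an instance registers is
    # listed in the setspn .bat file in its data folder; adjust if yours differs.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$HostFqdn,
        [Parameter(Mandatory)][int]$Port
    )
    $acct  = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName
    $have  = @($acct.servicePrincipalName)
    $short = $HostFqdn.Split('.')[0]
    foreach ($spn in @("ldap/${HostFqdn}:${Port}", "ldap/${short}:${Port}")) {
        [pscustomobject]@{ SPN = $spn; Present = ($have -contains $spn) }
    }
}

function Get-AdLdsAccessDeniedEvents {
    # Event 1168 in the "ADAM (<instance>)" log carries the NTSTATUS as its
    # second data item; c0000022 is STATUS_ACCESS_DENIED, as in the thread.
    param(
        [Parameter(Mandatory)][string]$InstanceName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = "ADAM ($InstanceName)"; Id = 1168 } `
        -ErrorAction SilentlyContinue |
      Where-Object { $_.Properties.Count -ge 2 -and $_.Properties[1].Value -eq 'c0000022' } |
      Select-Object TimeCreated, Id, @{ Name = 'HexStatus'; Expression = { $_.Properties[1].Value } }
}

# Example run with placeholder account and port (svc-adlds, 50000):
Grant-SelfSpnWrite -SamAccountName 'svc-adlds'
# Restart the instance service so it re-publishes its SPNs, then verify:
Test-AdLdsSpn -SamAccountName 'svc-adlds' -HostFqdn 'SERVERA.MYCO.COM' -Port 50000
Get-AdLdsAccessDeniedEvents -InstanceName 'MITEST01' -ComputerName 'SERVERA'
```

Grant-SelfSpnWrite delegates a plain write of the attribute, which is what the thread did; it is still narrower than local Administrators or Domain Admins, which is the point of the exercise.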
| | | |
| dgavrilov
Posts:59
 | | 03/31/2009 11:36 PM |
| Aha. This is what is failing on service startup:
// Register for LSA notifications on audit policy
NtStatus = LsaRegisterPolicyChangeNotification(PolicyNotifyAuditEventsInformation, hevDirAuditPolicyChanged);
if ( !NT_SUCCESS( NtStatus ) ) {
    KdPrint(("DS: Failed to register for audit event notification: 0x%lx\n", NtStatus ));
    LogUnhandledError(NtStatus);
}
I am not sure what privilege is required to call this, sorry. MSDN is not helpful. Perhaps SeAuditPrivilege? In any case, this is non-fatal. ADAM won't react to changes in audit policy without service restart.
| | | |
| lef
Posts:42
 | | 04/02/2009 9:01 AM |
| So SeAuditPrivilege is "Generate security audits" in the machine security policy, which Tony enabled earlier. I tried a repro and also got the 1168 error. I turned on Audit privilege use and got a failure for attempted use of SeSecurityPrivilege by the ADAM service account against lsass on service start; however, with the ADAM service account a BA I got the same audit failure but no 1168, so maybe the privilege use failure I saw is a red herring. Adding the SeSecurityPrivilege right ("Manage auditing and security log") in policy for the service account did not change anything.
I do not think this (innocuous) issue existed in ADAM SP1; the only 1168 errors I recall from ADAM SP1 were due to VSS regkey access. Running process monitor against AD LDS service start, there is a similar issue, although the key has changed from
HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
to
HKLM\System\CurrentControlSet\Control\VSS
and membership of Backup Operators seems to be OK to fix that.
Lee Flight
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| Tony
Posts:150
 | | 04/02/2009 3:45 PM |
| Hi Lee
Thanks for following up on this. I basically went through the same process with the auditing settings and local rights assignment(s) and got the same result.
I agree that this is an innocuous issue, given that assigning BA on a server is not typically a big drama. A fix and/or update to the on-line product documentation would be nice to see in the R2 timeframe (if not before).
Tony
> STATUS_ACCESS_DENIED ntstatus.h
> # {Access Denied}
> # A process has requested access to an object, but has not
> # been granted those access rights.
>
>
> Thanks,
> Brian Desmond
> brian@briandesmond.com
>
> c - 312.731.3132
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Murray
> Sent: Monday, March 30, 2009 10:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD LDS bind issue
>
> Thanks Dmitri. That was it - I can now bind remotely. Because the service account was not a member of Domain Admins, I had to run the *.bat file in the data folder corresponding to the instance to register the SPNs.
>
> Interestingly, I didn't get any errors in the log saying that the SPNs were missing. I do however get the rather cryptic error shown below. It doesn't seem to cause a problem, but still....
>
> Log Name: ADAM (MITEST01)
> Source: ADAM [MITEST01] General
> Date: 31/03/2009 3:49:11 p.m.
> Event ID: 1168
> Task Category: Internal Processing
> Level: Error
> Keywords: Classic
> User: ANONYMOUS LOGON
> Computer: SERVERA.MYCO.COM
> Description:
> Internal error: An Active Directory Lightweight Directory Services error has occurred.
>
> Additional Data
> Error value (decimal):
> -1073741790
> Error value (hex):
> c0000022
> Internal ID:
> 3000715
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="ADAM [MITEST01] General" />
> <EventID Qualifiers="49152">1168</EventID>
> <Level>2</Level>
> <Task>9</Task>
> <Keywords>0x80000000000000</Keywords>
> <TimeCreated SystemTime="2009-03-31T02:49:11.000Z" />
> <EventRecordID>188</EventRecordID>
> <Channel>ADAM (MITEST01)</Channel>
> <Computer>SERVERA.MYCO.COM</Computer>
> <Security UserID="S-1-5-7" />
> </System>
> <EventData>
> <Data>-1073741790</Data>
> <Data>c0000022</Data>
> <Data>3000715</Data>
> </EventData>
> </Event>
>
>
> Tony
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
> Sent: Tuesday, 31 March 2009 3:46 p.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD LDS bind issue
>
> Ah, wait, the bind succeeds to another instance that runs as NetworkService?
> That probably means that Instance1 is unable to register its SPNs in AD, which blocks kerb mutual auth. Does it complain about SPNs in its eventlog?
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dmitri Gavrilov
> Sent: Monday, March 30, 2009 7:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD LDS bind issue
>
> LocalError is usually an indication of a Kerberos issue on the client side. You might get something in the system log, or by enabling kerb tracing.
> Rejoining the client machine to the domain may help too.
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
> Sent: Monday, March 30, 2009 7:30 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD LDS bind issue
>
> Is the cert trusted/valid on the remote end?
>
> Thanks,
> Brian Desmond
> brian@briandesmond.com
>
> c - 312.731.3132
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Murray
> Sent: Monday, March 30, 2009 9:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] AD LDS bind issue
>
> Hi all
>
> I have an interesting bind issue that you might be able to help with.
>
> SERVERA is running AD LDS with INSTANCE1. The instance is running under a domain-based service account. I am able to bind locally with LDP (using "Bind as currently logged on user"). When I try the same bind using the same logged on user from a remote server (running W2K8) I can connect and see RootDSE, but the bind fails with the error shown below.
>
> 0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
> res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
> {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
> Error <82>: ldap_bind_s() failed: Local Error.
> Server error:
>
> Bizarrely, I *can* get the bind to work remotely if I use the DIGEST bind type.
>
> I can also bind to a different instance on SERVERA with no issues. The only difference I can see is that the second instance runs under NETWORK SERVICE.
>
> Any thoughts on what this could be? It seems to be something intrinsic to INSTANCE1 rather than the server, but I can't figure it out.
>
> Tony
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
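The thread's diagnosis was that a domain user running an AD LDS instance cannot register its own SPNs, so NEGOTIATE (Kerberos) binds from remote clients fail while DIGEST works, and the fix was to let SELF write servicePrincipalName on the account. The script below is an added example, not from the thread, that checks both conditions for a service account; it assumes the ActiveDirectory RSAT module, that AD LDS publishes ldap/<host>:<port>-style SPNs for the instance, and that the parameter defaults are placeholders for your own account, host and port.

```powershell
# Added example (not from the thread). Verifies that an AD LDS service
# account (a) holds the instance's SPN and (b) can keep it registered itself.
param(
    [string]$ServiceAccount = 'svc-adlds',        # placeholder sAMAccountName
    [string]$InstanceHost   = 'servera.myco.com', # placeholder host running the instance
    [int]   $InstancePort   = 389                 # placeholder LDAP port of the instance
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName

# 1. SPN check. The SPN form ldap/<host>:<port> is an assumption about what
#    AD LDS registers; a missing SPN is why NEGOTIATE fails while DIGEST works.
$spnPattern   = "ldap/$InstanceHost`:$InstancePort*"
$instanceSpns = @($user.servicePrincipalName | Where-Object { $_ -like $spnPattern })

# 2. ACL check. Resolve the schemaIDGUID of servicePrincipalName from the
#    schema instead of hard-coding it, then look for an Allow ACE that grants
#    SELF WriteProperty or the validated-write (Self) right on that attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
$spnGuid  = [guid]$attr.schemaIDGUID
$mask     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::Self

$acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$selfSpnAces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.ObjectType -eq $spnGuid -and
    (($_.ActiveDirectoryRights -band $mask) -ne 0)
})

# Broader grants (e.g. GenericAll on the object) are not examined here; the
# report only reflects an explicit ACE on the servicePrincipalName attribute.
[pscustomobject]@{
    Account           = $user.SamAccountName
    InstanceSpnsFound = $instanceSpns
    SelfCanWriteSpn   = ($selfSpnAces.Count -gt 0)
    NeedsAction       = ($instanceSpns.Count -eq 0 -or $selfSpnAces.Count -eq 0)
}
```

Run it as a user who can read the account's security descriptor; NeedsAction is true when either the SPN is absent or SELF has no explicit write on the attribute, which is the state Tony described before the fix.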