Thread: LDAP auth fails

  1. #1
    lavarus@bigstring.com Guest

    LDAP auth fails

    I have an issue with secure LDAP authentication on a Windows 2003
    server running in 2000 mode. Anonymous LDAP test is successful, but
    not the secure LDAP test. There are two domain controllers.

    Here are the results of netdiag: (domain name changed for security)


    Global results:


    Domain membership test . . . . . . : Passed
    Machine is a . . . . . . . . . : Member Workstation
    Netbios Domain name. . . . . . : AAAA
    Dns domain name. . . . . . . . : AAAA.local
    Dns forest name. . . . . . . . : AAAA.local
    Domain Guid. . . . . . . . . . : {F33CAB50-4A36-463B-A28C-1F2B6D556FE6}
    Domain Sid . . . . . . . . . . : S-1-5-21-1706305302-796677691-2764107765
    Logon User . . . . . . . . . . : joe.smith
    Logon Domain . . . . . . . . . : AAAA
    Logon Server . . . . . . . . . : \\AAAADC2


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{2336B8EA-F405-4BE0-944A-BC42F9B0366F}
    1 NetBt transport currently configured.


    LDAP test. . . . . . . . . . . . . : Failed

    Find DC in domain 'AAAA':
    Found this DC in domain 'AAAA':
    DC. . . . . . . . . . . : \\aaaadc2.AAAA.local
    Address . . . . . . . . : \\192.168.1.192
    Domain Guid . . . . . . : {F33CAB50-4A36-463B-A28C-1F2B6D556FE6}
    Domain Name . . . . . . : AAAA.local
    Forest Name . . . . . . : AAAA.local
    DC Site Name. . . . . . : Default-First-Site-Name
    Our Site Name . . . . . : Default-First-Site-Name
    Flags . . . . . . . . . : GC DS KDC TIMESERV WRITABLE DNS_DC
    DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8

    Do un-authenticated LDAP call to 'aaaadc2.AAAA.local'.
    Found 1 entries:
    Attr: currentTime
    Val: 17 20070308193933.0Z
    Attr: subschemaSubentry
    Val: 56 CN=Aggregate,CN=Schema,CN=Configuration,DC=AAAA,DC=local
    Attr: dsServiceName
    Val: 108 CN=NTDS Settings,CN=AAAADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
    Attr: namingContexts
    Val: 16 DC=AAAA,DC=local
    Val: 33 CN=Configuration,DC=AAAA,DC=local
    Val: 43 CN=Schema,CN=Configuration,DC=AAAA,DC=local
    Val: 34 DC=ForestDnsZones,DC=AAAA,DC=local
    Val: 34 DC=DomainDnsZones,DC=AAAA,DC=local
    Attr: defaultNamingContext
    Val: 16 DC=AAAA,DC=local
    Attr: schemaNamingContext
    Val: 43 CN=Schema,CN=Configuration,DC=AAAA,DC=local
    Attr: configurationNamingContext
    Val: 33 CN=Configuration,DC=AAAA,DC=local
    Attr: rootDomainNamingContext
    Val: 16 DC=AAAA,DC=local
    Attr: supportedControl
    Val: 22 1.2.840.113556.1.4.319
    Val: 22 1.2.840.113556.1.4.801
    Val: 22 1.2.840.113556.1.4.473
    Val: 22 1.2.840.113556.1.4.528
    Val: 22 1.2.840.113556.1.4.417
    Val: 22 1.2.840.113556.1.4.619
    Val: 22 1.2.840.113556.1.4.841
    Val: 22 1.2.840.113556.1.4.529
    Val: 22 1.2.840.113556.1.4.805
    Val: 22 1.2.840.113556.1.4.521
    Val: 22 1.2.840.113556.1.4.970
    Val: 23 1.2.840.113556.1.4.1338
    Val: 22 1.2.840.113556.1.4.474
    Val: 23 1.2.840.113556.1.4.1339
    Val: 23 1.2.840.113556.1.4.1340
    Val: 23 1.2.840.113556.1.4.1413
    Val: 23 2.16.840.1.113730.3.4.9
    Val: 24 2.16.840.1.113730.3.4.10
    Val: 23 1.2.840.113556.1.4.1504
    Val: 23 1.2.840.113556.1.4.1852
    Val: 22 1.2.840.113556.1.4.802
    Val: 23 1.2.840.113556.1.4.1907
    Attr: supportedLDAPVersion
    Val: 1 3
    Val: 1 2
    Attr: supportedLDAPPolicies
    Val: 14 MaxPoolThreads
    Val: 15 MaxDatagramRecv
    Val: 16 MaxReceiveBuffer
    Val: 15 InitRecvTimeout
    Val: 14 MaxConnections
    Val: 15 MaxConnIdleTime
    Val: 11 MaxPageSize
    Val: 16 MaxQueryDuration
    Val: 16 MaxTempTableSize
    Val: 16 MaxResultSetSize
    Val: 22 MaxNotificationPerConn
    Val: 11 MaxValRange
    Attr: highestCommittedUSN
    Val: 7 1421098
    Attr: supportedSASLMechanisms
    Val: 6 GSSAPI
    Val: 10 GSS-SPNEGO
    Val: 8 EXTERNAL
    Val: 10 DIGEST-MD5
    Attr: dnsHostName
    Val: 18 aaaadc2.AAAA.local
    Attr: ldapServiceName
    Val: 30 AAAA.local:aaaadc2$@AAAA.LOCAL
    Attr: serverName
    Val: 91 CN=AAAADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
    Attr: supportedCapabilities
    Val: 22 1.2.840.113556.1.4.800
    Val: 23 1.2.840.113556.1.4.1670
    Val: 23 1.2.840.113556.1.4.1791
    Attr: isSynchronized
    Val: 4 TRUE
    Attr: isGlobalCatalogReady
    Val: 4 TRUE
    Attr: domainFunctionality
    Val: 1 0
    Attr: forestFunctionality
    Val: 1 0
    Attr: domainControllerFunctionality
    Val: 1 2

    Do NTLM authenticated LDAP call to 'aaaadc2.AAAA.local'.
    [FATAL] Cannot do NTLM authenticated ldap_bind to
    'aaaadc2.AAAA.local': Invalid Credentials.

    Do Negotiate authenticated LDAP call to 'aaaadc2.AAAA.local'.
    [FATAL] Cannot do Negotiate authenticated ldap_bind to
    'aaaadc2.AAAA.local': Invalid Credentials.

    Registered Service Principal Names:
    MSSQLSvc/440-05.AAAA.local:1913
    HOST/440-05
    HOST/440-05.AAAA.local

    Do un-authenticated LDAP call to 'aaaadc1.AAAA.local'.
    Found 1 entries:
    Attr: currentTime
    Val: 17 20070308193933.0Z
    Attr: subschemaSubentry
    Val: 56 CN=Aggregate,CN=Schema,CN=Configuration,DC=AAAA,DC=local
    Attr: dsServiceName
    Val: 108 CN=NTDS Settings,CN=AAAADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
    Attr: namingContexts
    Val: 16 DC=AAAA,DC=local
    Val: 33 CN=Configuration,DC=AAAA,DC=local
    Val: 43 CN=Schema,CN=Configuration,DC=AAAA,DC=local
    Val: 34 DC=ForestDnsZones,DC=AAAA,DC=local
    Val: 34 DC=DomainDnsZones,DC=AAAA,DC=local
    Attr: defaultNamingContext
    Val: 16 DC=AAAA,DC=local
    Attr: schemaNamingContext
    Val: 43 CN=Schema,CN=Configuration,DC=AAAA,DC=local
    Attr: configurationNamingContext
    Val: 33 CN=Configuration,DC=AAAA,DC=local
    Attr: rootDomainNamingContext
    Val: 16 DC=AAAA,DC=local
    Attr: supportedControl
    Val: 22 1.2.840.113556.1.4.319
    Val: 22 1.2.840.113556.1.4.801
    Val: 22 1.2.840.113556.1.4.473
    Val: 22 1.2.840.113556.1.4.528
    Val: 22 1.2.840.113556.1.4.417
    Val: 22 1.2.840.113556.1.4.619
    Val: 22 1.2.840.113556.1.4.841
    Val: 22 1.2.840.113556.1.4.529
    Val: 22 1.2.840.113556.1.4.805
    Val: 22 1.2.840.113556.1.4.521
    Val: 22 1.2.840.113556.1.4.970
    Val: 23 1.2.840.113556.1.4.1338
    Val: 22 1.2.840.113556.1.4.474
    Val: 23 1.2.840.113556.1.4.1339
    Val: 23 1.2.840.113556.1.4.1340
    Val: 23 1.2.840.113556.1.4.1413
    Val: 23 2.16.840.1.113730.3.4.9
    Val: 24 2.16.840.1.113730.3.4.10
    Val: 23 1.2.840.113556.1.4.1504
    Val: 23 1.2.840.113556.1.4.1852
    Val: 22 1.2.840.113556.1.4.802
    Val: 23 1.2.840.113556.1.4.1907
    Attr: supportedLDAPVersion
    Val: 1 3
    Val: 1 2
    Attr: supportedLDAPPolicies
    Val: 14 MaxPoolThreads
    Val: 15 MaxDatagramRecv
    Val: 16 MaxReceiveBuffer
    Val: 15 InitRecvTimeout
    Val: 14 MaxConnections
    Val: 15 MaxConnIdleTime
    Val: 11 MaxPageSize
    Val: 16 MaxQueryDuration
    Val: 16 MaxTempTableSize
    Val: 16 MaxResultSetSize
    Val: 22 MaxNotificationPerConn
    Val: 11 MaxValRange
    Attr: highestCommittedUSN
    Val: 7 1677486
    Attr: supportedSASLMechanisms
    Val: 6 GSSAPI
    Val: 10 GSS-SPNEGO
    Val: 8 EXTERNAL
    Val: 10 DIGEST-MD5
    Attr: dnsHostName
    Val: 18 aaaadc1.AAAA.local
    Attr: ldapServiceName
    Val: 30 AAAA.local:aaaadc1$@AAAA.LOCAL
    Attr: serverName
    Val: 91 CN=AAAADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
    Attr: supportedCapabilities
    Val: 22 1.2.840.113556.1.4.800
    Val: 23 1.2.840.113556.1.4.1670
    Val: 23 1.2.840.113556.1.4.1791
    Attr: isSynchronized
    Val: 4 TRUE
    Attr: isGlobalCatalogReady
    Val: 5 FALSE
    Attr: domainFunctionality
    Val: 1 0
    Attr: forestFunctionality
    Val: 1 0
    Attr: domainControllerFunctionality
    Val: 1 2

    Do NTLM authenticated LDAP call to 'aaaadc1.AAAA.local'.
    [FATAL] Cannot do NTLM authenticated ldap_bind to
    'aaaadc1.AAAA.local': Invalid Credentials.

    Do Negotiate authenticated LDAP call to 'aaaadc1.AAAA.local'.
    [FATAL] Cannot do Negotiate authenticated ldap_bind to
    'aaaadc1.AAAA.local': Invalid Credentials.

    Registered Service Principal Names:
    MSSQLSvc/440-05.AAAA.local:1913
    HOST/440-05
    HOST/440-05.AAAA.local
    [FATAL] No LDAP servers work in the domain 'AAAA'.


    The command completed successfully


    Everyone can log in just fine, no issues with any shares or rights.
    However, when I install services that require a network account, the
    services will not accept the correct username and password. It locks
    the service account, and my administrator account. Specifically the
    application is Symantec Continuous Backup Protection server. I have
    spent many hours on the phone with them and they said they have never
    seen this before.

    Anyone have any ideas how to fix this? I thought about using netdom
    to reset the DC account, but I don't know if that will fix it.
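As an added triage helper, not part of the thread and not code from netdiag's authors, the script below parses the LDAP section of a netdiag dump like the one above into one record per DC: which bind mechanisms were rejected and with what reason, plus the rootDSE attributes the anonymous call returned (for example supportedSASLMechanisms and isGlobalCatalogReady). Its `classify` function separates the pattern in this post, a DC that answers anonymously but rejects every authenticated bind, from plain connectivity or DNS trouble, where even the anonymous read fails. All function and class names are mine. The sample text inside is a constructed excerpt in netdiag's layout: the DC names and failure lines follow the post, but the NTLM success on aaaadc1 is invented to exercise the mixed case, and the text netdiag prints after a successful authenticated call is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in netdiag's LDAP-test layout, not a real capture: DC names
# and failure lines follow the thread, the NTLM success on aaaadc1 is invented to
# exercise the mixed case, and the text after a successful authenticated call is assumed.
SAMPLE = """\
Do un-authenticated LDAP call to 'aaaadc2.AAAA.local'.
Found 1 entries:
Attr: subschemaSubentry
Val: 56
CN=Aggregate,CN=Schema,CN=Configuration,DC=AAAA,DC=local
Attr: dsServiceName
Val: 108 CN=NTDS Settings,CN=AAAADC2,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=AAAA,DC=local
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Do NTLM authenticated LDAP call to 'aaaadc2.AAAA.local'.
[FATAL] Cannot do NTLM authenticated ldap_bind to
'aaaadc2.AAAA.local': Invalid Credentials.
Do Negotiate authenticated LDAP call to 'aaaadc2.AAAA.local'.
[FATAL] Cannot do Negotiate authenticated ldap_bind to
'aaaadc2.AAAA.local': Invalid Credentials.
Do un-authenticated LDAP call to 'aaaadc1.AAAA.local'.
Found 1 entries:
Attr: isGlobalCatalogReady
Val: 5 FALSE
Do NTLM authenticated LDAP call to 'aaaadc1.AAAA.local'.
Found 1 entries:
Do Negotiate authenticated LDAP call to 'aaaadc1.AAAA.local'.
[FATAL] Cannot do Negotiate authenticated ldap_bind to
'aaaadc1.AAAA.local': Invalid Credentials.
"""

CALL_RE = re.compile(r"^Do (un-authenticated|NTLM authenticated|Negotiate authenticated) "
                     r"LDAP call to '([^']+)'\.$")
FATAL_RE = re.compile(r"^\[FATAL\] Cannot do (NTLM|Negotiate) authenticated ldap_bind to$")
ATTR_RE = re.compile(r"^Attr: (\S+)$")
VAL_RE = re.compile(r"^Val: (\d+)(?: (.*))?$")
MECH = {"un-authenticated": "anonymous", "NTLM authenticated": "NTLM",
        "Negotiate authenticated": "Negotiate"}


@dataclass
class DcResult:
    host: str
    binds: dict = field(default_factory=dict)    # mechanism -> None (ok) or error text
    rootdse: dict = field(default_factory=dict)  # attribute -> values from the anonymous call


def parse_netdiag_ldap(text):
    """Parse the LDAP section of netdiag output into one DcResult per DC."""
    lines = [ln.strip() for ln in text.splitlines()]
    results, current, mech, attr = {}, None, None, None
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if m := CALL_RE.match(line):
            mech = MECH[m.group(1)]
            current = results.setdefault(m.group(2), DcResult(m.group(2)))
            current.binds[mech] = None  # counts as success unless a [FATAL] follows
            attr = None
        elif (m := FATAL_RE.match(line)) and current is not None:
            # netdiag wraps the reason onto the next line: "'host': Invalid Credentials."
            reason = lines[i] if i < len(lines) else ""
            i += 1
            current.binds[m.group(1)] = reason.split(":", 1)[-1].strip().rstrip(".")
        elif (m := ATTR_RE.match(line)) and mech == "anonymous":
            attr = m.group(1)
            current.rootdse.setdefault(attr, [])
        elif (m := VAL_RE.match(line)) and attr is not None:
            # "Val: <length> <value>": the declared length lets us reassemble values that
            # mail/forum software wrapped onto following lines (assumes ASCII values)
            declared, value = int(m.group(1)), m.group(2) or ""
            while (len(value) < declared and i < len(lines) and lines[i]
                   and not lines[i].startswith(("Attr:", "Val:", "Do ", "[FATAL]"))):
                value += lines[i]
                i += 1
            current.rootdse[attr].append(value)
    return results


def classify(r):
    """'auth-rejected' is the thread's symptom: reachable DC, every authenticated bind refused."""
    if r.binds.get("anonymous", "missing") is not None:
        return "unreachable"  # not even the rootDSE read worked: connectivity/DNS, not credentials
    auth = {m: e for m, e in r.binds.items() if m != "anonymous"}
    failed = [m for m, e in auth.items() if e is not None]
    if auth and len(failed) == len(auth):
        return "auth-rejected"
    return "partial" if failed else "healthy"


if __name__ == "__main__":
    for host, r in parse_netdiag_ldap(SAMPLE).items():
        print(f"{host}: {classify(r)} {r.binds}")
```

On a real dump, call `parse_netdiag_ldap(open(path).read())`; the whole netdiag output can be passed in, since lines outside the LDAP section match none of the patterns. Comparing the per-DC results against which DC currently holds the PDC emulator role is the kind of side-by-side the later posts in this thread end up doing by hand.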


  2. #2
    Paul Williams [MVP] Guest

    Re: LDAP auth fails

    Assuming you're actually using the correct user name and password, then the
    only thing that springs to mind is that you're using a different GINA to
    hash your password, therefore the hash doesn't match when the DC performs
    its lookup. This can happen if you're using NTSE or the newer Protect Tools
    if it's not deployed everywhere, or you're not providing the obfuscated
    password.

    Does the NETDIAG test run successfully as a different user?

    Does this happen on any other machines? It might not be the DC, it could be
    the workstation. It won't harm if you reset the secure channel on the
    workstation, but I can't see what difference that will do (but now that I've
    said that it'll probably do something).

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net



  3. #3
    lavarus@bigstring.com Guest

    Re: LDAP auth fails

    Hi Paul,

    Thanks for the reply. We are not using NTSE or Protect Tools.

    Testing it with different user accounts and different computers yields
    the same result.

    I wasn't going to change the workstation secure channel, I was going
    to change the DC's secure channel but I'm a bit nervous doing that.


    On Mar 9, 3:09 am, "Paul Williams [MVP]" <ptw2...@hotmail.com> wrote:
    > Assuming you're actually using the correct user name and password, then the
    > only thing that springs to mind is that you're using a different GINA to
    > hash your password, therefore the hash doesn't match when the DC performs
    > its lookup. This can happen if you're using NTSE or the newer Protect Tools
    > if it's not deployed everywhere, or you're not providing the obfuscated
    > password.
    >
    > Does the NETDIAG test run successfully as a different user?
    >
    > Does this happen on any other machines? It might not be the DC, it could be
    > the workstation. It won't harm if you reset the secure channel on the
    > workstation, but I can't see what difference that will do (but now that I've
    > said that it'll probably do something).
    >
    > --
    > Paul Williams
    > Microsoft MVP - Windows Server - Directory Services
    > http://www.msresource.net | http://forums.msresource.net




  4. #4
    Paul Williams [MVP] Guest

    Re: LDAP auth fails

    There's not really too much to worry about when changing the DC's secure
    channel, but I'd try the workstation first, and then the DC.

    By the way, what happens when you target a different DC?

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net





  5. #5
    lavarus@bigstring.com Guest

    Re: LDAP auth fails

    I'm not sure if it's possible to target a DC with netdiag, is it?

    I haven't changed anything yet, but I noticed another weird issue.

    If I run nltest /sc_query:aaaa.local
    on the domain controller (aaaadc1) it says
    I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    however if I run it on the BDC, it says this:
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\aaaadc1.AAAA.local
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    or from any workstation it says this:
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\aaaadc2.AAAA.local
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully


  6. #6
    lavarus@bigstring.com Guest

    Re: LDAP auth fails

    On Mar 9, 1:52 pm, "lava...@bigstring.com" <lava...@bigstring.com>
    wrote:
    > I'm not sure if it's possible to target a DC with netdiag, is it?
    >
    > I haven't changed anything yet, but I noticed another weird issue.
    >
    > If I run nltest /sc_query:aaaa.local
    > on the domain controller (aaaadc1) it says
    > I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
    >
    > however if I run it on the BDC, it says this:
    > Flags: 30 HAS_IP HAS_TIMESERV
    > Trusted DC Name \\aaaadc1.AAAA.local
    > Trusted DC Connection Status Status = 0 0x0 NERR_Success
    > The command completed successfully
    >
    > or from any workstation it says this:
    > Flags: 30 HAS_IP HAS_TIMESERV
    > Trusted DC Name \\aaaadc2.AAAA.local
    > Trusted DC Connection Status Status = 0 0x0 NERR_Success
    > The command completed successfully


    I'm still at a loss. I need help.

    I've now reset the dc accounts with netdom, and it didn't help at all.

    netdiag still reports:

    Do NTLM authenticated LDAP call to 'aaaadc1.AAAA.local'.
    [FATAL] Cannot do NTLM authenticated ldap_bind to
    'aaaadc1.AAAA.local': Invalid Credentials.

    Do Negotiate authenticated LDAP call to 'aaaadc1.AAAA.local'.
    [FATAL] Cannot do Negotiate authenticated ldap_bind to
    'aaaadc1.AAAA.local': Invalid Credentials.


  7. #7
    lavarus@bigstring.com Guest

    Re: LDAP auth fails

    I'm still working on this problem...

    Status:

    What works:
    All domain logins
    All NTFS permissions
    Un-authenticated LDAP
    Dcdiag (no errors)

    What doesn't:
    Authenticated LDAP
    Nltest /sc_query:domain (from the PDC) reports
    Failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
    Nltest /sc_query:domain (from any BDC) reports
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\AAAADC3
    Trusted DC Connection Status Status = 0 0x0 NERR_Success

    Observations:

    Moving the FSMO role of PDC changes the nltest results. If dc1 is the
    PDC, nltest reports no_such_domain. If dc2 is the PDC, nltest on dc1
    is success, and nltest on dc2 says no_such_domain. DCDIAG shows no
    errors regardless.

    Changing any other FSMO role has no effect. So I know it has
    something to do with the PDC LDAP authentication.

    If anyone has any ideas, I'd like to hear them. I am an MCSE, but
    I'm baffled by this one.


  8. #8
    Paul Williams [MVP] Guest

    Re: LDAP auth fails

    The SC_QUERY failure on the PDCe is expected. I've observed this in several
    domains and accept it as the norm. Must be something to do with the fact
    that the secure channels are incoming to the PDCe, or something.

    Can you elaborate on LDAP authentication not working? Is it just the
    NETDIAG test result or are there other problems? Can you bind using LDP?

    Sorry for the delay. I've been out of the country, then ill, then on leave.
    Finally back in work with a couple of minutes to spare in these groups...

    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net





  9. #9
    lavarus@gmail.com Guest

    Re: LDAP auth fails

    On May 11, 12:24 pm, "Paul Williams [MVP]" <ptw2...@hotmail.com>
    wrote:
    > The SC_QUERY failure on the PDCe is expected. I've observed this in several
    > domains and accept it at the norm. Must be something to do with the fact
    > that the secure channels are incoming to the PDCe, or something.
    >
    > Can you elaborate on LDAP authentication not working? Is it just the
    > NETDIAG test result or are there other problems? Can you bind using LDP?
    >
    > Sorry for the delay. I've been out of the country, then ill, then on leave.
    > Finally back in work with a couple of minutes to spare in these groups...
    >
    > --
    > Paul Williams
    > Microsoft MVP - Windows Server - Directory Services
    > http://www.msresource.net | http://forums.msresource.net


    Hmmm, I didn't know that was the norm. I've never seen it before.

    There are other problems. As you can see in a previous post, the PDC
    does not see its own domain according to nltest.
    If I run nltest /sc_query:aaaa.local
    on the domain controller (aaaadc1) it says
    I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    There is bizarre behavior with service accounts.
    If I install Symantec's continuous backup protection server it will
    not accept a domain service account. The install will actually [lock]
    the service account and my own account (i.e. incorrect password 5
    times) even though my account should have nothing to do with the
    install. Months ago I spent days on the phone with Symantec, and they
    claim there is something wrong with AD.

    I recently installed a phpbb3 using LDAP authentication, and it works
    great. So I'm confused what exactly is wrong.

    I frequently see references to DNS problems when I do a google search
    on this. I don't think that's my problem, but I double checked my
    settings. The DNS setting on the PDC was set to its own IP, I just
    changed it to 127.0.0.1 instead. That didn't make a difference, but
    it was worth a shot.





