ADAM Bind to alias pointing local server fails

Craig Gilmour

Feb 20, 2006, 2:41:27 AM2/20/06
All,
I have a weird one that I would appreciate some help on. I have attempted
this on three separate Virtual Server instances as well as two production
servers, so it is not a specific server problem.

Scenario:

The Domain is running Windows 2000
Windows 2003 Member Server called: myserver.mydomain.com IP 192.168.0.5
DNS Alias called: adam.mydomain.com referencing myserver.mydomain.com

The Windows user I am logged on as has full admin rights over the server,
domain admin rights over the domain and full rights over ADAM.

What I can do:
1.0 Run LDP on any host other than myserver and connect and bind to
the ADAM instance using Windows credentials (currently logged on user) using
the actual hostname, IP address or DNS alias.

2.0 Run LDP on myserver and connect / bind as the currently logged on user
using the actual host name, localhost or the IP address.

What I can't do is:

3.0 Run LDP on myserver and connect / bind as the currently logged on user
using the DNS alias (adam.mydomain.com). I get a bind failure - invalid
credentials.

I have tried setting a hosts file entry instead, all to no avail. Does anyone
have any ideas?

Following is the output from LDP (I have only included the tail end of the
connection output):

1> highestCommittedUSN: 17316;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
1> dnsHostName: sqlserv.corp.riotinto.org;
1> serverName:
CN=MYSERVER$MYINSTANCE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={1F20A0DA-D571-448F-A298-3D8A0CE8901C};
3> supportedCapabilities: 1.2.840.113556.1.4.1851 = (
LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID ); 1.2.840.113556.1.4.1791 = (
LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID ); 1.2.840.113556.1.4.1880 = (
LDAP_CAP_ACTIVE_DIRECTORY_ADAM_DIGEST );
1> isSynchronized: TRUE;
1> forestFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd= <unavailable>; domain = 'NULL'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, vece
Error 0x8009030C The logon attempt failed

Lee Flight

Feb 20, 2006, 7:28:41 AM2/20/06
Hi

In negotiated authentication you will need to update the servicePrincipalName
attribute of the computer account that hosts the ADAM instance to add access
for LDAP against the DNS alias in order for Kerberos access to work. You
can do this from the command line using setspn.exe.

setspn <netbiosname of ADAM machine>

to list the current SPNs; you should see that a subset of these agree with
the ADAM SPNs specified in the ADAM Help file:

ADAM Help
Administering ADAM
Administering ADAM service principal names

You can add an SPN for LDAP on a DNS alias name, e.g.

setspn -A ldap/adam.mydomain.com:<adam port number> <netbiosname of ADAM machine>

Looking at the list of existing SPNs for the computer account should give
you the idea.

Notes:

You will probably need to be a domain admin to update the SPNs.

You can also use repadmin /writespn as per the ADAM Help instead of setspn.

Apart from LDAP\dnshostname:port, you will see SPNs for

E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM\netbiosname:port

that are used for replication. I do not believe that you will need to add to
that, as you should probably only be using the primary host name when setting
up replication (IMO).

Lee Flight


"Craig Gilmour" <CraigG...@discussions.microsoft.com> wrote in message
news:A6438DAF-CDE6-436E...@microsoft.com...

Craig Gilmour

Feb 20, 2006, 6:56:26 PM2/20/06
Lee,
Thanks very much for this pointer. It fixed the problem. I plan to have an
ADAM replica that I will fail over to if necessary. Should I simply add the
SPN to the other server's AD entry as well, or will having the same entries
against two different servers cause a problem?

Also, what I am a little confused about is why I could connect to this
DNS alias from another machine without a problem. In fact at other
deployments I have never added the SPNs - I always accessed the ADAM
instance from another server. Does Windows do the DNS translation back to the
actual host name prior to presenting the query?

In case anyone else is interested, the following are the SPNs I wrote:

c:\windows\adam\repadmin.exe /writespn mydc.mydomain.com ADD "CN=ADAMSERVER,CN=Computers,DC=corp,DC=riotinto,DC=org" ldap/adam.mydomain.com
c:\windows\adam\repadmin.exe /writespn mydc.mydomain.com ADD "CN=ADAMSERVER,CN=Computers,DC=corp,DC=riotinto,DC=org" ldap/adam.mydomain.com:389
c:\windows\adam\repadmin.exe /writespn mydc.mydomain.com ADD "CN=ADAMSERVER,CN=Computers,DC=corp,DC=riotinto,DC=org" ldaps/adam.mydomain.com:636
c:\windows\adam\repadmin.exe /writespn mydc.mydomain.com ADD "CN=ADAMSERVER,CN=Computers,DC=corp,DC=riotinto,DC=org" ldap/adam
c:\windows\adam\repadmin.exe /writespn mydc.mydomain.com ADD "CN=ADAMSERVER,CN=Computers,DC=corp,DC=riotinto,DC=org" ldap/adam:389
c:\windows\adam\repadmin.exe /writespn mydc.mydomain.com ADD "CN=ADAMSERVER,CN=Computers,DC=corp,DC=riotinto,DC=org" ldaps/adam:636

Lee Flight

Feb 21, 2006, 6:48:20 PM2/21/06
Hi

You do not want duplicate SPNs; that will break the Kerberos auth. I do
not think you can set up failover for Kerberos logons without some sort
of middle tier. You can use NLB for LDAP/LDAPS connections, but
I am not sure that would work for Kerberos SASL bind. Eric from
Microsoft is the expert in this area; maybe he will spot this thread.

Connecting to the alias from another machine I cannot explain. Are you
sure that it was a Kerberos auth and not NTLM? I do not think you
can avoid this by messing with DNS, e.g. using a CNAME rather
than an additional A record; in short, I would expect the SPN to be
required. If you confirm that is not the case I'd be interested to hear.

Thanks

Lee Flight

"Craig Gilmour" <CraigG...@discussions.microsoft.com> wrote in message

news:91DCA21E-EBE6-42DC...@microsoft.com...
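Lee's two points above (the account running the ADAM instance needs an ldap/ldaps SPN for the alias, and the same SPN registered on two accounts breaks Kerberos auth) can be checked offline against `setspn -L` output. This is an added example, not code from the thread; the account names and the sample output are constructed in the layout of `setspn -L`, and the expected SPN set mirrors the ldap/ldaps forms Craig wrote.

```python
"""Audit ADAM LDAP SPNs for a DNS alias: missing SPNs and duplicates."""
import re
from collections import defaultdict

# Constructed sample in the layout of `setspn -L <account>` output:
# a header line per account, then one indented SPN per line.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=ADAMSERVER,CN=Computers,DC=example,DC=com:
    ldap/adam.mydomain.com
    ldap/adam.mydomain.com:389
    ldaps/adam.mydomain.com:636
    HOST/ADAMSERVER
Registered ServicePrincipalNames for CN=DRSERVER,CN=Computers,DC=example,DC=com:
    ldap/adam.mydomain.com:389
    HOST/DRSERVER
"""

def parse_setspn(text):
    """Return {account_dn: set of lower-cased SPNs} from setspn -L style output."""
    spns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line)
        if m:
            current = m.group(1)
            spns[current] = set()
        elif line.strip() and current is not None:
            spns[current].add(line.strip().lower())  # SPN matching is case-insensitive
    return spns

def expected_adam_spns(alias, ldap_port=389, ldaps_port=636):
    """SPNs an ADAM instance needs for Kerberos binds against `alias`."""
    return {f"ldap/{alias}", f"ldap/{alias}:{ldap_port}",
            f"ldaps/{alias}:{ldaps_port}"}

def audit(text, account_dn, alias, ldap_port=389, ldaps_port=636):
    """Return (sorted missing SPNs on account_dn, {spn: [accounts]} for SPNs
    registered on more than one account)."""
    spns = parse_setspn(text)
    needed = {s.lower() for s in expected_adam_spns(alias, ldap_port, ldaps_port)}
    missing = sorted(needed - spns.get(account_dn, set()))
    owners = defaultdict(list)
    for acct, names in spns.items():
        for spn in names:
            owners[spn].append(acct)
    duplicates = {spn: accts for spn, accts in owners.items() if len(accts) > 1}
    return missing, duplicates

if __name__ == "__main__":
    dn = "CN=DRSERVER,CN=Computers,DC=example,DC=com"
    print(audit(SAMPLE_SETSPN_OUTPUT, dn, "adam.mydomain.com"))
```

Here the duplicate `ldap/adam.mydomain.com:389` on both accounts is exactly the situation Lee warns against, and the DR account is also missing the unported and ldaps forms.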

Joe Kaplan (MVP - ADSI)

Feb 22, 2006, 12:04:14 AM2/22/06
Couldn't you have separate A records in DNS for the 2 ADAM instances and
then create a service account in AD to run both ADAM services, giving it
both sets of ADAM SPNs that match both DNS names for the A records? You
would do this instead of using Network Service. Obviously, you'd need to
get all the permissions right for the service account as well.

I think this is the standard approach for hosting multiple versions of a
service.

I've not had luck with Kerberos and CNAME records though. Kerberos seems to
find the A record that matches the CNAME and use that to form the SPN.

Kerberos drives me crazy sometimes. :)

Joe K.

"Lee Flight" <l...@le.ac.uk-nospam> wrote in message
news:%23w2KSF0...@TK2MSFTNGP10.phx.gbl...

Craig Gilmour

Feb 22, 2006, 1:37:27 AM2/22/06
Thanks to both Joe and Lee. I am wrestling with Kerberos and non-Kerberos
access to ADAM so I need something a little bit generic for an implementation.

I think Joe's comment below describes the behaviour I am seeing when I
connect from a remote machine:


"I've not had luck with Kerberos and CNAME records though. Kerberos seems
to find the A record that matches the CNAME and use that to form the SPN"

In fact I am happy if this is the behaviour, as it negates the need for
creating another SPN. However, it seems that if ADAM is on the same server it
does need the extra SPN for some reason????

I agree that some form of NLB is definitely the way to go, but in the short
term, using a DNS alias that can be switched will suffice (I don't want round
robin). What I have is MIIS (and other apps) connecting to an ADAM instance
in a primary data centre that is on a separate server. However, in the DR
data centre ADAM is co-located with MIIS. I wanted to use the DNS alias to
save having to re-configure MIIS (and other applications that access ADAM
that are NOT kerberos aware) in the case of either an ADAM failure, or a full
DR event. I talked about LDP as I could easily simulate the problem with it.
Hence, what I will do is as follows:

1.0 Create a DNS alias called adam.mydomain.com that points to my primary
ADAM instance
2.0 Create the second ADAM instance on the same server as the DR MIIS box
and replicate data to it.
3.0 Add SPNs to the DR ADAM instance as discussed elsewhere in this thread.

This way, when the MIIS server is accessing the production ADAM instance, it
will do the translation to the real host name and connect over Kerberos
correctly - it won't care about the SPN associated with adam.mydomain.com.
When MIIS and ADAM are in failover mode, all I have to do is adjust the DNS
CNAME and MIIS will access the adam.mydomain.com SPN setting associated with
the DR ADAM instance and all should be good.

I am in the middle of testing all this now.

Funny how strange behaviour can be worked around!! Let me know if you think
this will be problematic. I will let you know if it all works as expected.

regards,
Craig Gilmour

Lee Flight

Feb 22, 2006, 9:13:41 AM2/22/06
Thanks Joe, the domain account is what I was thinking of when I mentioned
middle tier, but your observation makes me think I need to try testing what
you outlined.

Lee Flight

"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:edRcq12N...@TK2MSFTNGP11.phx.gbl...

Joe Kaplan (MVP - ADSI)

Feb 22, 2006, 11:59:55 AM2/22/06
I'm having trouble picturing it exactly, but what you are doing sounds
reasonable. Let us know if it doesn't work!

Joe K.

"Craig Gilmour" <CraigG...@discussions.microsoft.com> wrote in message

news:B1DBCD67-406D-4DBB...@microsoft.com...
