Can't extend one AD user object


Max DiOrio

Mar 12, 2024, 6:47:37 AM
to RCDevs Security
So far, every user I have extended with the WebADM Account to activate them has worked.

I have one account that is giving an error.  That account is in the same OU as the others that are working.

[Admin:HYKYUJNI] Could not modify LDAP object 'CN=Last\, First,OU=HQ,OU=Users,OU=Accounts,DC=internal,DC=domain,DC=com' (0000207D: UpdErr: DSID-03151BA4, problem 6002 (OBJ_CLASS_VIOLATION), data 592153)

There were a few minor differences between the two accounts regarding data in attributes, but I cleared the ones I thought would be an issue.  The same mandatory attributes exist for a successful extension and the issue account.

Is there a way to debug this further to see which field it is having an issue with? 

Yoann Traut (RCDevs)

Mar 12, 2024, 7:29:03 AM
to RCDevs Security
Hello, 

What if you try to add the objectClass from AD Users and Computers console on that object? 

Regards

Max DiOrio

Mar 13, 2024, 11:47:34 AM
to RCDevs Security
Hi Yoann,

Given this question took several weeks to be posted, I ended up figuring it out.

I had to compare the attributes between a working account and the non-working account and discovered the only difference was the following attribute set on the non-working one:  msDS-keycredentiallink

It's odd because I've never set up key pairs that I remember that would utilize this attribute.  After clearing the attribute, I was able to extend the account without issue.

Thanks.
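
The attribute-by-attribute comparison described in the post above, as an added example that is not part of the original thread and not RCDevs or WebADM code. It assumes the RSAT ActiveDirectory PowerShell module and uses the hypothetical sAMAccountNames working.user and broken.user; the OU distinguished name is the one from the error message. The first function lists every attribute that differs between a working and a failing account (skipping attributes that legitimately differ between any two users), the second finds every user in an OU that has msDS-KeyCredentialLink populated. That attribute is normally written by Windows Hello for Business or device registration; a value on a user account that nobody enrolled is worth checking before it is cleared, because writing a key into it is exactly what the "Shadow Credentials" technique does to obtain an alternate credential for the account.

```powershell
# Added example, not RCDevs/WebADM code. Requires the RSAT ActiveDirectory module.
# Account names 'working.user' and 'broken.user' are hypothetical.
Import-Module ActiveDirectory

function Compare-ADUserAttributes {
    param(
        [Parameter(Mandatory)][string]$Working,
        [Parameter(Mandatory)][string]$Broken
    )
    $a = Get-ADUser -Identity $Working -Properties *
    $b = Get-ADUser -Identity $Broken  -Properties *

    # Attributes that differ between any two accounts by nature; not interesting here.
    $ignore = 'DistinguishedName','Name','CN','SamAccountName','UserPrincipalName',
              'ObjectGUID','ObjectSID','SID','GivenName','Surname','DisplayName',
              'whenCreated','whenChanged','Created','Modified','uSNCreated','uSNChanged',
              'createTimeStamp','modifyTimeStamp','dSCorePropagationData',
              'lastLogon','lastLogonTimestamp','LastLogonDate','logonCount',
              'pwdLastSet','PasswordLastSet','badPasswordTime','badPwdCount',
              'mail','EmailAddress'

    $names = ($a.PropertyNames + $b.PropertyNames | Sort-Object -Unique) |
             Where-Object { $ignore -notcontains $_ }

    foreach ($n in $names) {
        # Multi-valued and DN-Binary attributes (msDS-KeyCredentialLink among them)
        # are joined into one string so they can be compared as a whole.
        $va = ($a.$n | ForEach-Object { "$_" }) -join ';'
        $vb = ($b.$n | ForEach-Object { "$_" }) -join ';'
        if ($va -ne $vb) {
            [pscustomobject]@{ Attribute = $n; Working = $va; Broken = $vb }
        }
    }
}

function Get-UsersWithKeyCredentialLink {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Presence filter: any user object whose msDS-KeyCredentialLink has a value.
    Get-ADUser -LDAPFilter '(msDS-KeyCredentialLink=*)' -SearchBase $SearchBase `
               -Properties 'msDS-KeyCredentialLink', whenChanged |
        Select-Object SamAccountName, whenChanged,
            @{ n = 'KeyCredentialLink'; e = { $_.'msDS-KeyCredentialLink' -join ';' } }
}

# Usage:
Compare-ADUserAttributes -Working 'working.user' -Broken 'broken.user' | Format-Table -AutoSize
Get-UsersWithKeyCredentialLink -SearchBase 'OU=HQ,OU=Users,OU=Accounts,DC=internal,DC=domain,DC=com'

# Only once the key is confirmed not to be a legitimate Windows Hello / device key,
# clear it as the post describes (this removes that alternate credential):
# Set-ADUser -Identity 'broken.user' -Clear 'msDS-KeyCredentialLink'
```

Run the comparison before touching anything: the diff shows which attributes the two objects disagree on, and the OU-wide search tells you whether the key credential is an isolated case or present on several accounts, which changes what the right response is.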

Yoann Traut (RCDevs)

Mar 13, 2024, 11:56:53 AM
to RCDevs Security
Hello, 

Thank you for your feedback.
To be honest I don't know why that attribute causes an objectClass violation when you try to activate the account... According to the information I'm reading from the MS documentation, it should not be a problem...
"The msDS-KeyCredentialLink (aka. “kcl”) attribute can be used to link an RSA key pair with a computer or user object in order to authenticate with said key pair against the KDC to receive a Kerberos TGT. So the kcl is in fact a set of alternate credentials that works alongside username/password"

I have another customer with a similar issue on a specific account; I will check with him whether that attribute is present on the account he is facing the problem with.

Regards