Ok, so after doing some network traces from the CF App Server, I have derived the following: the CF developers hard-coded a specific domain controller into their code. The CF page submits the username and password to that DC, and when the DC replies it answers with a referral to ldap://domaindnszones.mydomain.com. Here was my first problem: domaindnszones.mydomain.com was resolving to a DC that was just built in our office and shipped to a remote site, so it is not currently on the network. So I tried manually changing the domaindnszones.mydomain.com entries in DNS to another Global Catalog Server that is on the network, and now in my network traces I get the following error from the GC server: “LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece”
I googled that error and didn’t come up with much. Was it a good idea to change the domaindnszones entry or should I have left this alone and waited for the DC to come back online in the remote site?
-Tim
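A small diagnostic for the two things the trace above turned up, added here as an example that is not part of the thread: it parses the referral URL and the AD LdapErr string, flags the "operation on an unbound connection" case, and resolves the referral host to every address behind it so that a registered-but-offline DC shows up. The referral URL and error text in the block are constructed stand-ins; the default ldap:// port 389 is assumed.

```python
import re
import socket
from urllib.parse import unquote, urlsplit

# Constructed sample values modelled on the thread: the referral URL and the error
# string are hypothetical stand-ins, not captures from the poster's network trace.
SAMPLE_REFERRAL = "ldap://domaindnszones.mydomain.com/DC=DomainDnsZones,DC=mydomain,DC=com??sub?(objectClass=*)"
SAMPLE_ERROR = ("LdapErr: DSID-0C0905FF, comment: In order to perform this operation a "
                "successful bind must be completed on the connection., data 0, vece")
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
ERR_RE = re.compile(r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)")

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL (the form a referral carries) into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        raise ValueError("not an LDAP URL: %r" % url)
    attrs, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]  # attrs?scope?filter
    return {"host": parts.hostname, "port": parts.port or DEFAULT_PORT[parts.scheme],
            "base_dn": unquote(parts.path.lstrip("/")),
            "attributes": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": unquote(flt) or "(objectClass=*)"}

def parse_ldap_error(text):
    """Extract DSID, comment and hex data sub-code from an AD LdapErr diagnostic string."""
    m = ERR_RE.search(text)
    if not m:
        return None
    # "bind must be completed" means the request went out on a connection that never bound.
    # A client that chases a referral opens a new connection to the referred host, and that
    # connection needs its own bind before the directory will answer the search.
    return {"dsid": m["dsid"], "comment": m["comment"], "data": int(m["data"], 16),
            "unbound_connection": "bind must be completed" in m["comment"]}

def tcp_probe(ip, port, timeout=2.0):
    """True when something is listening on ip:port (a live LDAP/GC listener), else False."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_referral_target(url, resolve=socket.gethostbyname_ex, probe=tcp_probe):
    """Resolve every A record behind the referral host and probe the LDAP port on each.
    The DomainDnsZones name is registered by each DC hosting that partition, so one DC that
    is registered but offline breaks referral chasing for whichever clients land on it."""
    info = parse_ldap_url(url)
    _, _, addrs = resolve(info["host"])
    return {ip: probe(ip, info["port"]) for ip in sorted(addrs)}
```

`resolve` and `probe` are injectable so the check can be exercised offline; run against the real name, it reports which DomainDnsZones address is dead.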
From: Wright, T. MR NSSB
Sent: Thursday, July 08, 2004 2:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Application Authentication Issues with Win2003
This was along the lines of what I was
thinking, but then when I look at the default domain controllers policy it
seems to have kept all of the settings from the Win2k domain controllers
policy. I think the new 2003 DC policy would have taken effect only if I
had built a pristine 2003 domain, which I didn’t do. More
specifically I was looking at the “Digitally Sign Server Communications
Always” setting which is disabled so that shouldn’t cause a
problem, and I was looking at “Access this computer from the
Network” which I seem to remember containing the Everyone group, but now
seems to have domain\authenticated users in place of everyone.
Since my first note I have identified the
issue with the SNAP servers, it seems that the version of SNAP OS that we are
running on our devices supported Win2k AD domains but does not support Win 2003
AD Domains. For the low low price of $699, SNAP will sell us the proper
OS to work with 2003 (must be at least Version 4).
-Tim
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 08, 2004 1:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Application Authentication Issues with Win2003
It sounds like you need to change the policy to send unencrypted passwords to down-level / SMB devices.
Kenneth W. (Ken) Adams, MCSA, MCSE
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Thursday, July 08, 2004 1:35 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possibly OT: Application Authentication Issues with Win2003
All,
We are in the process of upgrading our AD domain from Win2k SP4 to Win
2003. We have a single forest with 2 domains with an empty mgmt root
domain. We have been swapping out the Win2k DCs with freshly built
Win2k3 DCs one at a time. We completed the empty root domain
without any problems, then we went to work on the child domain (which is where
all of the accounts exist). Yesterday we dcpromo’d a new Win2003 DC
into the child domain and transferred the PDCE & RID Master roles off of our
old Win2k DC that was holding the roles and onto this Win2003 machine. We
then dcpromo’d the old Win2k machine to take it out of the domain.
Here’s where things got a little crazy, since we made that switch the
following things have all stopped working:
Our Cisco VPN Concentrator has stopped being able to
authenticate users. When I look in the logs on the server when someone tries to
authenticate, it appears as a bad username/password combo, even though the
proper credentials are being supplied.
Our developers were testing AD authentication for all of our
Cold Fusion Apps in their labs for the past few months; since the upgrade, their
CFLDAP lookups have stopped working. Looking at the event logs shows
successful authentication from the CF Web Server when I log in, but it seems that
it’s never getting back to the webserver.
Last, we have a few departments that are running Snap
Servers for local file storage; these devices have also stopped being able to
authenticate users. The machines are up and on the network, but when I try to
connect to the shares I get access denied errors.
All of these things were working when the 2k box was there,
and have only stopped working since the upgrade to 2003. I have quite a
few ideas as to what could be the problem, but I wanted to see if anyone else
had experienced any issues like these.
TIA,
-Tim