Re: [ActiveDir] RPC Netlogon to AD

2004-09-08 Thread Lara Adianto
> It uses either Kerberos or NTLM based on the best protocol that can be negotiated (using the Negotiate protocol). I don't believe you can disable the netlogon. Also, your question doesn't make sense to me as the server IS using Kerberos (or NTLM) to authenticate the user to AD.

Oh, I don't know that Netlogon uses either Kerberos or NTLM; ethereal can't parse it, maybe because it's being sent encrypted. So, how does it work? Does it try Kerberos first, and only if that doesn't work will it try NTLM?
 
> If you want to ensure you are using Kerberos, you can set the OWA server to only allow Kerberos authentication. This can be set using a group policy.

Which policy? Group Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options --> ?
 
Thanks,
lara

Re: [ActiveDir] exchange 2003 & dcpromo

2004-09-06 Thread Lara Adianto
Joe: Honestly you shouldn't install Exchange or any back office products on domain controllers.
 
May I know what's the reason ? I'm curious.
 
thank you,
lara

[ActiveDir] RPC Netlogon to AD

2004-09-06 Thread Lara Adianto
Hi list,
In the process of authenticating a user login to OWA, I noticed that the front end server uses DC RPC RPC_Netlogon to authenticate the user to AD. However, as the stub data is encrypted, I couldn't really figure out how the authentication is actually done. Is it NTLM? Kerberos? Or something else?
Is there any way to disable RPC_Netlogon authentication and configure Front End to use kerberos to authenticate the user to AD ?
thanks,
lara

[ActiveDir] the truth about kerberos auth for owa

2004-08-27 Thread Lara Adianto
Hi,
 
Can anyone help me to confirm whether the following flow of kerberos authentication for OWA 2003 is correct? In the directory security tab, I only enabled integrated windows authentication for the exchange web site.
 
Let's say there are 3 parties involved:
- AD (in windows 2000 server)
- Exchange Server 2003
- Windows XP as a testing client
The three machines are in the same windows domain
 
Since the IE that the user uses to access his/her mailbox and the IIS in the exchange server are all kerberized, when a user tries to open the owa website, first of all he/she will need to authenticate him/herself to the exchange webserver using kerberos. This is done by getting a ticket for the webserver from the KDC. On behalf of the user, the web server will then send a TGS-REQ to the windows kdc to get a ticket for the ldap service. The ldap service ticket is used as a GSSAPI token in the ldap-request from exchange to AD to get information about the user's mail account.
 

Briefly, this is what happens:
1. AS-REQ from user to tgs service to get a tgt 
2. AS-REP from tgs service
3. TGS-REQ from user to get a ticket for the http service of the web server
4. TGS-REP from tgs service
5. TGS-REQ from web server for service ldap to access AD
6. TGS-REP from tgs service which contains a ticket for service ldap
7. ldap request to get user account info like the mailbox location etc. The ticket for service ldap is used as GSSAPI token for ldap authentication.
 
It's really important for me to understand how the flow of kerberos actually works for owa 2003. Can anybody share his/her ideas?
 
thanks before,
lara
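The seven steps above, run through a toy model added here (not code from the post, from Exchange or from Windows): the KDC, the user, the web server and the LDAP service are modelled in Python with constructed principal names ("lara", "HTTP/owa", "ldap/dc" and the machine account "EXCHANGE-FE$") and HMAC-sealed JSON standing in for encryption. It makes visible a point the flow leaves implicit: when the web server sends its own TGS-REQ in steps 5-6, the LDAP ticket names the web server's account, not the user, so the step 7 query runs under the server's identity unless Kerberos delegation is configured; and a service ticket cannot be reused as a TGT to ask for a ticket in the user's name.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed toy model of the seven-step flow in the post: AS exchange for the
# user, TGS exchange for the web server's HTTP service, then a TGS exchange made
# by the web server itself for the LDAP service. "Encryption" is modelled as an
# HMAC-tagged JSON blob: only a holder of the right key can open it, which is
# enough to show which client name each ticket carries. Not real Kerberos wire
# format and not the behaviour of Exchange, IIS or Windows.

REALM = "EXAMPLE.COM"   # assumed realm name, not taken from the post
LIFETIME = 600          # ticket lifetime in seconds


def seal(key, payload):
    """Model of encryption under `key`: JSON body plus HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(key, blob):
    """Model of decryption: fails unless the blob was sealed with `key`."""
    tag = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("not sealed with this key")
    return json.loads(blob["body"])


class KDC:
    """Authentication Service (steps 1-2) and Ticket-Granting Service (steps 3-6)."""

    def __init__(self, realm):
        self.tgs = f"krbtgt/{realm}"
        self.keys = {self.tgs: os.urandom(32)}   # long-term keys by principal

    def register(self, principal, key):
        self.keys[principal] = key

    def as_exchange(self, cname):
        """AS-REQ/AS-REP: a TGT sealed for the TGS, plus the session key sealed for the client."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys[self.tgs], {"cname": cname, "sname": self.tgs,
                                         "key": session, "expires": time.time() + LIFETIME})
        return tgt, seal(self.keys[cname], {"key": session, "sname": self.tgs})

    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS-REQ/TGS-REP: the new ticket names the TGT's client, whoever presents it."""
        t = unseal(self.keys[self.tgs], tgt)   # only a genuine TGT opens with the TGS key
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")
        svc = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "sname": sname,
                                         "key": svc, "expires": time.time() + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc, "sname": sname})


def authenticator(session_hex, cname):
    """Authenticator sealed under the TGT session key, proving possession of that key."""
    return seal(bytes.fromhex(session_hex), {"cname": cname, "ts": time.time()})


def owa_flow():
    """Run steps 1-7 and report the client name each service finds in its ticket."""
    kdc = KDC(REALM)
    keys = {"lara": os.urandom(32), "HTTP/owa": os.urandom(32),       # constructed principals
            "ldap/dc": os.urandom(32), "EXCHANGE-FE$": os.urandom(32)}
    for principal, key in keys.items():
        kdc.register(principal, key)

    # 1-2: the user obtains a TGT and recovers the TGT session key with her own key
    tgt, enc = kdc.as_exchange("lara")
    user_session = unseal(keys["lara"], enc)["key"]
    # 3-4: the user obtains a ticket for the web server's HTTP service
    http_ticket, _ = kdc.tgs_exchange(tgt, authenticator(user_session, "lara"), "HTTP/owa")
    # the web server opens that ticket with its own key and learns who the user is
    http_client = unseal(keys["HTTP/owa"], http_ticket)["cname"]

    # 5-6: the web server asks the TGS for an ldap ticket on its own behalf, so it
    # must present its own TGT (machine account), not the user's
    fe_tgt, enc = kdc.as_exchange("EXCHANGE-FE$")
    fe_session = unseal(keys["EXCHANGE-FE$"], enc)["key"]
    ldap_ticket, _ = kdc.tgs_exchange(fe_tgt, authenticator(fe_session, "EXCHANGE-FE$"), "ldap/dc")
    # 7: the DC's LDAP service opens the ticket; the client it sees is the web server
    ldap_client = unseal(keys["ldap/dc"], ldap_ticket)["cname"]

    # a service ticket is not a TGT: the user's HTTP ticket cannot be presented to the
    # TGS to obtain an ldap ticket in the user's name
    try:
        kdc.tgs_exchange(http_ticket, authenticator(user_session, "lara"), "ldap/dc")
        reusable = True
    except ValueError:
        reusable = False
    return {"http_client": http_client, "ldap_client": ldap_client,
            "http_ticket_reusable_as_tgt": reusable}


if __name__ == "__main__":
    print(owa_flow())
```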

[ActiveDir] Form based auth & kerberos

2004-08-27 Thread Lara Adianto

Hello,
How does form-based authentication of OWA 2003 authenticate users actually?
Using basic authentication where username & password are sent in clear?
Will kerberos work with form-based authentication?
thank you,
lara

Re: [ActiveDir] owa logon

2004-08-26 Thread Lara Adianto

> Internet Explorer is responsible for the pop-up box. Is the DLL(s) different when using forms based auth? Yes it is, since forms based auth uses the server-side information vs. the client processes.
>
> Does that help or answer your question?

I'm a bit confused here. You mean that there's no dll that IE uses to pop up the dialog box? Form-based authentication uses logon.asp to get the user credential, and relies on owaauth.dll in the exchweb/bin/auth directory for the authentication. I wonder whether the non-form-based auth also relies on owaauth.dll...
 
-lara-

[ActiveDir] owa logon

2004-08-26 Thread Lara Adianto
Hi,
 
Does anybody know which dll is responsible for popping up the logon dialog box of owa 2003 (form based authentication is disabled)?
Is the dll that processes the auth different when form based auth is enabled and when form based auth is disabled?
 
thank you

[ActiveDir] unable to generate ssl cert

2004-08-23 Thread Lara Adianto
Hello,
 
I have a problem generating an SSL cert for owa 2003 form based authentication. My environment is as follows:
- PC A --> acts as DC, domain=example.com
- PC B --> where ms exchange 2003 and the cert authority is installed, configured to be a member of domain=example.com
 
I have tested OWA without form-based auth and now would like to enable form based authentication. I followed the steps outlined in http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html, but I was unable to generate the SSL cert with the following error logged in event viewer:"Certificate Services denied request 4 because Access is denied.  0x80070005 (WIN32: 5).  The request was for C=xx, S=xxx, L=xxx, O=xxx, OU=xx, CN=xxx.xx.x.  Additional information: Denied by Policy Module 
I have googled and followed the instructions from this site: http://support.microsoft.com/default.aspx?scid=kb;en-us;281271 but the problem persists!
 
The only step from the instructions I was unsure about is: "Set permissions on the applicable certificate templates to allow users in the child domain to enroll. (NOTE: You must be logged onto the root domain with domain administrator rights.)". I'm not sure which template's permissions I should modify, and anyway, I'm unable to make any modification to the permissions (I have permission to view only, which is weird because I logged in as administrator!).
 
This is strange ! I was able to generate cert and have form-based authentication working before. But a few days ago, I had to reinstall my AD & exchange server due to AD crash. After that, I was unable to generate ssl cert.
I really have no idea why ssl cert generation which was working before now failed...Any idea guys how to trace the source of problem ?
 
Thanks!

Re: [ActiveDir] citrix installed in the same machine as exchange

2004-08-20 Thread Lara Adianto
Thank you for the fast reply Al :-)
Mmm, this is actually for experiment purposes only, not for a real system servicing users. It actually gave a warning not only for exchange but for all other programs that are already installed (including ethereal). That's why I'm wondering whether the message is worth noting or can be ignored.
 
One more question, is there any space requirement for AD ? I installed AD in a machine with 4 GB space only. I know that the requirement says that minimum 250 mb is required. However, in less than 2 weeks, I got a few errors of not enough disk space for logs and file replication in event viewer...
 
Thanks again
lara

[ActiveDir] citrix installed in the same machine as exchange

2004-08-20 Thread Lara Adianto
Hi,
 
Is it okay to install citrix metaframe xp presentation server 3.0 on the same machine as microsoft exchange server? When I wanted to install it, it gave a warning that microsoft exchange might not work properly and would need to be reinstalled. Both citrix and exchange are supposed to be in the same domain. Any restriction?
 
Thanks
lara

Re: [ActiveDir] replacing AD with openldap

2004-08-10 Thread Lara Adianto
> Lara, where do you get that OWA is doing an LDAP query for auth? OWA nor anything in the Windows world should be using LDAP auth, it should always be using kerberos and if that isn't working fall through to NTLM.

I disabled the Integrated Windows Authentication for the Exchange directory...and enabled only Basic authentication. Then, I captured the packets with ethereal and saw that it queried AD with filter cn=lara,cn=users,cn=configuration, dc=adianto,dc=com or something of that sort (I forgot the exact query). There are a lot of ldap queries being captured...not only that one actually...it seems very complicated...
I don't really understand how Basic authentication and NTLM work...

> Also as usual, Al is right on in terms of the integration between AD/Exchange. To even have an Exchange Mailbox you will need an AD user object and you aren't going to force AD to use OpenLDAP to authenticate that user.
 
Oh well...then will I have a greater chance with SAMBA?
I found this link: http://lists.samba.org/archive/samba/2004-February/080654.html
which gave me an idea to authenticate OWA to a samba PDC which will in turn use PAM_LDAP to talk to openldap. But well, it seems very tedious, and there's no guarantee that it will work. I mean, even if the OWA authentication works, will there be anything that prevents me from getting the sendmail/pop3/imap or mailbox whatsoever to work?
 
I suppose it's not possible to make OWA talk to pam_ldap directly?
 
I'm very new to all these...and not aware of the stumbling blocks that might prevent me from achieving my objective above...
 
Perhaps the experts out there can give me some hints or tips?
 
thanks again,
=lara=

Re: [ActiveDir] replacing AD with openldap

2004-08-10 Thread Lara Adianto
> I suppose the first question that comes to mind is, why? Exchange OWA is going to require you to eventually identify and authenticate to Active Directory. What's the use of doing it in openldap first?

I have an openldap server populated with the user credentials...and I don't want to replicate this information to AD. In short, I don't want to store username + password in AD.

> As it stands, I have not heard of anyone being able to change OWA's authentication to a separate LDAP directory. Exchange and Active Directory are married on too many levels.

Yes, I'm aware of this. That's why I posted this question. I can't find any information on the net. If it's not possible to direct the ldap queries to openldap, would it be possible to achieve my goal (to authenticate using openldap) by some other means? Using PAM or Samba maybe?
Hope this is clearer. Btw, I don't intend to replace the mail server with openldap. I'm just concerned with the user authentication.
Thanks for the response,
lara

[ActiveDir] replacing AD with openldap

2004-08-10 Thread Lara Adianto
Hi,

One of Outlook Web Access 2003's authentication methods
is basic authentication, which does an ldap query to
Active Directory for the username & password.

Is it possible to configure it to query an external
ldap server (such as Openldap) instead of to active
directory ? 

My objective is to make OWA to use LDAP
authentication. My LDAP server is openldap.

regards,
lara

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] exchange 2003 & dcpromo

2004-08-03 Thread Lara Adianto
Hi,
 
Is it true that we shouldn't run dcpromo when exchange 2003 is installed in a domain controller ?
 
I had a problem with the DC..so I dcpromo-ed it and then rebuilt it from the beginning.
Now I can't start the services needed by exchange. Not sure whether dcpromo is the root of the problem, but I can't start any services (not only those needed by exchange).
 
It tried to start the service...I could see the progress bar...but after waiting for quite a long time, it failed with the following error:
error 1053: the service did not respond to the start or control request in a timely fashion
 
I googled and found this link: http://www.jsiinc.com/SUBI/tip4400/rh4493.htm
The symptoms described quite match my situation (Internet Connection Wizard hangs & I couldn't see the properties of the adapter) but unfortunately the cause of the problem doesn't. The logical disk manager administrative service is set to manual and the dmadmin registry contains the appropriate value...
 
I wonder whether the following error about ntfrs found in event viewer might be the cause of the above problem:
The file replication service has detected that the replica root path has changed from "C:\WINNT\SYSVOL\DOMAIN" to "C:\WINNT\SYSVOL\DOMAIN" If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path. This was detected for the following replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 
Is the above error critical for the operation of active directory and exchange server ?
I found the following link http://support.microsoft.com/default.aspx?scid=kb;en-us;819268 which is similar to my problem, but I'm not sure whether it's the right solution since the path mentioned is "C:\bin" not "C:\WINNT\SYSVOL\DOMAIN"
 
Should I reinstall exchange on the win2k server ?
 
I'll really appreciate any inputs...
Thanks,
lara

[ActiveDir] cannot login into win2k server bec of domain controller problem

2004-07-28 Thread Lara Adianto
Hi,

I had this famous AD problem in my win2k server:

LSASS.EXE - System Error, security accounts manager
initialization failed because of the following error:
Directory Service cannot start. Error status
0xc2e1.
Please click OK to shutdown this system and reboot
into directory services restore mode, check the event
log for more detailed information.

And as you can guess, I couldn't get into the win2k
server's normal mode.
There are quite a number of sources on the net
suggesting various ways to get the server.
I've tried the following links:
- http://www.jsiinc.com/SUBF/Tip2500/rh2599.htm
- http://support.microsoft.com/default.aspx?kbid=258062
- http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20809496.html

But none of them worked for me. I've even tried doing
a lossy repair of AD dbase using esentutl.
But I still couldn't get into normal mode.
Dcpromo surely doesn't work in directory service
restore mode.

What should I do ? I don't have a backup
unfortunately. It was a test machine, so I didn't have
a thought at all to make backup (I should have done
it..sigh)
This is not the first time I had this problem. I had
the same problem a few months ago, and I had to
reinstall the win2k server...
It's the last option that I want to do now...

I wonder as well what caused this problem...
As far as I can remember, I did a configuration using
ksetup (for cross realm auth)...and so did I a few
months ago before it failed.
Could ksetup cause the corruption ? Can I do ksetup in
win2k server actually ?

Please help
lara



RE: [ActiveDir] Using Security Configuration Template instead of Ksetup...

2004-04-16 Thread Lara Adianto
> Default 8
> End Part
> End Policy
> End Category ;;Kerberos
>
> End Category ;;AdministrativeServices
> [strings]
> AdministrativeServices="System"
> Kerberos="Kerberos RealmFlags"
> RealmFlags="RealmFlags value"
> SetRealmFlags="Set YOURREALM.COM Kerberos RealmFlags variable"
> SetRealmFlags_Help="Creates the realm name variable key for YOURREALM.COM and allows referrals to work properly.\n\nThis key is created to allow the security policy defining the KDC mappings for the realm to have the proper realm name variable in the registry.\n\nThe value set here (RealmFlags) allows proper referrals from the MIT-based Kerberos realm. See http://www.citi.umich.edu/u/kwc/krb5stuff/referral.html"
> ;End of Strings
>
> **SCEREGVL.INF file
>
> [Register Registry Values]
>
> ; Kerberos
> ; ==========
> ; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95146.htm
> ; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95141.htm
>
> MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KpasswdNames,7,%Kpasswd%,4
> MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KdcNames,7,%Knames%,4
> ; ==========
>
> [Strings]
>
> ; === YOURREALM ===
> Kpasswd = "Kerberos: YOURREALM.COM realm Change Password Protocol Servers (YOURREALM)"
> Knames = "Kerberos: YOURREALM.COM realm KDC servers (YOURREALM)"
>
=== message truncated ===




[ActiveDir] Using Security Configuration Template instead of Ksetup...

2004-04-14 Thread Lara Adianto
Hello,

In 'Step-by-step Guide to Kerberos 5 Interoperability'
document, it is stated as follows:
"To deploy realm configuration data to multiple
computers, use the security configuration template
mechanism instead of using Ksetup explicitly on
individual computers"  

Is there any good document / howto about how to use
security configuration template to achieve the same
results as ksetup ?

I've been reading some of microsoft knowledge articles
such as: How to add custom registry settings to
security configuration editor, how to create custom
administrative templates in windows 2000, etc..but I
haven't got a clear picture of how it can be done
using security configuration template.

This is the part that I don't understand:
"Once the Sceregvl.inf file has been modified and
registered, your custom registry values are exposed in
the SCM UI's on that machine. You can then create
security templates or policies that define your new
registry values. These templates or policies can then
be applied to any machine regardless of whether
Sceregvl.inf has been modified on the target machine
or not." (taken from Microsoft's article: How to add
custom registry settings to security configuration
editor). Is SCM the same as security configuration
tool and analysis ?
 
Well...from reading the article, my guess is that I
will need to update sceregvl.inf, register the changes
by doing 'regsvr32 scecli.dll', and also change the
group policy.

Anyway, I've tried to update sceregvl.inf but it
didn't work :-( The changes didn't seem to be
reflected in the registry editor as what usually
happen using ksetup.

-lara- 

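The registration lines quoted in the reply above (the `[Register Registry Values]` and `[Strings]` sections of sceregvl.inf) and the steps the original post guesses at (edit sceregvl.inf, `regsvr32 scecli.dll`, then define the values in a template or policy), illustrated by a parser added here, not code from the thread or from Microsoft: it reads a constructed sceregvl.inf fragment modelled on the quoted one, resolves the `%Name%` references against `[Strings]`, and checks that each registry value type matches the control type SCE would display for it. The REG_* codes are the Win32 values; the display-type mapping is reproduced from memory of the Microsoft article the post names and is an assumption of this example.

```python
import re

# Constructed sample modelled on the sceregvl.inf fragment quoted in the thread.
# YOURREALM.COM is the placeholder the quoted file already uses; nothing here is
# taken from a real system.
SAMPLE_SCEREGVL = r"""
[Register Registry Values]
; Kerberos
MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KpasswdNames,7,%Kpasswd%,4
MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KdcNames,7,%Knames%,4

[Strings]
Kpasswd = "Kerberos: YOURREALM.COM realm Change Password Protocol Servers (YOURREALM)"
Knames = "Kerberos: YOURREALM.COM realm KDC servers (YOURREALM)"
"""

# Registry value types used in the registration lines (Win32 REG_* codes).
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
# Display types from the Microsoft article the post names; reproduced from memory,
# so treat this mapping as an assumption of the example.
DISPLAY_TYPES = {0: "boolean", 1: "number", 2: "string", 3: "choices", 4: "multivalued"}
# Registry/display pairs that fit together; a mismatch means the SCE control cannot
# hold what the registry value actually stores (e.g. a REG_MULTI_SZ edited as a number).
COMPATIBLE = {"REG_MULTI_SZ": {"multivalued"}, "REG_DWORD": {"boolean", "number", "choices"},
              "REG_SZ": {"string", "choices"}, "REG_EXPAND_SZ": {"string"}, "REG_BINARY": {"string"}}


def parse_sections(text):
    """Split an .inf into {section name (lower-case): [non-comment, non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_strings(lines):
    """[Strings] entries: Name = "value"; names are case-insensitive in .inf files."""
    out = {}
    for line in lines:
        name, _, value = line.partition("=")
        out[name.strip().lower()] = value.strip().strip('"')
    return out


def parse_registrations(text):
    """Return (entries, problems): one dict per registration line plus any checks that failed."""
    sections = parse_sections(text)
    strings = parse_strings(sections.get("strings", []))
    entries, problems = [], []
    for line in sections.get("register registry values", []):
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 4 or not (fields[1].isdigit() and fields[3].isdigit()):
            problems.append(f"malformed line: {line}")
            continue
        path, reg_code, display, disp_code = fields[:4]
        ref = re.fullmatch(r"%(.+)%", display)
        if ref:   # %Name% must resolve to a [Strings] entry, or SCE shows nothing useful
            display = strings.get(ref.group(1).lower())
            if display is None:
                problems.append(f"unresolved string {ref.group(0)} for {path}")
                continue
        hive, _, rest = path.partition("\\")
        key, _, value_name = rest.rpartition("\\")
        reg_type = REG_TYPES.get(int(reg_code))
        disp_type = DISPLAY_TYPES.get(int(disp_code))
        if hive != "MACHINE":
            problems.append(f"unexpected hive {hive!r} in {path}")
        if reg_type is None or disp_type is None:
            problems.append(f"unknown type codes {reg_code},{disp_code} for {path}")
        elif disp_type not in COMPATIBLE[reg_type]:
            problems.append(f"{reg_type} value {value_name} shown as {disp_type} control")
        entries.append({"key": key, "value_name": value_name, "reg_type": reg_type,
                        "display_name": display, "display_type": disp_type})
    return entries, problems


if __name__ == "__main__":
    found, issues = parse_registrations(SAMPLE_SCEREGVL)
    for e in found:
        print(e["value_name"], e["reg_type"], e["display_type"], "-", e["display_name"])
    print("problems:", issues)
```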


RE: [ActiveDir] failed to locate a DC...

2004-04-07 Thread Lara Adianto
Hi everybody,

Thank you for the responses...
Athif is right, the result of DcDiag was okay...
No more issue about joining a domain now

regards,
lara
--- [EMAIL PROTECTED] wrote:
> Lara, DcDiag Test seems to be okk. I guess you may
> need to review DNS
> settings. Please, check thru Event Logs for specific
> errors.
>  
> Good Luck,
> Athif
> 
> -Original Message-
> From: Lara Adianto [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 06, 2004 3:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] failed to locate a DC...
> 
> 
> I have indicated in my prev mail that I can't do
> dcpromo at all bec it can't
> find any DC.
> anyway, I've tried to do dcdiag, and apparently my
> SYSVOL was not shared.
> So, following an instruction I found on the net, I
> managed to share it. but 
> 
>   Starting test: frssysvol
>  Error: No record of File Replication
> System, SYSVOL started.
>  The Active Directory may be prevented from
> starting.
>  . TEST_W2KSERVER
> passed test frssysvol   
>  
> I attached the complete result of dcdiag.
>  
> Thank you for your help. I really appreciate it
>  
> -lara-
> "Rutherford, Robert"
> <[EMAIL PROTECTED]> wrote:
> 
> It looks to me like this a brand new domain? If not
> then I would suggest a
> DCPROMO down and up again. I'd also uninstall DNS
> and let the DCPROMO wizard
> install it.
>  
> If it's not a new domain and it's live in production
> then please come back
> and we'll take it further.
>  
> BR
>  
> Rob
[ActiveDir] failed to locate a DC...

2004-04-06 Thread Lara Adianto
Hello,
 
I have been struggling with this problem for almost a day, and hope to get a hand through this mailing list.
 
The problem is that I can't make a windows2000 prof. client to join a w2k domain.
I'm using a win2k server as the DNS and AD server.
 
When I tried to add the client to the domain, the following message box popped up:
The following error occurred validating the name 'my.domain.com'
This condition may be caused by a DNS lookup problem. For more information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171
 
Believe it or not, I have followed every single step stated in the link to resolve the problem of 'error during domain join'
 
Then...I used some tools to find the DC in my win2k server:
%NLTEST /DSGETDC:my.domain.com
DcGetDcName failed: status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
 
%NETDIAG /TEST:DSGETDC /D:my.domain.com
-- snip --
Domain membership test...:failed
[WARNING]: The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
---
DC discovery test.: failed
Find DC in domain 'my.domain': [FATAL] Cannot Find DC in domain 'my.domain'. [ERROR_NO_SUCH_DOMAIN]
I was thinking to dcpromo my AD, and restart everything from the beginning.
Well, maybe my DNS and AD setup are not correct or they are somehow corrupted.
But dcpromo also failed to find a DC !! It says: Failed finding a suitable domain controller for the domain "The specified domain either doesn't exist or could not be contacted"
 
I tried to delete my DNS record as well. It seems to be deleted, but when I closed the window and opened it again, the record was still there. Was it deleted ?
 
Now I'm really stuck.
 
Please help me,
lara
 
ps: btw, pinging the machine does work
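Both NLTEST /DSGETDC and NETDIAG's DC discovery test go through DsGetDcName, which locates a DC by asking DNS for the SRV records that a DC's Netlogon service registers under _msdcs; status 1355 (ERROR_NO_SUCH_DOMAIN) is what comes back when those records cannot be found at the DNS server the client is using (the netdiag warning that SYSVOL has not finished replicating is also consistent with a DC that is not yet advertising itself). The Python below is an added example, not part of the thread: with only the standard library it builds a raw DNS SRV query for those record names, parses the answer (including compressed names) and can be pointed at one specific DNS server. The domain my.domain.com, the DNS server 192.0.2.53 mentioned in the comments, and the dc1/dc2 host names in the constructed sample answer are assumptions.

```python
import socket
import struct
import sys

SRV, IN = 33, 1   # QTYPE SRV, QCLASS IN


def dc_locator_records(domain):
    """Records a DC registers; DsGetDcName starts with the first one."""
    return [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}",
            f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}", f"_kpasswd._tcp.{domain}"]


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_srv_query(name, txid=0x1234):
    """12-byte header (id, flags RD=1, qdcount=1) followed by one SRV question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", SRV, IN)


def _read_name(msg, off):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:              # pointer: jump, but remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) in selection order."""
    _id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    # RFC 2782 order: lowest priority first, higher weight preferred within it
    return flags & 0xF, sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def build_srv_response(txid, name, answers, rcode=0):
    """Encode a response carrying SRV answers (used for the constructed sample)."""
    out = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    out += encode_name(name) + struct.pack(">HH", SRV, IN)
    for prio, weight, port, target in answers:
        rdata = struct.pack(">HHH", prio, weight, port) + encode_name(target)
        # 0xC00C points back at the question name at offset 12, as real servers do
        out += b"\xc0\x0c" + struct.pack(">HHIH", SRV, IN, 600, len(rdata)) + rdata
    return out


def lookup_srv(name, server, timeout=3.0):
    """Live lookup against one DNS server.  rcode 3 (NXDOMAIN) or an empty list for
    _ldap._tcp.dc._msdcs.<domain> is what DsGetDcName reports as ERROR_NO_SUCH_DOMAIN."""
    query = build_srv_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_srv_response(data)


if __name__ == "__main__":
    if len(sys.argv) == 3:                     # e.g. dclocate.py my.domain.com 192.0.2.53
        for rec in dc_locator_records(sys.argv[1]):
            print(rec, lookup_srv(rec, sys.argv[2]))
    else:                                      # constructed sample answer, parsed offline
        sample = build_srv_response(0x1234, "_ldap._tcp.dc._msdcs.my.domain.com",
                                    [(10, 50, 389, "dc2.my.domain.com"), (0, 100, 389, "dc1.my.domain.com")])
        print(parse_srv_response(sample))     # (0, [(0, 100, 389, 'dc1.my.domain.com'), (10, 50, 389, 'dc2.my.domain.com')])
```

Run it with the domain name and the IP address of the DNS server the client is configured to use (not whatever the machine running the script happens to resolve through). An empty list or rcode 3 for _ldap._tcp.dc._msdcs.<domain> means the client has nothing to locate, and the fix belongs on the DNS side (the zone must accept the DC's dynamic registration, or the records must be created by hand), not in the join dialog.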

RE: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

2004-03-26 Thread Lara Adianto
Hello all,
 
I managed to solve the following problem:
"The system can not log you on due to the following error: No mapping between account names and security IDs was done. Please try again or consult your system administrator."
 
It's simply because I hadn't added the user to the list of users for the computer (",)
I can now authenticate using Kerberos Realm. 
 
Thanks for all who have replied to my mail,
- lara -
 
Lara Adianto <[EMAIL PROTECTED]> wrote:

Thanks to Brent and Arden who have given me some insights, though I'm not fully successful yet, but I can see a progress...

Apparently, my biggest problem was the DNS server setup. I managed to come over the problem (phiughh).

Now, the problem is when a client wants to login with the domain set to Kerberos Realm (I use Heimdal):
username: lara
password: password
domain: MY_KERBEROS_REALM.COM (Kerberos Realm)

the following windows login message pops up:
The system can not log you on due to the following error: No mapping between account names and security IDs was done. Please try again or consult your system administrator.

With reference from the following resources:
- http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
- http://www.pdc.kth.se/heimdal/heimdal.html (there's one section about how to configure windows 2000 to use a Heimdal KDC)

I have done the following steps:

On W2K Server:
1. Create a domain W2K_DOMAIN_REALM in my W2K server
2. Add Inter-realm keys for W2K_DOMAIN_REALM (Domain Tree Management Tool --> W2K_DOMAIN_REALM --> Trusts tab --> add MY_KERBEROS_REALM.COM on both directions)
3. Create a user lara, and create account mappings to [EMAIL PROTECTED]
4. Use Ksetup to add kdc:
C:> ksetup /addkdc MY_KERBEROS_REALM.COM kerberos.my_kerberos_realm.com
5. Use Netdom.exe to make it transitive (I'm not sure whether this is needed actually)

On KDC (Linux machine):
1. Create a host principal in the kerberos realm
shell% kadmin -l -r MY_KERBEROS_REALM.COM
kadmin> ank -p password host/myhost.my_kerberos_realm.com
(I'm not sure what's the purpose of creating this host principal, bec the client seems to search for server: host/[EMAIL PROTECTED] for the authentication)
2. Add Inter-realm keys:
kadmin> add krbtgt/[EMAIL PROTECTED]
kadmin> add krbtgt/[EMAIL PROTECTED]
3. Add [EMAIL PROTECTED]
4. Kinit [EMAIL PROTECTED]
5. Add host/CLIENT_MACHINE_NAME (If not, the client authentication failed, with the following error being logged: KDC_ERR_S_PRINCIPAL_UNKNOWN, for server: host/CLIENT_MACHINE_NAME)

On W2K Client machine:
1. Use ksetup:
C:> ksetup /setdomain MY_KERBEROS_REALM.COM
C:> ksetup /addkdc MY_KERBEROS_REALM.COM kerberos.my_kerberos_realm.com
C:> ksetup /setmachpassword password
C:> ksetup /mapuser [EMAIL PROTECTED] lara

And I have rebooted the client machine every time I make changes.

What else can I miss? Did I do the right things?

I will really appreciate it if someone can give a brief explanation of how the authentication of a W2K client using an MIT/Heimdal Kerberos KDC works. It seems to me that it's the client who contacts the Kerberos Realm for authentication and not the W2K server... Is this the right way to go? But if that's the way, then when will the account mapping for the kerberos realm created in AD be used in this authentication process? What's the purpose of having the trust relationship between W2K and the Kerberos Realm? Why does my client contact host/[EMAIL PROTECTED] for authentication?

Hope somebody can help me,
Lara

--- Arden Pineda <[EMAIL PROTECTED]> wrote:
> Do you have the RealmFlags value set for the Kerberos domain on windows machines (DCs & member machines)? I believe the ksetup utility does not have the option to set the realmflags setting, but I could be wrong. You need this setting, aside from the KpasswdNames and KdcNames, especially for non-MIT kerberos. In our environment, we have it set to 8. For more details, consult the regentry.chm file included in the Windows 2000 Resource Kit.
>
> I have included the list of Kerberos registry entries that you need below.
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\EXAMPLE.COM]
>
> Key: RealmFlags
> Type: DWORD
> Value: 8
>
> Key: KPasswdNames
> Type: MULTI_SZ
> Value: yourkpasswdserver.example.com
>
> Key: KdcNames
> Type: MULTI_SZ
> Value: yourkdc.example.com
> yourkdc2.example.com
>
> We used a custom adm to deploy these settings to all our machines. I hope this helps.
>
> Regards,
> Arden
>
> _
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
> Sent: Tuesday, March 23, 2004 8:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
>
> http://www.vintela.com/products/vas/

RE: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

2004-03-25 Thread Lara Adianto
> Hmmm,
> 
> sorry no experience with heimdal...
> 
> did you follow the steps in the following article? They are designed for an mit realm, but if you consult your heimdal documentation you should be able to find equivalent commands.
> 
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> 
> looks like you configured AD to trust the kerberos realm, but not the kerberos realm to trust AD. You will need to configure what are called cross-realm principals for this.
> 
> example command for an MIT realm.
> 
> % kadmin -q "ank -pw password krbtgt/[EMAIL PROTECTED]"
> % kadmin -q "ank -pw password krbtgt/[EMAIL PROTECTED]"
> 
> Also if your clients are going to authenticate directly to your kerberos realm then you may have to create a host principal (kerberos equivalent to a computer account) in your kerberos realm for each client that you are directly authenticating.
> 
> Brent Westmoreland
> 
> On Mar 23, 2004, at 5:11 AM, Lara Adianto wrote: 
> 
>  
> 
> Thank you Robbie, but I still can't get it to work
> :-( 
> 
> When a win2k client tries to log in using my linux 
> 
> kerberos realm, it fails with error message: 
> 
> The system could not log you on. Make sure that the 
> 
> username and password are correct. Letters in the 
> 
> password must be typed in the correct case...bla bla
> 
> 
> bla 
> 
>  
> 
> So...I'm wondering if I have missed some steps. 
> 
> Let's say that I use the following values: 
> 
> Windows realm: EXAMPLE.COM 
> 
> Linux realm: EXAMPLE1.COM 
> 
> username: lara 
> 
>  
> 
> These are the steps that I followed: 
> 
> 1. Create an External trust for EXAMPLE.COM 
> 
> - On Active Directory Domains and Trusts, for domain
> 
> 
> EXAMPLE.COM, I added EXAMPLE1.COM to 'Domains
> trusted 
> 
> by this domain' 
> 
> 2. Create Account Mapping 
> 
> - On Active Directory Users and Computers, for user 
> 
> lara, I created the name mapping to kerberos realm: 
> 
> [EMAIL PROTECTED] 
> 
> 3. Configure client to log in using linux kerberos 
> 
> realm 
> 
> - On client machine: ksetup /addkdc EXAMPLE1.COM 
> 
> kerberos.example1.com 
> 
>  
> 
> That's it.. 
> 
>  
> 
> Do I miss something here ? like resolving DNS ? any 
> 
=== message truncated ===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

2004-03-23 Thread Lara Adianto
Thank you Robbie, but I still can't get it to work :-(
When a win2k client tries to log in using my linux
kerberos realm, it fails with error message: 
The system could not log you on. Make sure that the
username and password are correct. Letters in the
password must be typed in the correct case...bla bla
bla

So...I'm wondering if I have missed some steps.
Let's say that I use the following values:
Windows realm: EXAMPLE.COM
Linux realm: EXAMPLE1.COM
username: lara

These are the steps that I followed:
1. Create an External trust for EXAMPLE.COM
- On Active Directory Domains and Trusts, for domain
EXAMPLE.COM, I added EXAMPLE1.COM to 'Domains trusted
by this domain' 
2. Create Account Mapping
- On Active Directory Users and Computers, for user
lara, I created the name mapping to kerberos realm:
[EMAIL PROTECTED]
3. Configure client to log in using linux kerberos
realm
- On client machine: ksetup /addkdc EXAMPLE1.COM
kerberos.example1.com

That's it..

Do I miss something here ? like resolving DNS ? any
case-sensitive issue ? 

I also notice that when I check the ksetup on my
client:
C:> ksetup
default realm = example.com  
EXAMPLE1.COM:
 kdc = kerberos.example1.com
Failed to create Kerberos key: 5

Is this normal ?

O ya, btw my linux KDC is Heimdal and not MIT
Kerberos,  I hope this won't be an issue...

Fiuhh...This is not as simple as I thought...
Anybody has got this work before ?

-lara-

--- Robbie Foust <[EMAIL PROTECTED]> wrote:
> Hi Lara,
> 
> I think what you are looking for is this... In AD
> Users & Computers, 
> click on "View" at the top and turn on "Advanced
> Features."  Then, right 
> click on the user account and click on "Name
> Mappings..."  Then click on 
> the "Kerberos Names" tab and add the principal name
> there (such as 
> [EMAIL PROTECTED]).
> 
> Hope this helps!
> 
> - Robbie
> 
> Robbie Foust, IT Analyst
> Systems and Core Services
> Duke University
> 
> 
> 
> 
> Lara Adianto wrote:
> 
> >Thanks for all the replies guys..(I love this
> mailing
> >list) :-)
> >
> >After spending sometimes understanding the kerberos
> >concept in windows, I believe that to achieve my
> goal,
> >I need to create a two way trust relationship
> between
> >the windows 2000 domain and my kerberos realm on
> linux
> >machine (just like what Robbie has suggested)
> >
> >The following is an excerpt from windows 2000
> Kerberos
> >Interoperability white paper (page 15):
> >
> >Two-Way Trust
> >...
> >Goals
> >The analysts authenticate to the Kerberos realm and
> >can then access both UNIX-based resources and
> Windows
> >2000-based applications and services.
> >
> >* Kerberos Clients: Windows 2000 Professional
> >* Kerberos KDC: UNIX-based Kerberos V5 KDC
> >* Target Resource: Windows Application, File
> and
> >Print Services 
> >
> >Implementation
> >This scenario builds on the client configuration
> and
> >one-way trust implementations. First, the Windows
> >2000-based clients will be configured to logon to
> the
> >Kerberos realm as discussed earlier. Secondly, a
> >one-way trust relationship must be set up between
> the
> >Windows 2000 domain and the Kerberos realm (the
> >Windows domain trusts the Kerberos realm as an
> account
> >domain). Finally, each Kerberos principal in the
> realm
> >must have a corresponding Windows 2000 account.
> Each
> >corresponding account (proxy account) in Windows
> 2000
> >must have the AltSecurityId property populated with
> >the Kerberos principal name including the realm,
> for
> >example, [EMAIL PROTECTED] 
> >
> >
> >
> >Currently, I'm in the middle of trying to implement
> >the above hints. I have added the external trust in
> my
> >win2k domain. I have configured the client to
> >authenticate to my linux's kerberos realm using
> ksetup
> >(thanks Robbie)...
> >
> >BUT I'm stuck with the account mapping. I've
> >already got win2k account for my kerberos principal
> in
> >linux. Then the hint says that the mapping is
> >contained in the AltSecurityId property of each
> win2k
> >user. 
> >
> >The problem is that I don't know how to set this
> >AltSecurityId. I can't find it in the Active
> Directory
> >Users and Computer.
> >
> >Where can I set the AltSecurityId to my linux
> kerberos
> >realm ? (This might be a dummy question, but I've
> >tried to seek help on the net, but couldn't find
> >anything)
> >

Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

2004-03-22 Thread Lara Adianto
Thanks for all the replies guys..(I love this mailing
list) :-)

After spending sometimes understanding the kerberos
concept in windows, I believe that to achieve my goal,
I need to create a two way trust relationship between
the windows 2000 domain and my kerberos realm on linux
machine (just like what Robbie has suggested)

The following is an excerpt from windows 2000 Kerberos
Interoperability white paper (page 15):

Two-Way Trust
...
Goals
The analysts authenticate to the Kerberos realm and
can then access both UNIX-based resources and Windows
2000-based applications and services.

* Kerberos Clients: Windows 2000 Professional
* Kerberos KDC: UNIX-based Kerberos V5 KDC
* Target Resource: Windows Application, File and
Print Services 

Implementation
This scenario builds on the client configuration and
one-way trust implementations. First, the Windows
2000-based clients will be configured to logon to the
Kerberos realm as discussed earlier. Secondly, a
one-way trust relationship must be set up between the
Windows 2000 domain and the Kerberos realm (the
Windows domain trusts the Kerberos realm as an account
domain). Finally, each Kerberos principal in the realm
must have a corresponding Windows 2000 account. Each
corresponding account (proxy account) in Windows 2000
must have the AltSecurityId property populated with
the Kerberos principal name including the realm, for
example, [EMAIL PROTECTED] 



Currently, I'm in the middle of trying to implement
the above hints. I have added the external trust in my
win2k domain. I have configured the client to
authenticate to my linux's kerberos realm using ksetup
(thanks Robbie)...

BUT I'm stuck with the account mapping. I've
already got win2k account for my kerberos principal in
linux. Then the hint says that the mapping is
contained in the AltSecurityId property of each win2k
user. 

The problem is that I don't know how to set this
AltSecurityId. I can't find it in the Active Directory
Users and Computer.

Where can I set the AltSecurityId to my linux kerberos
realm ? (This might be a dummy question, but I've
tried to seek help on the net, but couldn't find
anything)

Thanks a bunch,
Lara

--- Robbie Foust <[EMAIL PROTECTED]> wrote:
> You actually don't configure AD, what you need to do
> is run ksetup.exe 
> on the workstations (must be 2000 or XP) and add the
> kerberos realm & 
> kerberos servers. (ksetup is part of the support
> tools). For example:
> 
> C:\> ksetup /addkdc MIT.KERBREALM.COM
> kserver.kerb.com
> 
> and then when the user logs in, they must select
> that realm from the 
> drop down list.
> 
> Also, the user account in AD needs to have the
> kerberos name mapping 
> added so AD will know how to match up the accounts. 
> The name mapping 
> would be something like "[EMAIL PROTECTED]".
> 
> So basically, the password stored in AD is ignored. 
> Let me know if this 
> helps, or if this isn't what you're trying to do at
> all. :-)
> 
> Robbie Foust, IT Analyst
> Systems and Core Services
> Duke University
> 
> 
> 
> 
> Lara Adianto wrote:
> > Hi guys,
> >  
> > As what the subject title said: can Microsoft
> Active Directory be 
> > configured to authenticate to an external ldap
> server (openLDAP in my 
> > case) ?
> >  
> > To make things clearer, this is the objective that
> I want to achieve:
> > I want authentication of Microsoft Active
> Directory's clients to be 
> > done by OpenLDAP server on Linux. So, when a
> client of Microsoft Active 
> > Directory authenticates itself to MS AD, MS AD
> will ask openLDAP for 
> > authentication service. openLDAP will return
> return reject or allow to 
> > MS AD. 
> >  
> > I believe that this can be achieved by using
> Kerberos. I currently have 
> > GSSAPI mechanism running on my openLDAP server,
> but I am not sure how to 
> > make MS AD talk to my openLDAP server.
> >  
> > Any idea, suggestions, hints will be very
> appreciated
> >  
> > Cheers
> > - Lara -
> >  
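The 26 March steps at the top of this thread, Brent's diagnosis quoted in the 25 March message (cross-realm krbtgt principals and a host principal missing on the Heimdal side), and the 23 March and 22 March questions about where the mapping lives all describe one set of pieces that has to exist on three machines. The Python below is an added example, not code from the thread, from Microsoft or from Heimdal: it models those pieces and reports what is missing. It uses the realm names EXAMPLE.COM and EXAMPLE1.COM from the 23 March message, an assumed client name w2kclient, and the "Kerberos:user@REALM" form that the Name Mappings dialog writes into the altSecurityIdentities attribute (the AltSecurityId property in the white paper). The two setup functions reconstruct the 23 March and the 26 March states as the messages describe them; the secrets that must agree on both sides (ksetup /setmachpassword versus the host principal's key, the trust password versus the kadmin -pw password) cannot be checked this way and are not modelled, nor is the RealmFlags registry value.

```python
from dataclasses import dataclass, field


def krbtgt(target_realm, issuing_realm):
    """Cross-realm TGT name: krbtgt/<realm being entered>@<realm that issues it>."""
    return f"krbtgt/{target_realm}@{issuing_realm}"


@dataclass
class Client:
    name: str                                          # name the KDC sees in host/<name>
    default_realm: str                                 # ksetup /setdomain
    kdcs: dict = field(default_factory=dict)           # realm -> KDC host, ksetup /addkdc
    mapped_users: dict = field(default_factory=dict)   # principal -> local account, ksetup /mapuser
    local_accounts: set = field(default_factory=set)   # local accounts that actually exist


@dataclass
class Setup:
    ad_realm: str
    unix_realm: str
    users: set = field(default_factory=set)                # principals that should be able to log on
    kdc_principals: set = field(default_factory=set)       # Heimdal/MIT database contents
    ad_trusted_realms: set = field(default_factory=set)    # AD: "Domains trusted by this domain"
    ad_trusting_realms: set = field(default_factory=set)   # AD: "Domains that trust this domain"
    ad_alt_sec_ids: dict = field(default_factory=dict)     # AD account -> altSecurityIdentities values
    clients: list = field(default_factory=list)


def check(s):
    """Return a list of problems; an empty list means every modelled piece is present."""
    problems = []
    for realm in (s.ad_realm, s.unix_realm):
        if realm != realm.upper():
            problems.append(f"realm {realm} should be upper-case; realm names are case-sensitive")
    # Step 1: interactive logon straight to the external realm (the trust plays no part yet)
    for user in sorted(s.users):
        if user not in s.kdc_principals:
            problems.append(f"KDC has no principal {user}")
    for c in s.clients:
        if s.unix_realm not in c.kdcs:
            problems.append(f"{c.name}: missing 'ksetup /addkdc {s.unix_realm} <kdc>'")
        host = f"host/{c.name}@{s.unix_realm}"
        if host not in s.kdc_principals:
            problems.append(f"KDC has no {host}: logon fails with KDC_ERR_S_PRINCIPAL_UNKNOWN")
        for user in sorted(s.users):
            local = c.mapped_users.get(user)
            if local is None:
                problems.append(f"{c.name}: {user} has no 'ksetup /mapuser' entry "
                                "(no mapping between account names and security IDs)")
            elif local not in c.local_accounts:
                problems.append(f"{c.name}: mapped local account {local} does not exist")
    # Step 2: using that TGT against AD services: trust + shared krbtgt keys + proxy account
    if s.unix_realm not in s.ad_trusted_realms:
        problems.append(f"AD does not trust {s.unix_realm} as an account realm")
    for realm in sorted(s.ad_trusted_realms):
        if krbtgt(s.ad_realm, realm) not in s.kdc_principals:
            problems.append(f"KDC lacks {krbtgt(s.ad_realm, realm)} (needed because AD trusts {realm})")
    for realm in sorted(s.ad_trusting_realms):
        if krbtgt(realm, s.ad_realm) not in s.kdc_principals:
            problems.append(f"KDC lacks {krbtgt(realm, s.ad_realm)} (needed because {realm} trusts AD)")
    for user in sorted(s.users):
        if not any(f"Kerberos:{user}" in ids for ids in s.ad_alt_sec_ids.values()):
            problems.append(f"no AD account maps Kerberos:{user} in altSecurityIdentities")
    return problems


def setup_march_23():
    """State described on 23 March: AD trust, name mapping and /addkdc only (assumed names)."""
    return Setup("EXAMPLE.COM", "EXAMPLE1.COM", users={"lara@EXAMPLE1.COM"},
                 kdc_principals={"lara@EXAMPLE1.COM"},
                 ad_trusted_realms={"EXAMPLE1.COM"},
                 ad_alt_sec_ids={"lara": ["Kerberos:lara@EXAMPLE1.COM"]},
                 clients=[Client("w2kclient", "EXAMPLE1.COM",
                                 kdcs={"EXAMPLE1.COM": "kerberos.example1.com"})])


def setup_march_26():
    """Working state described on 26 March, built on the 23 March state."""
    s = setup_march_23()
    s.ad_trusting_realms = {"EXAMPLE1.COM"}                    # trust added in both directions
    s.kdc_principals |= {"host/w2kclient@EXAMPLE1.COM",        # host principal for the client
                         krbtgt("EXAMPLE.COM", "EXAMPLE1.COM"),
                         krbtgt("EXAMPLE1.COM", "EXAMPLE.COM")}
    c = s.clients[0]
    c.mapped_users["lara@EXAMPLE1.COM"] = "lara"               # ksetup /mapuser lara@EXAMPLE1.COM lara
    c.local_accounts.add("lara")                                # the local user that had to be added
    return s


if __name__ == "__main__":
    for label, s in (("23 March", setup_march_23()), ("26 March", setup_march_26())):
        print(label, check(s) or "OK")
```

The split between step 1 and step 2 in check() is also the answer to the "what is the trust for" question in the 26 March message: the client logs on to EXAMPLE1.COM directly, so the KDC needs the user and host/<client> principals and the client needs a local mapping, while the trust is not consulted until that TGT is used against an AD service. At that point the Heimdal KDC must be able to issue krbtgt/EXAMPLE.COM@EXAMPLE1.COM with a key AD shares through the trust, and AD resolves the foreign principal to a proxy account through altSecurityIdentities.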

[ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

2004-03-18 Thread Lara Adianto
Hi guys,
 
As what the subject title said: can Microsoft Active Directory be configured to authenticate to an external ldap server (openLDAP in my case) ?
 
To make things clearer, this is the objective that I want to achieve:
I want authentication of Microsoft Active Directory's clients to be done by OpenLDAP server on Linux. So, when a client of Microsoft Active Directory authenticates itself to MS AD, MS AD will ask openLDAP for authentication service. openLDAP will return reject or allow to MS AD. 
 
I believe that this can be achieved by using Kerberos. I currently have GSSAPI mechanism running on my openLDAP server, but I am not sure how to make MS AD talk to my openLDAP server.
 
Any idea, suggestions, hints will be very appreciated
 
Cheers
- Lara -