Re: [ActiveDir] Problem in AD
Before installing DC01 and DC02, DC03 was the global catalog server. Now DC01 and DC02 are global catalog servers.

On 8/23/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
> if it is single domain and not all DCs are a GC, make ALL DCs a GC
> besides that also make sure a DNS server can be contacted
> a bit more details please

--
Rgds
Pankaj verma

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Problem in AD
Then your problem is likely a DNS issue. Ensure that all clients are pointing to at least two DCs. Ensure that your DCs are pointing to at least two as well, as they're also DNS clients.

--Paul

----- Original Message -----
From: Pankaj Verma [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 24, 2006 7:06 AM
Subject: Re: [ActiveDir] Problem in AD

> Before installing DC01 and DC02, DC03 was the global catalog server. Now DC01 and DC02 are global catalog servers.
[ActiveDir] Problem in AD
Hi All

I have 3 domain controllers. I transferred all the FSMO roles from DC03 to DC02; after that I shut down DC03 and restarted DC02 and DC01, but after that I was not able to communicate with Active Directory. I then switched DC03 on, and after that everything is working fine. If somebody can tell me what the problem could be... Also, in the Event Viewer I am getting an error: Event ID = 1030, 1058, source = Userenv.

--
Rgds
Pankaj verma
RE: [ActiveDir] Problem in AD
"not able to communicate with active directory" - can you give more details? Was DC03 the only Global Catalog? If yes, this could be the cause of your problem.

Tim

Date: Wed, 23 Aug 2006 21:07:50 +0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in AD
Re: [ActiveDir] Problem in AD
I'm afraid you need to give a little more detail than that. What do you mean, not able to communicate with AD?

M@

On 8/23/06, Pankaj Verma [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Problem in AD
If it is a single domain and not all DCs are a GC, make ALL DCs a GC. Besides that, also make sure a DNS server can be contacted. A bit more details please.

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Pankaj Verma
Sent: Wed 2006-08-23 19:07
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in AD

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
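The thread above converges on one diagnosis: moving FSMO roles does not affect logon or LDAP access, but losing the only global catalog, or the only DNS server that the remaining DCs and the clients point at, does. Without a reachable DNS server hosting the zone, the DC locator cannot resolve the _ldap._tcp.dc._msdcs and _gc._tcp SRV records, nothing can find a DC, and Group Policy logs Userenv 1030/1058 because it cannot read gpt.ini from SYSVOL. The script below is an added example, not code from the list; it turns Jorge's and Paul's advice into checks: every DC a GC, every DC pointing at two or more DNS servers that are themselves DCs, the locator SRV records answered by each of those servers, and recent 1030/1058 events. It assumes the ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012 or later, or RSAT), tooling that did not exist in 2006; the same data came from dcdiag, nltest and nslookup then. The Microsoft-Windows-GroupPolicy provider name and the System log location are the current equivalents of the 2003-era Userenv source in the Application log.

```powershell
# Added example: checks behind the advice in this thread. Not code from the
# list. Assumes the ActiveDirectory and DnsClient modules (Server 2012+/RSAT).
Import-Module ActiveDirectory

function Get-DcHealthReport {
    # One row per DC: GC or not, FSMO roles held, and which DNS servers the DC's
    # own NIC points at. DnsCount -lt 2, or a DNS server that is not a DC, is the
    # single point of failure the original post hit when DC03 was switched off.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $dcAddresses = $dcs | ForEach-Object { $_.IPv4Address }
    foreach ($dc in $dcs) {
        $dns = Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
               ForEach-Object { $_.ServerAddresses } |
               Select-Object -Unique
        [pscustomobject]@{
            DC         = $dc.HostName
            IsGC       = $dc.IsGlobalCatalog
            FsmoRoles  = ($dc.OperationMasterRoles -join ',')
            DnsServers = ($dns -join ',')
            DnsCount   = @($dns).Count
            NonDcDns   = (@($dns | Where-Object { $_ -notin $dcAddresses }) -join ',')
        }
    }
}

function Test-DcLocatorRecords {
    # Ask each DNS server the questions a client asks at logon. An empty Targets
    # column from a server that clients or DCs use explains "cannot communicate
    # with Active Directory" far better than any FSMO role move.
    param([string]$Domain = (Get-ADDomain).DNSRoot,
          [string[]]$DnsServers)
    $records = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain"
    foreach ($server in $DnsServers) {
        foreach ($record in $records) {
            $answer = Resolve-DnsName -Name $record -Type SRV -Server $server -DnsOnly -ErrorAction SilentlyContinue
            [pscustomobject]@{
                DnsServer = $server
                Record    = $record
                Targets   = (@($answer | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ',')
            }
        }
    }
}

function Get-GroupPolicyReadFailures {
    # Event IDs 1030/1058 from the original post: Group Policy could not read
    # gpt.ini from SYSVOL. On 2003 the source was Userenv (Application log); on
    # current Windows the same IDs come from Microsoft-Windows-GroupPolicy in the
    # System log. Either way they are a name-resolution/SYSVOL-reachability symptom.
    param([string]$Computer = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1030, 1058
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

# Usage: run from a DC or an RSAT workstation as a domain admin.
$report = Get-DcHealthReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.IsGC -or $_.DnsCount -lt 2 -or $_.NonDcDns } |
    ForEach-Object { Write-Warning "$($_.DC): GC=$($_.IsGC) DnsCount=$($_.DnsCount) NonDcDns=[$($_.NonDcDns)]" }
$servers = $report.DnsServers -split ',' | Where-Object { $_ } | Select-Object -Unique
Test-DcLocatorRecords -DnsServers $servers | Format-Table -AutoSize
Get-GroupPolicyReadFailures | Format-Table -AutoSize
```

The warnings are the lines to act on. A DC whose DnsCount is 1 breaks exactly the way DC01 and DC02 did when DC03 went down; a non-DC address in NonDcDns (an ISP resolver, say) is worth a look because it will not answer the _msdcs queries; and a DNS server that returns an empty Targets column for _gc._tcp is not serving the zone and should not be anyone's primary. Making every DC a GC, as Jorge suggests, removes the GC dependency in a single domain; pointing every DC and client at two DC-hosted DNS servers, as Paul suggests, removes the DNS one.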
RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping
You are correct - it is Kerberos delegation. I've never done it, but it is well documented. Start here: http://msdn.microsoft.com/library/default.asp?url=""

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Friday, April 08, 2005 2:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

> I think I need Kerberos delegation to pass the security context from the web server to the AD server... has anybody done this? Can u help me? Thanks a lot!
RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping
I think I need Kerberos delegation to pass the security context from the web server to the AD server... has anybody done this? Can u help me? Thanks a lot!

Roger Seielstad [EMAIL PROTECTED] wrote:
> Taking a wag at it - you're dealing with an impersonation issue. Take a look at the fourth question and answer in: http://msdn.microsoft.com/msdnmag/issues/05/04/WebQA/default.aspx
>
> You might also have to set the computer account to be trusted for delegation (I think that's the setting) - but I'm not sure.
RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping
I answered you on the Microsoft public newsgroup where you posted the same thing. Like I said, I think you need Kerberos delegation for sure, but you may also need protocol transition in order to get a Kerberos ticket in the first place. This implies 2003 server and 2003 native mode AD.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Friday, April 08, 2005 4:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

> I think I need Kerberos delegation to pass the security context from the web server to the AD server... has anybody done this? Can u help me? Thanks a lot!

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping
Taking a wag at it - you're dealing with an impersonation issue. Take a look at the fourth question and answer in: http://msdn.microsoft.com/msdnmag/issues/05/04/WebQA/default.aspx

You might also have to set the computer account to be trusted for delegation (I think that's the setting) - but I'm not sure.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Tuesday, April 05, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

> hello list,
>
> I am developing an ASP.NET web application which interacts with AD. Client/user authentication must be via AD certificate mapping, so I have configured IIS to do UPN mapping:
> -- In the IIS manager...
> -- in the properties of the web site...
> -- under "Directory Security"...
> -- under "Secure Communications", select Edit.
> -- select "Require secure channel"; select "Require client certificates" and also select "Enable client certificate mapping".
>
> I think the mapping is done OK, because when I get the current user by using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name the result is the user who is the owner of the certificate used to do the client authentication. So, I suppose the web application is running under the user account credentials.
>
> The problem is that I can not access AD via ADSI (using the .NET DirectoryServices API). I get an operational error related with authentication. The source code of the DirectoryEntry creation is something like this:
>
>     DirectoryEntry oDE = new DirectoryEntry("LDAP://" + [servername] + ":" + [serverport] + "/", null, null, AuthenticationTypes.Secure);
>
> The description of the AuthenticationTypes.Secure flag says that "it requests secure authentication. When the user name and password are a null reference, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating".
>
> The web application is running under a user account which has got the required permissions to do the operation, but the AD server must not permit the operation. I am sure that user account has got the suitable permissions because if I enable anonymous access in IIS and I use the user account for the anonymous access, the AD server permits the operations.
>
> Any idea? What could be the problem? Could it be the authentication type? Problems related with impersonation? I am a bit lost... Thanks in advance!
>
> ...and sorry for my poor english ;)
>
> zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz
> throw new Exception("SoftLera!!!");
> zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz
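Putting Joe K.'s and Roger Seielstad's replies together as a worked example (added here; this is not code from the thread, from Microsoft or from Sergio's application): the token IIS builds from a mapped client certificate is a local logon with no Kerberos ticket behind it, so when ADSI binds with null credentials on the impersonating thread it has nothing it can present to the DC, and the bind fails with an authentication error even though the same account succeeds when IIS logs it on with a password for anonymous access. That is the classic double hop. The fix Joe describes is Kerberos constrained delegation with protocol transition (S4U2Self to obtain a ticket for the mapped user without a password, S4U2Proxy to forward it), which needs a Windows Server 2003 domain functional level. Roger's "trusted for delegation" checkbox is the unconstrained variant and is deliberately not used below: it would let anyone who compromises the web server impersonate every visiting user to every service in the forest. The script configures the constrained form and then reproduces the application's bind path with the same .NET types. Names are assumptions: WEB01 is the IIS computer account, dc01.example.com the DC, alice@example.com a user with a mapped certificate, DC=example,DC=com the naming context. The ActiveDirectory module is modern tooling that did not exist in 2005; the attributes it sets are the ones the 2003 Delegation tab writes.

```powershell
# Added example: constrained delegation with protocol transition for an IIS host
# that authenticates users by certificate mapping and then binds to AD as them.
# Assumed names: WEB01 (IIS computer account), dc01.example.com (DC),
# alice@example.com (a cert-mapped user), DC=example,DC=com (naming context).
# Windows PowerShell 5.1 (.NET Framework), ActiveDirectory module, domain admin.
param(
    [string]$WebServer  = 'WEB01',
    [string]$DcFqdn     = 'dc01.example.com',
    [string]$TestUpn    = 'alice@example.com',
    [string]$SearchBase = 'DC=example,DC=com'
)
Import-Module ActiveDirectory

# 1. Protocol transition (S4U2Self) needs Windows Server 2003 domain functional
#    level or later; Windows 2000 and 2003-interim modes cannot do it.
$domain = Get-ADDomain
if ("$($domain.DomainMode)" -in @('Windows2000Domain', 'Windows2003InterimDomain')) {
    throw "Domain functional level $($domain.DomainMode) does not support protocol transition"
}

# 2. Let WEB01$ obtain tickets for users it did not authenticate with Kerberos
#    (TRUSTED_TO_AUTH_FOR_DELEGATION, "use any authentication protocol") and
#    restrict where it may present them: only the DC's LDAP service.
#    TrustedForDelegation stays $false: that is *unconstrained* delegation.
$ldapSpn = "ldap/$DcFqdn"
Set-ADComputer -Identity $WebServer -Add @{ 'msDS-AllowedToDelegateTo' = $ldapSpn }
Set-ADAccountControl -Identity "$WebServer`$" -TrustedToAuthForDelegation $true -TrustedForDelegation $false

# 3. Read back what the Delegation tab would show.
Get-ADComputer -Identity $WebServer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo

# 4. Reproduce the web app's code path on WEB01 itself (run there, after
#    'klist -li 0x3e7 purge' so the machine's ticket cache picks up step 2).
#    This is what the thread's DirectoryEntry(..., null, null, Secure) call does
#    once the calling thread impersonates a token the KDC will delegate.
function Test-S4UBind {
    param([string]$Upn, [string]$DcFqdn, [string]$SearchBase)
    Add-Type -AssemblyName System.DirectoryServices

    # S4U2Self: a token for $Upn without its password. Without protocol transition
    # the host gets an Identification-level token, which cannot authenticate to
    # anything on the network, and the bind below fails just as in the post.
    $identity = New-Object System.Security.Principal.WindowsIdentity($Upn)
    if ($identity.ImpersonationLevel -ne 'Impersonation') {
        return "S4U2Self for $Upn gave a $($identity.ImpersonationLevel)-level token; protocol transition is not in effect for this host"
    }

    $ctx = $identity.Impersonate()
    try {
        # S4U2Proxy happens implicitly here: ADSI requests ldap/$DcFqdn on behalf
        # of $Upn, which the KDC grants only because step 2 lists that SPN.
        $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
                [System.DirectoryServices.AuthenticationTypes]::Signing
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcFqdn/$SearchBase", $null, $null, $auth)
        $entry.RefreshCache()    # forces the bind; throws on authentication failure
        return "Bound to $($entry.Properties['distinguishedName'][0]) as $Upn"
    } finally {
        $ctx.Undo()              # never leave the thread impersonating
    }
}

Test-S4UBind -Upn $TestUpn -DcFqdn $DcFqdn -SearchBase $SearchBase
```

Run steps 1 to 3 from a domain admin session and step 4 on WEB01. For a test an elevated PowerShell is fine; in production the S4U logon happens inside the IIS worker process, so the account that must carry the delegation settings is the application pool identity: the computer account when the pool runs as Network Service, or a service account with its own HTTP SPN when it runs as one. If step 4 reports an Identification-level token, either the settings have not reached the host yet (purge the machine ticket cache or reboot) or the test user is marked "Account is sensitive and cannot be delegated". That flag is the control you do want on administrators and service accounts: even constrained delegation with protocol transition lets any code on WEB01 mint tickets to the DC's LDAP service for any unprotected user, so treat the web server as a high-value target and keep privileged accounts out of its reach.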