GINA - Windows Domain Authentication Versus Application Authentication [message #156604] Sun, 21 June 2009 22:00
Kerry
Can you point me to some information which will help me understand more about the process of authentication (general and not specific to AD only).

Here is our problem:

We have an application (DB2) which runs perfectly in Windows Workgroup (XP SP2 Machine). In Windows Workgroup, when the application is executed there is an application-specific Credentials UI which pops up within 2 seconds.

On the same client machine when joined to domain, you try and execute the application, the client is sending out packets to the DC to get the Credentials Window of that Application which fails, only after a couple of retries the request goes to the DB2 server directly. The effect of this is a delay of about 60 - 80 seconds for the application credentials window to pop up.

The application owner says that his application is just fine and it's the AD which is causing the problem.

Any pointers here to help fix this issue will be much appreciated.

Regards
--
Re: GINA - Windows Domain Authentication Versus Application Authentication [message #156607 is a reply to message #156604] Mon, 22 June 2009 00:58
aceman
"Kerry" <kerry@live.com> wrote in message
news:O5Rg50t8JHA.1336@TK2MSFTNGP05.phx.gbl...
>
> Can you point me to some information which will help me understand
> more about the process of authentication (general and not specific to
> AD only).
>
> Here is our problem:
>
> We have an application (DB2) which runs perfectly in Windows
> Workgroup (XP SP2 Machine). In Windows Workgroup, when the
> application is executed there is an application-specific Credentials UI
> which pops up within 2 seconds.
>
> On the same client machine when joined to domain, you try and
> execute the application, the client is sending out packets to the DC to
> get the Credentials Window of that Application which fails, only
> after a couple of retries the request goes to the DB2 server directly.
> The effect of this is a delay of about 60 - 80 seconds for the application
> credentials window to pop up.
>
> The application owner says that his application is just fine and it's the
> AD which is causing the problem.
>
> Any pointers here to help fix this issue will be much appreciated.
>
> Regards
>

============
Hello Kerry,

I believe I posted some pointers in your previous identical thread, but I
never heard back if it helped or not. I'll repost it below for your
convenience.

In addition, please post the following so we can rule out any DNS
misconfiguration:

1. Unedited ipconfig from two of your DCs.
2. Unedited ipconfig from the machine that you've joined to the domain.

/repost:
In addition to Mel and Garry's suggestions, I would also make sure that the
internal DNS servers are the only ones configured in IP properties. I
usually see similar issues once a machine is joined with a domain with the
members (DCs and workstations) have been misconfigured to use their ISP's
DNS address, or the router's. Other contributing things can be, other than
lack of WINS address or using WINS and no entry in WINS (Mel's concerns),
multihomed DCs (Garry's concerns falls under this with the binding order)
that require additional configuration changes on the DC to make it function
properly, single label name domain ('domain' vs the required minimum of
'domain.com').
/end repost

Thank you,

Ace
Re: GINA - Windows Domain Authentication Versus Application Authentication [message #156628 is a reply to message #156607] Mon, 22 June 2009 13:49
Kerry
I have observed that changing the DNS IP does not have any effect. When in workgroup the clients were pointing to an internal DNS server (stand-alone), and after domain join there is no change in the app behaviour if you set the primary DNS Server to either the internal or the AD DC.

Made additions to Lmhosts and Hosts file but no luck.

--
Re: GINA - Windows Domain Authentication Versus Application Authentication [message #156632 is a reply to message #156628] Mon, 22 June 2009 14:20
aceman
"Kerry" <kerry@live.com> wrote in message
news:%23og05G28JHA.4176@TK2MSFTNGP02.phx.gbl...
> I have observed that changing the DNS IP does not
> have any effect, when in workgroup the clients were
> pointing to an internal DNS server (stand-alone) and
> after domain join there is no change in the app behaviour
> if you either set the primary DNS Server to the internal or
> the AD DC.
>
> Made additions to Lmhosts and Hosts file but no luck

Kerry,

When you say, "[...] pointing to an internal DNS server (stand-alone)
[...]," does this stand alone DNS server have a copy of the AD DNS zone? If
it is truly a stand alone and it does host a copy of the zone, is the zone a
secondary zone pulling from a DC/DNS as its Master?

btw - I don't know what additions you made to the LMHOSTS file, but using
either file won't work. AD uses SRV records, which neither supports, and
the client and other AD machines query DNS for SRV records to 'find' DC
services, hence why I am questioning DNS.

Also using the DC/DNS as the "primary" (which I am translating you mean as
the first entry), and another DNS as the second entry, which may not have
the AD zone or a reference to it, doesn't work either due to the client side
resolver service's algorithm (on any DNS client, including DCs) and how it goes
about querying entries in the list.

I just want to get the DNS issue straight. I know I've asked for ipconfigs,
but I also know some folks are reluctant to supply them due to policy,
security reasons, etc, but they would be helpful because there are other
settings that I would be looking at, such as the primary DNS suffix, the
search suffix, etc.

Are there any errors in any machines' event logs, including the DCs?

Ace
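
The ipconfig review requested in the replies above, sketched as an added example that is not part of the original thread: it parses pasted `ipconfig /all` text and flags the items the replies name (non-internal DNS servers, single-label domain, multihoming), and builds the DC-locator SRV name that hosts/LMHOSTS entries cannot answer. The sample output, the internal DNS address and the function names are constructed assumptions.

```python
import re
# Constructed sample of `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Windows IP Configuration

        Primary Dns Suffix  . . . . . . . : corp
        DNS Suffix Search List. . . . . . : corp

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
"""
LABELED = re.compile(r"^\s+(\S[^:]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {label: [values]}, folding unlabeled continuation lines in."""
    fields, last = {}, None
    for line in text.splitlines():
        m = LABELED.match(line)
        if m:
            last = m.group(1)
            fields.setdefault(last, [])
            if m.group(2).strip():
                fields[last].append(m.group(2).strip())
        elif line.startswith(" ") and line.strip() and last:
            fields[last].append(line.strip())  # e.g. second DNS server
        else:
            last = None
    return fields

def review(text, internal_dns):
    """Flag the DNS misconfigurations named in the thread."""
    f, findings = parse_ipconfig(text), []
    suffix = (f.get("Primary Dns Suffix") or [""])[0]
    if not suffix:
        findings.append("no primary DNS suffix")
    elif "." not in suffix:
        findings.append(f"single-label domain name: {suffix}")
    findings += [f"non-internal DNS server: {ip}"
                 for ip in f.get("DNS Servers", []) if ip not in internal_dns]
    if len(f.get("IP Address", [])) > 1:
        findings.append("multihomed: more than one IP address")
    return findings

def dc_locator_srv(domain):
    """SRV name clients query to find a DC; hosts/LMHOSTS cannot answer it."""
    return f"_ldap._tcp.dc._msdcs.{domain}"
```

The parser assumes IPv4-only output, since a continuation line containing a colon would be read as a new label.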