Forum.Brain-Cluster.com: Brain Cluster Technical Forum
AD Authentication [message #158807] Mon, 20 July 2009 01:36
Greg (Senior Member; 172 messages; registered July 2009)
We have users tied to their respective PCs (Logon to Workstations) in AD. We are now testing a new web-based application which queries AD for authentication. The way it works is:
1. The client provides the AD user name and password in the application web page on his workstation.
2. The credentials are passed on to the application server, which in turn sends them to AD for approval/verification.
3. The credentials fail with LDAP error code: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece, which denotes a Logon Workstation Restriction.

Surprisingly, when I add the Domain Controller computer name to the Logon Workstation list of the application user, the authentication happens fine.

I have seen a few articles which say that AD LDAP does not work properly when Logon Workstations are restricted. I cannot remove the logon workstation restriction as this is a security mandate, and at the same time we cannot add DCs as part of the user's Logon to Workstations list.

One of the threads that I have seen on the internet which closely matches my problem is given below:

====
If the log on to configurations are used, Openfire cannot authenticate users unless they are given log on rights to the servers. This may be a bug in Openfire or it may be a bug in the way AD handles LDAP authentication. I do know it is related to the log on to settings in AD though. Take those away and authentication works fine. Unless your servers are physically exposed for logon at the server directly, this setting is redundant security.
http://www.igniterealtime.org/community/thread/37462
====

Is there any workaround or a known fix for this issue?

Regards

--
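The "data 531" in the error string above is the hexadecimal form of the Win32 error ERROR_INVALID_WORKSTATION (1329 decimal), which is how AD tells an LDAP client that the account's logon workstation restriction blocked the bind; the other values AD puts in that position are the same kind of Win32 code (525 no such user, 52e bad credentials, 533 disabled, 775 locked out, and so on). The Python below is an added example, not code from this thread: it parses that diagnostic format and maps the data code to its cause, so an application or log pipeline can distinguish a workstation restriction from a plain bad password instead of reporting both as "Invalid Credentials". The code table is the standard AD bind sub-code list; the two strings it is run against are the ones quoted in this thread.

```python
import re

# AD reports the failure cause in the bind diagnostic as "data <hex>", where
# <hex> is a Win32 error code.  Standard table of AD bind sub-codes; the
# thread's "data 531" is ERROR_INVALID_WORKSTATION (1329 decimal).
AD_BIND_DATA_CODES = {
    0x525: ("ERROR_NO_SUCH_USER", "user not found"),
    0x52E: ("ERROR_LOGON_FAILURE", "invalid credentials (bad user name or password)"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "not permitted to log on at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "not permitted to log on at this workstation"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must change password at next logon"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Optional 8-hex-digit SSPI status that Wldap32/LDP prefixes to the server
# text, then the DSID, the comment and the data code.
_DIAG_RE = re.compile(
    r"(?:(?P<sspi>[0-9A-F]{8}):\s*)?LdapErr:\s*DSID-(?P<dsid>[0-9A-F]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-F]+)",
    re.IGNORECASE,
)


def parse_ad_bind_diagnostic(message):
    """Parse an AD bind diagnostic string; return a dict, or None if it is not one."""
    m = _DIAG_RE.search(message)
    if m is None:
        return None
    data = int(m.group("data"), 16)
    name, meaning = AD_BIND_DATA_CODES.get(data, (None, None))
    if data == 0:
        # No sub-code at all; the thread's Negotiate bind failed this way.
        meaning = "no sub-code reported"
    elif name is None:
        meaning = "unrecognised sub-code"
    return {
        "sspi_status": m.group("sspi").upper() if m.group("sspi") else None,
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment").strip(),
        "data": data,
        "name": name,
        "meaning": meaning,
        "workstation_restriction": data == 0x531,
    }


def classify_bind_failures(messages):
    """Count bind failures per cause over a batch of diagnostic strings."""
    counts = {}
    for msg in messages:
        parsed = parse_ad_bind_diagnostic(msg)
        if parsed is None:
            key = "not an AD diagnostic"
        else:
            key = parsed["name"] or f"data {parsed['data']:x}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# The two diagnostic strings quoted in this thread (client-side LDP output).
THREAD_MESSAGES = [
    "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece",
    "80090304: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece",
]

if __name__ == "__main__":
    for msg in THREAD_MESSAGES:
        print(parse_ad_bind_diagnostic(msg))
    print(classify_bind_failures(THREAD_MESSAGES))
```

Feeding the application's bind errors through `classify_bind_failures` is a cheap way to see whether a burst of failures is a lockout, an expired password or, as here, a workstation restriction hit by the server the bind originates from.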
Re: AD Authentication [message #158812 is a reply to message #158807] Mon, 20 July 2009 08:09
pbbergs, United States (Senior Member; 1024 messages; registered July 2009)
Sounds like you need to contact the application support team from the vendor of this program.


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: AD Authentication [message #158916 is a reply to message #158812] Tue, 21 July 2009 08:28
Greg, United States (Senior Member; 172 messages; registered July 2009)
I have seen in my lab that when a user account with a Logon Workstations restriction set to a specific workstation tries to do a bind to the DC (using LDP) from that workstation, the bind request fails... I want to know:
1. Is the user account which is doing the bind using Interactive Login to the DC?
2. How can this be avoided and still allow the user to bind to the DC?

==============
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='casual'; Pwd= <unavailable>; domain = 'caterpiller'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 80090304: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
============

I have also seen that when I change the credentials option to ldap_bind_s (128), it succeeds.

=========
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 128); // v.3
{NtAuthIdentity: User='casual'; Pwd= <unavailable>; domain = 'caterpiller'.}
Authenticated as dn:'casual'.
=========

Not sure what that means. I have a couple of questions on that one:
1. From a security perspective, what is the difference between 1158 and 128?
2. How can I use ldap_bind_s (ld, NULL, &NtAuthIdentity, 128); in an LDAP connection string for my application?

Any help will be much appreciated.
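On the 1158-versus-128 question: these are the Wldap32 `method` constants from winldap.h that ldap_bind_s takes. 128 is 0x80, LDAP_AUTH_SIMPLE, a plain LDAP simple bind in which the password itself is sent to the DC, so it is only acceptable over LDAPS (port 636) or after StartTLS. 1158 is 0x486, LDAP_AUTH_NEGOTIATE (LDAP_AUTH_OTHERKIND 0x86 with the 0x0400 bit), an SSPI bind that uses Kerberos when it can and otherwise falls back to NTLM; the password never crosses the wire, but the NTLM path is evaluated on the DC, which is where a per-user logon workstation restriction gets applied (this matches Joe Kaplan's explanation later in the thread). The decoder below is an added example, not code from the thread or from Wldap32; the constant values are the winldap.h definitions, and the "password on wire" and "may use NTLM" classifications are the editor's.

```python
# Bind method constants from winldap.h (Wldap32).  The "other kind" methods
# select an SSPI package through the high bits.
LDAP_AUTH_SIMPLE = 0x80
LDAP_AUTH_SASL = 0x83
LDAP_AUTH_OTHERKIND = 0x86
LDAP_AUTH_METHODS = {
    LDAP_AUTH_SIMPLE: "LDAP_AUTH_SIMPLE",
    LDAP_AUTH_SASL: "LDAP_AUTH_SASL",
    LDAP_AUTH_OTHERKIND: "LDAP_AUTH_OTHERKIND",
    LDAP_AUTH_OTHERKIND | 0x0200: "LDAP_AUTH_SICILY",
    LDAP_AUTH_OTHERKIND | 0x0400: "LDAP_AUTH_NEGOTIATE",   # 0x486 == 1158
    LDAP_AUTH_OTHERKIND | 0x0800: "LDAP_AUTH_MSN",
    LDAP_AUTH_OTHERKIND | 0x1000: "LDAP_AUTH_NTLM",
    LDAP_AUTH_OTHERKIND | 0x2000: "LDAP_AUTH_DPA",
    LDAP_AUTH_OTHERKIND | 0x4000: "LDAP_AUTH_DIGEST",
}

# Editor's classification: methods that send the password material itself
# (rather than a proof derived from it) over the LDAP connection ...
_PASSWORD_ON_WIRE = {"LDAP_AUTH_SIMPLE"}
# ... and methods that can end up doing NTLM at the DC, where per-user
# logon workstation restrictions are enforced.
_MAY_USE_NTLM = {"LDAP_AUTH_NEGOTIATE", "LDAP_AUTH_NTLM", "LDAP_AUTH_SICILY"}


def describe_bind_method(method):
    """Decode a numeric ldap_bind_s method value into its name and properties."""
    name = LDAP_AUTH_METHODS.get(method, "UNKNOWN")
    uses_sspi = (method & 0xFF) == LDAP_AUTH_OTHERKIND and method != LDAP_AUTH_OTHERKIND
    return {
        "value": method,
        "hex": f"0x{method:X}",
        "name": name,
        "uses_sspi": uses_sspi,
        "password_on_wire": name in _PASSWORD_ON_WIRE,
        "may_use_ntlm": name in _MAY_USE_NTLM,
    }


def bind_method_guidance(method, transport_encrypted):
    """One-line assessment of a bind method given whether the transport is TLS-protected."""
    d = describe_bind_method(method)
    if d["password_on_wire"] and not transport_encrypted:
        return (f"{d['name']} ({d['hex']}): password crosses the network in clear; "
                "use LDAPS (636) or StartTLS")
    if d["may_use_ntlm"]:
        return (f"{d['name']} ({d['hex']}): SSPI bind; without Kerberos it falls back "
                "to NTLM, which is evaluated on the DC")
    return f"{d['name']} ({d['hex']}): ok"


if __name__ == "__main__":
    for value in (1158, 128):   # the two values from the LDP output above
        print(describe_bind_method(value))
        print(bind_method_guidance(value, transport_encrypted=False))
```

Run against the two values from the LDP output it reports 1158 as LDAP_AUTH_NEGOTIATE and 128 as LDAP_AUTH_SIMPLE; the guidance function is the check to put next to whatever bind method a connection string ends up selecting.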
Re: AD Authentication [message #158920 is a reply to message #158916] Tue, 21 July 2009 08:45
pbbergs, United States (Senior Member; 1024 messages; registered July 2009)
You should be able to run Wireshark and monitor the activities between the DC and the workstation. I don't believe it is doing an interactive logon, but I could be mistaken and don't want to give you bad info. I'm not sure why secure works and insecure doesn't; very odd.


I would suggest you repost this over at:
http://www.activedir.org/

Re: AD Authentication [message #158928 is a reply to message #158916] Tue, 21 July 2009 10:26
Joe Kaplan, United States (Member; 88 messages; registered July 2009)
It should be doing a Network login, not interactive. If you grant
workstation login rights to your DCs but don't grant any other logon type
than network (interactive, batch or service), you should be fine.

You can check the DC security event logs to see the logon type being
generated on the DC when you do the bind from LDP. It should be a "3" if I
remember the enumeration values correctly.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: AD Authentication [message #158933 is a reply to message #158928] Tue, 21 July 2009 12:14
pbbergs, United States (Senior Member; 1024 messages; registered July 2009)
I didn't think it did an interactive login but I wasn't 100% positive.
Thanks for jumping in Joe.

Re: AD Authentication [message #158937 is a reply to message #158928] Tue, 21 July 2009 13:44
Greg, Netherlands (Senior Member; 172 messages; registered July 2009)
When you say grant workstation login rights to your DCs, do you mean add the DC to the Logon Workstations in a user's properties? I have seen that that works, but I don't really understand what it means.
From a security perspective, is that not a problem, to add a DC to the list of login workstations for a user account?

Is there any other method using which we can get this working?

If the type of authentication is Network Authentication, it should have worked, because Authenticated Users have been given the right to access the DC from the network.

Re: AD Authentication [message #158977 is a reply to message #158937] Wed, 22 July 2009 10:14
Joe Kaplan, United States (Member; 88 messages; registered July 2009)
My understanding of how this works is that if you are using workstation
logon restrictions, a user cannot perform a logon operation to a machine
unless the machine appears in the user's approved list. This includes ANY
type of logon operation (network, batch, interactive, etc.). The problem
comes in that some types of LDAP bind operations result in an NTLM
authentication being performed at the DC itself and the workstation logon
restriction being applied there.

The only way I can see this working would be:
- Stop using workstation logon restrictions
- Grant logon restriction rights to the DCs
- Stop using the thing that generates the logon event on the DCs

I'm not a huge fan of workstation logon restrictions as it seems like this
is something that might be done better by simply restricting interactive
logon rights to the workstation instead but there might not be as
straightforward a way to manage that. I'm not much of a GPO/restricted
groups guy at all, so I don't have a good recommendation.

If you did add your DCs to the logon restriction list, I don't see how this
places much additional risk to the DCs since the user will not have
interactive logon rights to the DC so perhaps that solution is reasonable.

Best of luck!

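Joe Kaplan's advice to read the DC security log is the way to confirm both the logon type of the bind and why it was refused. On Windows Server 2008 and later the relevant events are 4624 (success) and 4625 (failure), each carrying a "Logon Type" field (3 = Network) and, on failure, an NTSTATUS "Sub Status"; 0xC0000070 (STATUS_INVALID_WORKSTATION) is the DC-side counterpart of the "data 531" the LDAP client sees, with Status 0xC000006E (STATUS_ACCOUNT_RESTRICTION) above it. Windows Server 2003 DCs use the older 529/540 event IDs and a different text layout, which this parser does not handle. The Python below is an added example, not code from the thread: it parses the rendered text of such events, reports the logon type, decodes the sub-status and lists which (account, host) pairs are being blocked by the restriction, which is exactly the list an admin would compare against the user's Logon To entries. The two event bodies are constructed samples with a made-up "Event ID:" header line rather than captured log output; the account and domain names reuse those from the LDP output in this thread and APPSRV01 is an invented host name.

```python
import re

# Logon Type values used in Windows Security events 4624/4625.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# 4625 "Sub Status" NTSTATUS -> (symbolic name, LDAP "data" code the client
# sees for the same failure).  0xC0000070 is the workstation restriction.
SUB_STATUS = {
    0xC0000064: ("STATUS_NO_SUCH_USER", 0x525),
    0xC000006A: ("STATUS_WRONG_PASSWORD", 0x52E),
    0xC000006F: ("STATUS_INVALID_LOGON_HOURS", 0x530),
    0xC0000070: ("STATUS_INVALID_WORKSTATION", 0x531),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", 0x532),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", 0x533),
    0xC0000193: ("STATUS_ACCOUNT_EXPIRED", 0x701),
    0xC0000224: ("STATUS_PASSWORD_MUST_CHANGE", 0x773),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", 0x775),
}


def _field(text, label, last=False):
    """Value of a 'Label:<whitespace>value' line; 4625 repeats 'Account Name', so
    callers that want the failing account ask for the last occurrence."""
    hits = re.findall(r"^\s*" + re.escape(label) + r":\s*(\S+)\s*$", text, re.MULTILINE)
    if not hits:
        return None
    return hits[-1] if last else hits[0]


def parse_logon_event(event_text):
    """Turn one rendered 4624/4625 event into a dict with the decoded fields."""
    event_id = int(_field(event_text, "Event ID"))
    logon_type = int(_field(event_text, "Logon Type"))
    sub_raw = _field(event_text, "Sub Status")
    sub_status = int(sub_raw, 16) if sub_raw else None
    name, ldap_data = SUB_STATUS.get(sub_status, (None, None))
    return {
        "event_id": event_id,
        "success": event_id == 4624,
        "account": _field(event_text, "Account Name", last=True),
        "workstation": _field(event_text, "Workstation Name"),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
        "sub_status": sub_status,
        "sub_status_name": name,
        "ldap_data": ldap_data,
        "workstation_restriction": sub_status == 0xC0000070,
    }


def triage(events):
    return [parse_logon_event(e) for e in events]


def hosts_blocked_by_restriction(events):
    """(account, workstation) pairs refused because of the logon workstation restriction."""
    return {(e["account"], e["workstation"]) for e in triage(events) if e["workstation_restriction"]}


# Constructed sample events (not real log output).  The "Event ID:" line is a
# made-up header so the samples are self-describing.
SAMPLE_EVENTS = [
    """Event ID: 4625
An account failed to log on.
Subject:
\tAccount Name:\t\t-
Logon Type:\t\t3
Account For Which Logon Failed:
\tAccount Name:\t\tcasual
\tAccount Domain:\t\tCATERPILLER
Failure Information:
\tStatus:\t\t\t0xC000006E
\tSub Status:\t\t0xC0000070
Network Information:
\tWorkstation Name:\tAPPSRV01
""",
    """Event ID: 4624
An account was successfully logged on.
Logon Type:\t\t3
New Logon:
\tAccount Name:\t\tcasual
\tAccount Domain:\t\tCATERPILLER
Network Information:
\tWorkstation Name:\tAPPSRV01
""",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print(hosts_blocked_by_restriction(SAMPLE_EVENTS))
```

On the two samples the failure is reported as a Network (type 3) logon refused with STATUS_INVALID_WORKSTATION from APPSRV01, i.e. the application server rather than the user's PC is the machine that has to appear in the Logon To list, and the matching success shows that adding it changes nothing about the logon type, which is Joe's point about the DC not being exposed to an interactive logon.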