Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

ADAM Kerberos Authentication issue and missing SPNs [message #372714] Wed, 20 January 2010 08:21
mbenson (United States)
Messages: 2
Registered: January 2010
Junior Member
Hi,

I'm hoping someone can help me with a difficult Kerberos authentication
failure with Microsoft ADAM (and AD LDS). I think it's a bug to do with
Kerberos SPNs and it's very easy to reproduce.

This problem only happens on a server whose computer fqdn ends in a dot.
Unusual I know but we have customers set up like this so I need a
workaround for it. (I have to deal with Murphy's Law!).

My Server is Windows Server 2003 (called SERVER1) and it is joined to
an AD domain (called DOMAIN1).

To reproduce this problem I do the following:

In "Control Panel > System > Computer Name > Change > More > Primary
DNS suffix of this computer:" I set the suffix to "domain1.int." (note
the dot at the end of this name).

Computername: SERVER1
Domain: DOMAIN1
Computer FQDN: server1.domain1.int. (note this ends in a dot).

I install an ADAM instance using all defaults then using LDP.EXE do:

"Connect > Connection" and specify "localhost". This works. It shows
the dnsHostName attribute value as "server1.domain1.int.".
"Connection > Bind... > Bind as currently logged on user". This fails
with:


0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd= <unavailable>;
domain = 'NULL'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, vece
Error 0x8009030C The logon attempt failed

Note that if I specify 127.0.0.1 instead of localhost in the LDP
Connect, the bind works. Also if my server fqdn name does not end in a
dot it also works.

localhost resolves to "server1.domain1.int." ending in a dot.

127.0.0.1 is the only thing that works. Specifying the NETBIOS name or
the fqdn of the server also fails.

Note that if, when installing the ADAM instance, you also specify that
you want the LDIF files to be loaded, then the installer fails to do this,
putting up a prompt for credentials which you can't get past. This allows the
problem to be reproduced even without using LDP.

I think the bug is to do with the ADAM installer not setting up the
SPNs correctly in this situation. I'd like to implement a workaround
when I detect that the fqdn ends in a dot by setting up the appropriate
SPNs in my installer with setspn.exe before running the ADAM installer.

I have tried the following setspn commands to add the proper fqdn SPNs
before installing the ADAM instance but so far I still haven't been able
to get this to work. I will actually use DsWriteAccountSpn() from an
installer
DLL to do this but I want to verify the workaround first with
setspn.exe.

setspn -A host/server1.domain1.int SERVER1
setspn -A host/server1.domain1.int. SERVER1
setspn -A ldap/server1.domain1.int SERVER1
setspn -A ldap/server1.domain1.int. SERVER1
setspn -A ldap/server1. SERVER1
setspn -A ldap/server1.:389 SERVER1
setspn -A ldap/server1.domain1.int.:389 SERVER1

I know for replication I will also need
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM SPNs but I've left those out
for now.

I have verified that these SPNs do get updated in the machine's
Computer account in AD and that "setspn -L SERVER1" lists them.

I'm sure I'm on the right lines with this but probably because I'm
doing something wrong here it still isn't working.

"ping localhost" shows that localhost resolves to
"server1.domain1.int.".

We use ADAM as part of our product and have a great experience with it
so I'm really hoping I can find the workaround to this problem.

If anyone has any ideas on how to trace this to perhaps see what the
missing SPN entry is, that'd also be helpful. I've set all the registry
"Diagnostics" values to 5 to get Event Log tracing, but that hasn't
helped me.

Thanks!

Mark.


--
mbenson
------------------------------------------------------------------------
mbenson's Profile: http://forums.techarena.in/members/25050.htm
View this thread: http://forums.techarena.in/active-directory/1294677.htm

http://forums.techarena.in
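A small diagnostic for the "which SPN is missing" question above, added here as an example and not code from the thread or from Microsoft. It takes the SPN shapes the post registers with setspn (host/<fqdn>, ldap/<fqdn>, ldap/<fqdn>:389 and the short-name variants), derives the set a bind against a given dnsHostName would look for, parses the output of `setspn -L <account>`, and reports what is absent. It compares once literally and once after canonicalising case and the trailing dot, so a name that is present only in its trailing-dot form shows up as a mismatch in the literal pass and as satisfied in the canonical pass. The `setspn -L` output below is constructed for the example, not captured from a real server, and the expected-SPN list is an assumption drawn from the commands in the post, not ADAM's own registration logic.

```python
"""Added example: report SPNs missing from a computer account for an
ADAM/AD LDS host whose dnsHostName may carry a trailing dot.

Assumptions (not from the thread): the expected SPN shapes follow the
setspn commands in the post; the `setspn -L` text is constructed sample
output, not a capture from a real domain.
"""


def canonical_spn(spn):
    """Normalise an SPN for comparison: lower-case everything and strip a
    trailing dot from the host part, so 'ldap/server1.domain1.int.:389'
    and 'ldap/server1.domain1.int:389' compare equal."""
    service, _, rest = spn.partition("/")
    host, _, port = rest.partition(":")
    host = host.rstrip(".").lower()
    return f"{service.lower()}/{host}" + (f":{port}" if port else "")


def expected_spns(dns_host_name, ports=(389,)):
    """SPNs a client would request for this host, derived from dnsHostName.
    Shapes are those used in the post (host/, ldap/, ldap/...:port); the
    short-name variants are an assumption for illustration."""
    fqdn = dns_host_name.rstrip(".").lower()
    short = fqdn.split(".")[0]
    spns = [f"host/{fqdn}", f"host/{short}", f"ldap/{fqdn}", f"ldap/{short}"]
    for port in ports:
        spns.append(f"ldap/{fqdn}:{port}")
    return spns


def parse_setspn_list(output):
    """Extract the SPN lines from `setspn -L <account>` output: one header
    line ('Registered ServicePrincipalNames for ...') followed by indented
    SPNs, each of the form service/host[:port]."""
    spns = []
    for line in output.splitlines():
        line = line.strip()
        if "/" in line and not line.lower().startswith("registered"):
            spns.append(line)
    return spns


def missing_spns(registered, expected, canonical=True):
    """Return the expected SPNs not present on the account.

    canonical=True  -> compare after canonical_spn() (trailing dot ignored)
    canonical=False -> compare case-insensitively but otherwise literally,
                       which is where a trailing-dot name fails to match
    """
    norm = canonical_spn if canonical else str.lower
    have = {norm(s) for s in registered}
    return [s for s in expected if norm(s) not in have]


# Constructed sample: what `setspn -L SERVER1` might print after the
# trailing-dot suffix change. Not a real capture.
SAMPLE_SETSPN_L = """\
Registered ServicePrincipalNames for CN=SERVER1,CN=Computers,DC=domain1,DC=int:
    HOST/server1.domain1.int.
    HOST/SERVER1
    ldap/server1.domain1.int.:389
"""


def report(dns_host_name, setspn_output):
    """Build the two missing-SPN lists for a host and its setspn -L output."""
    registered = parse_setspn_list(setspn_output)
    expected = expected_spns(dns_host_name)
    return {
        "literal": missing_spns(registered, expected, canonical=False),
        "canonical": missing_spns(registered, expected, canonical=True),
    }


if __name__ == "__main__":
    result = report("server1.domain1.int.", SAMPLE_SETSPN_L)
    print("Missing with literal compare:  ", result["literal"])
    print("Missing after canonicalisation:", result["canonical"])
```

Run against real output by piping `setspn -L SERVER1` into a file and passing its text to `report()`. A name that appears in the literal list but not in the canonical list differs from the registered SPN only by case or the trailing dot, which is the kind of canonicalisation mismatch worth checking against the service ticket request in a network capture.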
Re: ADAM Kerberos Authentication issue and missing SPNs [message #372864 is a reply to message #372714] Wed, 20 January 2010 12:14
Joe Kaplan (United States)
Messages: 88
Registered: July 2009
Member
Any interesting errors in the event log related to the auth failure? This
looks like more of a kerb problem than an ADAM problem, but it is hard to
say.

The other thing I'd probably try to do is get a network sniff of the LDAP
traffic to see what Kerb protocol traffic is generated, specifically the
service ticket request for the LDAP server associated with the bind
operation. This might help explain what's going on.

It is also possible that the bug is in the Windows LDAP client in terms of
how it is implementing negotiate auth during the bind operation, but who
really knows.

Interesting problem. I hope you can find the solution.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"mbenson" <mbenson.453ifd@DoNotSpam.com> wrote in message
news:mbenson.453ifd@DoNotSpam.com...
Re: ADAM Kerberos Authentication issue and missing SPNs [message #373078 is a reply to message #372864] Wed, 20 January 2010 15:15
mbenson (United States)
Messages: 2
Registered: January 2010
Junior Member
Hi Joe,

Thanks for the quick response.

It is Kerberos related, but I'm convinced this is an ADAM installer
problem. It's reproducible with just adaminstall.exe.

No. Nothing in the Event logs for this.

It's reproducible also with LDP.EXE as well so I'll take your advice
and try LDP.EXE remotely to "sniff" the interaction for clues.

Mark.


--
mbenson
------------------------------------------------------------------------
mbenson's Profile: http://forums.techarena.in/members/25050.htm
View this thread: http://forums.techarena.in/active-directory/1294681.htm

http://forums.techarena.in
Re: ADAM Kerberos Authentication issue and missing SPNs [message #373624 is a reply to message #373078] Thu, 21 January 2010 05:09
Lee Flight (United Kingdom)
Messages: 392
Registered: July 2009
Senior Member
Ugh, I have not tried a repro but perhaps it might be a canonicalization
issue.
What do userPrincipal names in the domain with a trailing dot look like?

Thanks
Lee Flight

"mbenson" <mbenson.453z3a@DoNotSpam.com> wrote in message
news:mbenson.453z3a@DoNotSpam.com...
Re: ADAM Kerberos Authentication issue and missing SPNs [message #376375 is a reply to message #373078] Mon, 25 January 2010 02:28
Lee Flight (United Kingdom)
Messages: 392
Registered: July 2009
Senior Member
Hi.

I have not been able to reproduce this problem. I tried a WS03SP2 DC with
a WS03SP2 member server running ADAM (1.1.3790.4503). I added
a dot to the "Computer FQDN" as below; this prompted for a restart which
I performed. The server was already running a bunch of ADAM instances, all
of which showed the trailing-dot dnsHostName in the rootDSE updated. The SCP
entries against the ADAM instances for the member server computer account got
updated OK. The SPNs against the member server account did not show as having a
trailing dot.

I then tried installing a further ADAM instance using adaminstall
interactively, ran through the wizard and then attempted a bind using ldp.exe
"Bind as currently logged on user"; that also worked OK. Again no trailing dot on the
SPNs.

What account do you use for the install and the bind attempt?
When your ldp bind fails, do you get anything in the security event log
on the member server or the DC(s) for the domain? You would need
to be auditing logon events for Failure in the DC security policy.

Thanks
Lee Flight