LDAP authentication works with DN but not with CN of AD - active-directory

Recently I had to interact with an application that talks to 2 ADs on host1 and host2. I found that LDAP connections have been failing when connecting to one of the hosts. The error looks like this:
Connection to 'LDAP://[host1]/RootDSE' failed.
System.DirectoryServices.DirectoryServicesCOMException (0x8007052E):
Logon failure: unknown user name or bad password.
For troubleshooting purposes I installed the Apache Directory tool and tried different CN/DN combinations; my observations are:
when connecting to host1 with the CN (in this case, Administrator) /[password], I get the following error when fetching base DNs:
Error while fetching base DNs
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
when connecting to host1 with the distinguished name for Administrator and same password, I am able to successfully retrieve base DNs
when connecting to host2 with just the CN (Administrator again) and the same password, I can successfully retrieve the list of base DNs.
So my question is, are there AD settings I can set to allow authentication using just CN instead of the full DN?
I'm completely new to AD, so if there are things I can supply in my question to make it better for people browsing for similar issues, please let me know. Thanks.

What are host1 and host2 - are they different Domain Controllers (DCs) for the same domain, or are they for different domains? From what you are explaining they seem to be for different domains. If that is the case, then host2 simply has a different Administrator with a different password.
To answer your questions directly. AD allows CN to be used for user logon if and only if the given CN is unique. So there is no need to make any configuration for that.
However there are a number of other ways to log in to AD. You can use the sAMAccountName or userPrincipalName attributes of the users; these contain the usernames of the user. The first one contains the username from DOMAIN\username, where DOMAIN is the AD's NetBIOS domain name (I am not sure that is the exact term, but I am using it for lack of a better one). The second attribute contains the username in the form username@example.com, where example.com is usually the AD's DNS domain name (although it can be different).
So if you are searching for something shorter than the DN, use one of the above.

Related

Unable to obtain dns hostname of active directory domain controller with ntdsa object name while AD Authentication

showing "Unable to obtain dns hostname of active directory domain controller with ntdsa object name" msg while authentication with Active Directory on Windows Server 2012.
It depends on where your DNS is routing you.
Could be as simple as getting your DNS to talk to your server properly / take you to another DC in priority.
Since you just enter "the AD" here... you need to prioritise one DC, since you are using more than one DC.
You can also refer to this document1 and Document2 for troubleshooting your issue.

ldap queries - need the dn of the users who are authenticated via ldap protocol and their IP address

LDAP/AD Experts,
It might be simple for you, but it's a challenging task for me!
"ldap queries - need the dn of the users who are authenticated via ldap protocol and their IP address"
We are migrating authentication out of AD/LDAP.
We’re looking to migrate applications that are directly using AD for employees.
It's not specific to an OU or group but the overall Active Directory.
We have plenty of applications which use AD/LDAP for authentication.
How do I pull such data? At least I need to have the user details.
Getting the DN of a user is easy with any ldapsearch utility.
There is no method to obtain "the users who are authenticated" from LDAP. You could find the time a user last authenticated, regardless of how, from the lastLogon or lastLogonTimestamp attributes.
Generally, the IP address of the user is not available as part of the user entry within Microsoft Active Directory.
You might be able to obtain this from some PowerShell script, but I was unable to find anything from a quick search.

kinit(v5): Client not found in Kerberos database while getting initial credentials

I'm working on configuring SSO in OBIEE 11.1.1.7.14, where I'm facing an issue in the step of configuring krb5.conf and executing the kinit command.
A few notes regarding the Active Directory:
We have more than one domain controller, and to balance the requests we maintain a load balancer on port 3269.
The integration between OBIEE and MSAD has been done successfully with the load balancer name as host and 3269 as port.
A few certificates have been added to demotrust.jks and to the OVD store, and SSL is enabled in the new provider.
The keytab file was generated and placed in the OBIEE domain home, and krb5.conf and krb5Login.conf were modified accordingly.
I have created the keytab file and placed it in the OBIEE domain home, then modified krb5.conf by setting kdc to the IP address of one of the domain controllers and admin_server to the name of the domain controller. While executing
kinit -V -k -t /location/keytabfile.keytab HTTP/obiee_host_name
I got the error "kinit(v5): Client not found in Kerberos database while getting initial credentials". Please share your ideas/suggestions to solve this issue.
thanks in advance
We have an Active Directory with 2 domain controllers, and a load balancer on port 3269 is used to connect to Active Directory from OBIEE; the same connection can be used in krb5.conf and wherever required.
Consider the base domain as DOM1; all our groups are created under the sub-domain SUBDOM, so the SPN is set at SUBDOM.DOM1.COM.
Here are the few suggestions we followed to integrate AD with OBIEE and solve most of the kinit issues:
Instead of specifying the principal name with the absolute path, just mention it as account_name@FullyQualifiedDomainName.
Changes in krb5.conf:
Since the attribute "crypto" was specified as "all" while creating the keytab and setting the SPN, all the encryption types present in the keytab file have to be mentioned in krb5.conf (default_tkt_enctypes and default_tgs_enctypes).
Included the primary domain controller's IP address for the kdc attribute in the [realms] section; this is the same as Michael-O specified in point 2.
In [domain_realm] of krb5.conf, keep .subdom.dom1.com=DOM1.COM.
Include the host name of the load balancer in the admin_server attribute of the [realms] section in krb5.conf.
Once all the above changes are done, most of the kinit issues should be solved and the kinit command will execute successfully, creating the initial ticket in the desired directory.
First of all, this is serverfault.
3269 is not Kerberos, this is the SSL-backed global catalog. Pure LDAP, not Kerberos. Not interesting here.
Do not put KDC IP addresses in krb5.conf but rather rely on DNS SRV records, just like Windows does.
You cannot kinit with an SPN. kinit expects a UPN (from AD) from the keytab. Something like accountname$@EXAMPLE.COM if this is a machine account. Always remember, an SPN is always bound to some account, whether machine or functional.
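The two answers above give three concrete things to check before running kinit -k -t against a keytab: that the principal you pass is actually in the keytab (as the account UPN, per Michael-O), that every enctype in the keytab is listed in default_tkt_enctypes and default_tgs_enctypes (per the self-answer), and that krb5.conf does not pin the KDC to an IP address. The script below is an added example, not code from either answer; it parses constructed `klist -kte` output and a constructed krb5.conf for a hypothetical account svc_obiee in a hypothetical realm EXAMPLE.COM and reports those three problems.

```python
import re

# Constructed sample of `klist -kte` output (hypothetical account svc_obiee in a
# hypothetical realm EXAMPLE.COM; not taken from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/location/keytabfile.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2024 12:00:00 svc_obiee@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/01/2024 12:00:00 svc_obiee@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 01/01/2024 12:00:00 svc_obiee@EXAMPLE.COM (arcfour-hmac)
"""

# Constructed krb5.conf showing both problems the answers call out: a KDC pinned to
# an IP address, and enctype lists that do not cover every enctype in the keytab.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
  EXAMPLE.COM = {
    kdc = 192.0.2.10
    admin_server = dc1.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
"""

# One `klist -kte` entry: KVNO, timestamp (two tokens), principal@REALM, (enctype).
_KLIST_ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)@(\S+) \((\S+)\)\s*$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_klist_keytab(text):
    """Return (principal, realm, enctype) tuples for every keytab entry in the output."""
    entries = []
    for line in text.splitlines():
        m = _KLIST_ENTRY_RE.match(line)
        if m:
            entries.append((m.group(2), m.group(3), m.group(4)))
    return entries


def conf_values(krb5_conf, key):
    """Collect the values of every `key = ...` line in a krb5.conf text (lists are split)."""
    values = []
    for line in krb5_conf.splitlines():
        m = re.match(r"^\s*" + re.escape(key) + r"\s*=\s*(.+?)\s*$", line)
        if m:
            values.extend(m.group(1).split())
    return values


def check_kinit_setup(klist_text, krb5_conf, principal):
    """Findings, as (code, detail) pairs, for `kinit -k -t <keytab> <principal>`."""
    entries = parse_klist_keytab(klist_text)
    findings = []
    name, _, realm = principal.partition("@")
    if not realm:  # kinit would fill in default_realm; do the same here
        realm = (conf_values(krb5_conf, "default_realm") or [""])[0]

    matching = [e for e in entries if e[0] == name and e[1] == realm]
    if not matching:
        held = ", ".join(sorted({f"{p}@{r}" for p, r, _ in entries}))
        findings.append(("principal-not-in-keytab", f"{name}@{realm}; keytab holds: {held}"))
    if "/" in name:
        # Michael-O's answer: kinit -k wants the account's UPN from the keytab, not an SPN.
        findings.append(("spn-form", f"{name} looks like an SPN; try the account UPN"))

    # The self-answer: every enctype present in the keytab must also be listed in
    # default_tkt_enctypes and default_tgs_enctypes.
    keytab_enctypes = {e[2] for e in (matching or entries)}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        missing = keytab_enctypes - set(conf_values(krb5_conf, key))
        if missing:
            findings.append(("enctype-missing", f"{key} lacks {' '.join(sorted(missing))}"))

    # Michael-O's answer: do not pin KDC IPs; let the DNS SRV records pick the DC.
    for kdc in conf_values(krb5_conf, "kdc"):
        if _IPV4_RE.match(kdc):
            findings.append(("kdc-pinned-ip", f"kdc = {kdc}; remove it and set dns_lookup_kdc = true"))
    return findings


if __name__ == "__main__":
    for code, detail in check_kinit_setup(SAMPLE_KLIST, SAMPLE_KRB5_CONF, "svc_obiee@EXAMPLE.COM"):
        print(f"{code}: {detail}")
```

On a real host, feed it the output of `klist -kte /location/keytabfile.keytab` and the contents of /etc/krb5.conf. A principal passed in SPN form (HTTP/host) is reported as both not-in-keytab and spn-form, which is the combination that produces the "Client not found in Kerberos database" error in the question.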

Login with ADFS on AD with one way cross forest trust

We have one domain with trusts (non-transitive) to two other domains. The base domain users can log in without any problems, but the users from the other domains cannot.
We get an exception from ADFS like this:
The Federation Service encountered an error during an attempt to connect to a LDAP server at {trusted domain}.
Additional Data
Domain Name: {trusted domain}
LDAP server hostname: {trusted domain dc}
Error from LDAP server: Exception Details: A local error occurred.
User Action
Check the network connectivity to the LDAP server. Also, check whether the LDAP server is configured properly.
After researching we found out it's the one-way trust problem. The problem is, we don't have any possibility to change the trust configuration or to set up another ADFS on the trusted domains.
Is there some possibility to get it to work? Maybe some workaround solution?
Is it possible to change the FormSignin page, search the user manually with DirectoryServices and manually create the token?
Thanks All!
Not sure if there's a way to do it if you keep your ADFS service account in the trusting domain (in a one-way trust scenario). You would need to allow that account to be able to query LDAP in the trusted domain, which would usually mean a two-way trust.
Absent that, you may try to set up an ADFS service account from the trusted domain. Of course, this would only work for one of your domains (unless the two other domains have trusts between themselves).

Active Directory Login Problem

I have 2 users in my AD installation with the same CN:
CN=jack,CN=Users,DC=xyz,DC=com and
CN=jack,OU=abc,DC=xyz,DC=com
When I try to authenticate to the AD Server using the Apache Directory Studio client and give the following credentials
User: jack
Password: <password>
the authentication fails. The following credentials work
User: CN=jack,CN=Users,DC=xyz,DC=com
Password: <password>
When I have only a single user CN=tom,DC=xyz,DC=com with a given CN
I am able to login with
User: tom
Password: <password>
without having to specify the entire DN (CN=tom,DC=xyz,DC=com) .
I need to write a module to authenticate users against an AD installation. I have with me only the usernames and passwords and not the fully qualified base DNs. I cannot bind to the AD server to be able to use filters like (&(objectCategory=person)(objectClass=user)(sAMAccountName=jack)). How do I do this, as the problem seems to happen when there is more than one user with the same CN?
EDIT: Can I configure the AD server to bind against the mail address/sAMAccountName of the users instead of the CN? This would solve my problem as these are unique while CNs are not.
I found the attribute I was looking for --> userPrincipalName (UPN) . This has a unique value in Active Directory and can be supplied as the user name while attempting to authenticate. So now I need a list of UPNs and the corresponding passwords for login.
Check here too.
What kind of login are you doing in your 'module'? If you cannot bind and do an LDAP query, then what interface are you logging in with? You need to configure whatever that is to use sAMAccountName, as that is the only guaranteed unique per-domain name. Of course, if you have more than one domain in the forest then they only have to be unique per domain, so that may not work so well.
If you are only able to do an LDAP bind as the user, and not query, perhaps you could try to connect as sAMAccountName=jack as you pass the credentials.
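Both the first answer on this page (AD accepts the UPN or DOMAIN\sAMAccountName form for a simple bind) and the "Active Directory Login Problem" post above (only a short username and password are known, and the bare CN is ambiguous) come down to the same practical question: which bind name form to send, and how to read the error-49 diagnostic when it is rejected. The code below is an added example, not from any of the answers. It extracts the AD subcode from the "data NNN" field of the diagnostic in the question (52e), tries the UPN and down-level forms in turn through a caller-supplied bind function, and stops as soon as the subcode says the problem is the account state rather than the name form. The domain xyz.com, NetBIOS name XYZ, user jack and the stand-in DC are constructed for the example.

```python
import re

# Subcodes AD puts after "AcceptSecurityContext error, data" in an LDAP error 49
# bind diagnostic. 52e is the one from the question; the others are the remaining
# well-known values, listed so a caller can tell a bad name form or password apart
# from an account-state problem that no name form will fix.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or a name form the DC did not resolve)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def explain_ad_bind_error(diagnostic):
    """Return (subcode, meaning) from an AD bind diagnostic, or None if it has no data field."""
    m = _DATA_RE.search(diagnostic or "")
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unrecognised subcode")


def bind_name_candidates(sam_account_name, netbios_domain, dns_domain, dn=None):
    """Name forms AD accepts for a simple bind when only a short username is known:
    the UPN (user@dns.domain), then the down-level name (NETBIOS\\user), then the
    DN if the caller already has one."""
    names = [f"{sam_account_name}@{dns_domain}", f"{netbios_domain}\\{sam_account_name}"]
    if dn:
        names.append(dn)
    return names


def bind_with_fallback(bind, sam_account_name, password, netbios_domain, dns_domain, dn=None):
    """Try each name form through `bind(name, password) -> (ok, diagnostic_or_None)`.

    Returns the first name form the DC accepted, or None if every form came back
    with 52e. Any other subcode raises at once: a disabled or locked account will
    not start working under a different name, and every failed simple bind counts
    toward the account's lockout threshold, so retrying only makes things worse.
    """
    for name in bind_name_candidates(sam_account_name, netbios_domain, dns_domain, dn):
        ok, diagnostic = bind(name, password)
        if ok:
            return name
        parsed = explain_ad_bind_error(diagnostic)
        if parsed is not None and parsed[0] != "52e":
            raise PermissionError(f"{name}: {parsed[1]} (data {parsed[0]})")
    return None


# Constructed stand-in for a DC that, like host1 in the question, rejects the bare
# CN and accepts the UPN. Hypothetical domain xyz.com / NetBIOS name XYZ, user jack.
DIAGNOSTIC_52E = ("80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
                  "error, data 52e, v1db1")


def fake_dc_bind(name, password):
    if name == "jack@xyz.com" and password == "s3cret":
        return True, None
    return False, DIAGNOSTIC_52E


if __name__ == "__main__":
    print(bind_with_fallback(fake_dc_bind, "jack", "s3cret", "XYZ", "xyz.com"))  # jack@xyz.com
```

Against a real DC, `bind` would wrap a fresh ldap3 `Connection(server, user=name, password=password, authentication=SIMPLE)` per candidate, returning `conn.bind()` and, on failure, `conn.result["message"]`, which carries the diagnostic string above. Note the caveat in the docstring: with a wrong password every candidate fails with 52e, so the fallback costs one failed logon per name form; keep the candidate list short, or look the UPN up once (as the last post settled on) instead of guessing.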
