Trouble Authenticating users from trusted domains

G

Guest

I have an ERP application that can authenticate users from Active Directory
or LDAP. The problem that I am having is that it does not appear that any
domain information is passed to my DCs or LDAP Server. For example, I can
login and authenticate just fine in the parent domain, but when I try to
login as a user from the child domain, the authentication fails. The only
login information that is entered is the user name, i.e. sjones. Is there a
way or how can Active Directory or LDAP search all of my domains, both parent
and child, for the username to authenticate?
 
P

ptwilliams

In order to successfully logon, you must be able to resolve the _ldap SRV
records.

Ensure that the dsGetDc call is successful by either running nltest
/dsgetdc:domain-name.com or netdiag /test:dsgetdc

Is there a way or how can Active Directory or LDAP search all of my
domains, both parent and child, for the username to authenticate?
Click to expand...

If you're using an LDAP query this is possible through the use of crossRef
objects and LDAP referrals. Although in order for this to work you must
pass the full DN of the domain. If you don't pass the DN, then you'll need
to pass additional info., such as domain name, etc.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

I have an ERP application that can authenticate users from Active Directory
or LDAP. The problem that I am having is that it does not appear that any
domain information is passed to my DCs or LDAP Server. For example, I can
login and authenticate just fine in the parent domain, but when I try to
login as a user from the child domain, the authentication fails. The only
login information that is entered is the user name, i.e. sjones. Is there a
way or how can Active Directory or LDAP search all of my domains, both
parent
and child, for the username to authenticate?
 
G

Guest

I have run these commands and they were successful. Should the Domain
Controllers from the site that this application is located pass the username
 
P

ptwilliams

No, that's the problem -without a DN it won't.

You'll need to 'aim' the request at the appropriate DC.

Can you pass the domain?

Perhaps if you can explain a little more what you are trying to achieve we
can better assist?

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

I have run these commands and they were successful. Should the Domain
Controllers from the site that this application is located pass the username
 
G

Guest

That is the problem. We can only pass a maximum of 2 Domains.

We have a new ERP system that can either authenticate with it's own user
database or we can set it up to authenticate via Active Directory. We would
much prefer authenticating via Active Directory as it makes Administration
much easier. In order to set that up, we must edit a properties file from
the application. This file allows you to specify 2 Domain Controllers, or
you can specifiy LDAP. If you specify an LDAP server, these are the
parameters that you can pass:
# comments out the line.

# Logon properties for LDAP/AD
#type:I
dir.logon.ldap.server=
dir.logon.ldap.port=
dir.logon.ldap.top=
dir.logon.ldap.prefix=
dir.logon.ldap.sufix=

Keep in mind that this will work just fine if we are only authenticating a
single Domain's users. The problem comes in because we are a WorldWide
company and have several child and trusted domains.
 
P

ptwilliams

Hmmm...that's a bit of a problem.

The trusted domains are more or less a no go, without being able to
stipulate more than two domains, as referrals and the like are forest
specific (unless you create external crossRef objects).

For the internal referrals (the child domains), you can point everything to
the root and they will get referred but only if the user name is passed with
the details of the domain -at this point I'm not 100% sure whether this has
to be in the format of a DN or if it can be other formats, providing the
domain is passed too. I'm thinking DN only, but I'd have to check my notes.

Have a look at this, and see what you think:
--
http://www.microsoft.com/resources/...server/reskit/en-us/distrib/dsbc_nar_gzoq.asp


(be wary of the line wrap, if any)

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

That is the problem. We can only pass a maximum of 2 Domains.

We have a new ERP system that can either authenticate with it's own user
database or we can set it up to authenticate via Active Directory. We would
much prefer authenticating via Active Directory as it makes Administration
much easier. In order to set that up, we must edit a properties file from
the application. This file allows you to specify 2 Domain Controllers, or
you can specifiy LDAP. If you specify an LDAP server, these are the
parameters that you can pass:
# comments out the line.

# Logon properties for LDAP/AD
#type:I
dir.logon.ldap.server=
dir.logon.ldap.port=
dir.logon.ldap.top=
dir.logon.ldap.prefix=
dir.logon.ldap.sufix=

Keep in mind that this will work just fine if we are only authenticating a
single Domain's users. The problem comes in because we are a WorldWide
company and have several child and trusted domains.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Authenticating users in external LDAP 2
run LDAP query agains AD-domain? 1
Q: Authenticate users over domains 1
Access users in multi-domains 1
ActiveDirectory Authenticating WinForms 1
Authenticating Domain Controller 2
Trusted domains 1
parent child user 1

Top