Solved

Why can't I BIND to Active Directory when connecting via a DNS alias rather than the real server name?

Posted on 2009-04-08
5
1,577 Views
Last Modified: 2013-12-24
Greetings -

I have a DNS alias configured to point to a specific Domain Controller in my environment.  I use this alias to allow me to repoint applications to another DC if I forsee a down time.  I recently discovered though that I cannot initiate a BIND session with Active Directory if I attempt to use that alias.

Let us say the alias' name is "PrimaryLDAP" and the real DC server name is "RealDCName".

If I use ldp.exe to connect to "PrimaryLDAP", I get a connection just fine.  When I attempt to BIND with my credentials, I receive the following error:
---
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
      {NtAuthIdentity: User='MyUserName'; Pwd= <unavailable>; domain = 'NULL'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
---

However, if I connect directly to "RealDCName", I am able to BIND just fine.  I did some searching online and this appears to be a common issue.  BIND-ing to a DC via a DNS resolved alias seems to throw an Invalid Credentials error as you can see above.

What can I do to remedy this?  Any ideas?

I'm wondering if a certificate needs to be generated somewhere or I'm experiencing a potential issue with SPNs.
0
Comment
Question by:amendala
  • 3
  • 2
5 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24099245
well this is kerberos, you have to use the computer name registered in AD
0
 

Author Comment

by:amendala
ID: 24099589
Unfortunately, that doesn't provide me any specifics, nor does it address my question.  I'm aware that the authentication is using Kerberos but the statement that the computer name registered in AD is required is incorrect.  Authentication referrals via a secondary name are quite common.

Kerberos relies on certificates, tokens, service principal names, etc.  I would think there must be a way to configure either a wildcard cert. or perhaps a manual SPN to allow such authentications to take place.

It is that feedback I'm searching for.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24099648
I am sorry it does address your question, authentication via secondary name are common with web servers etc... not with AD


I have no documents to backup my saying but  I am sure some book guru will give you a link or an article to read
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24099673
by the way you can do that using the setspn.exe (unless I'm mistaken) tool but i haven't used it in a long time a quick search will give you results

BTW the kerberos ticket does contain the
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 24132812
This is an issue with SPN resolution.  The error only occurs when I try to BIND to a DC when I'm logged into that DC.  An SPN resolution loop issue occurs and Kerberos is unable to authenticate.

If a manual SPN is created using the DNS alias, apparently this problem disappears.  Programmers using ADAM technologies have experienced this, there is an article on the web about it.

Using an alias for binding works just fine when I'm on another computer but when I'm on the DC itself, there's a self-referencing conflict.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article runs through the process of deploying a single EXE application selectively to a group of user.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question