Solved

Why can't I BIND to Active Directory when connecting via a DNS alias rather than the real server name?

Posted on 2009-04-08
5
1,608 Views
Last Modified: 2013-12-24
Greetings -

I have a DNS alias configured to point to a specific Domain Controller in my environment.  I use this alias to allow me to repoint applications to another DC if I forsee a down time.  I recently discovered though that I cannot initiate a BIND session with Active Directory if I attempt to use that alias.

Let us say the alias' name is "PrimaryLDAP" and the real DC server name is "RealDCName".

If I use ldp.exe to connect to "PrimaryLDAP", I get a connection just fine.  When I attempt to BIND with my credentials, I receive the following error:
---
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
      {NtAuthIdentity: User='MyUserName'; Pwd= <unavailable>; domain = 'NULL'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
---

However, if I connect directly to "RealDCName", I am able to BIND just fine.  I did some searching online and this appears to be a common issue.  BIND-ing to a DC via a DNS resolved alias seems to throw an Invalid Credentials error as you can see above.

What can I do to remedy this?  Any ideas?

I'm wondering if a certificate needs to be generated somewhere or I'm experiencing a potential issue with SPNs.
0
Comment
Question by:amendala
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24099245
well this is kerberos, you have to use the computer name registered in AD
0
 

Author Comment

by:amendala
ID: 24099589
Unfortunately, that doesn't provide me any specifics, nor does it address my question.  I'm aware that the authentication is using Kerberos but the statement that the computer name registered in AD is required is incorrect.  Authentication referrals via a secondary name are quite common.

Kerberos relies on certificates, tokens, service principal names, etc.  I would think there must be a way to configure either a wildcard cert. or perhaps a manual SPN to allow such authentications to take place.

It is that feedback I'm searching for.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24099648
I am sorry it does address your question, authentication via secondary name are common with web servers etc... not with AD


I have no documents to backup my saying but  I am sure some book guru will give you a link or an article to read
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24099673
by the way you can do that using the setspn.exe (unless I'm mistaken) tool but i haven't used it in a long time a quick search will give you results

BTW the kerberos ticket does contain the
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 24132812
This is an issue with SPN resolution.  The error only occurs when I try to BIND to a DC when I'm logged into that DC.  An SPN resolution loop issue occurs and Kerberos is unable to authenticate.

If a manual SPN is created using the DNS alias, apparently this problem disappears.  Programmers using ADAM technologies have experienced this, there is an article on the web about it.

Using an alias for binding works just fine when I'm on another computer but when I'm on the DC itself, there's a self-referencing conflict.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When it comes to protecting Oracle Database servers and systems, there are a ton of myths out there. Here are the most common.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question