• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1694
  • Last Modified:

Why can't I BIND to Active Directory when connecting via a DNS alias rather than the real server name?

Greetings -

I have a DNS alias configured to point to a specific Domain Controller in my environment.  I use this alias to allow me to repoint applications to another DC if I forsee a down time.  I recently discovered though that I cannot initiate a BIND session with Active Directory if I attempt to use that alias.

Let us say the alias' name is "PrimaryLDAP" and the real DC server name is "RealDCName".

If I use ldp.exe to connect to "PrimaryLDAP", I get a connection just fine.  When I attempt to BIND with my credentials, I receive the following error:
---
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
      {NtAuthIdentity: User='MyUserName'; Pwd= <unavailable>; domain = 'NULL'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
---

However, if I connect directly to "RealDCName", I am able to BIND just fine.  I did some searching online and this appears to be a common issue.  BIND-ing to a DC via a DNS resolved alias seems to throw an Invalid Credentials error as you can see above.

What can I do to remedy this?  Any ideas?

I'm wondering if a certificate needs to be generated somewhere or I'm experiencing a potential issue with SPNs.
0
amendala
Asked:
amendala
  • 3
  • 2
1 Solution
 
AkhaterCommented:
well this is kerberos, you have to use the computer name registered in AD
0
 
amendalaAuthor Commented:
Unfortunately, that doesn't provide me any specifics, nor does it address my question.  I'm aware that the authentication is using Kerberos but the statement that the computer name registered in AD is required is incorrect.  Authentication referrals via a secondary name are quite common.

Kerberos relies on certificates, tokens, service principal names, etc.  I would think there must be a way to configure either a wildcard cert. or perhaps a manual SPN to allow such authentications to take place.

It is that feedback I'm searching for.
0
 
AkhaterCommented:
I am sorry it does address your question, authentication via secondary name are common with web servers etc... not with AD


I have no documents to backup my saying but  I am sure some book guru will give you a link or an article to read
0
 
AkhaterCommented:
by the way you can do that using the setspn.exe (unless I'm mistaken) tool but i haven't used it in a long time a quick search will give you results

BTW the kerberos ticket does contain the
0
 
amendalaAuthor Commented:
This is an issue with SPN resolution.  The error only occurs when I try to BIND to a DC when I'm logged into that DC.  An SPN resolution loop issue occurs and Kerberos is unable to authenticate.

If a manual SPN is created using the DNS alias, apparently this problem disappears.  Programmers using ADAM technologies have experienced this, there is an article on the web about it.

Using an alias for binding works just fine when I'm on another computer but when I'm on the DC itself, there's a self-referencing conflict.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now