Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Why can't I BIND to Active Directory when connecting via a DNS alias rather than the real server name?

Posted on 2009-04-08
5
Medium Priority
?
1,651 Views
Last Modified: 2013-12-24
Greetings -

I have a DNS alias configured to point to a specific Domain Controller in my environment.  I use this alias to allow me to repoint applications to another DC if I forsee a down time.  I recently discovered though that I cannot initiate a BIND session with Active Directory if I attempt to use that alias.

Let us say the alias' name is "PrimaryLDAP" and the real DC server name is "RealDCName".

If I use ldp.exe to connect to "PrimaryLDAP", I get a connection just fine.  When I attempt to BIND with my credentials, I receive the following error:
---
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
      {NtAuthIdentity: User='MyUserName'; Pwd= <unavailable>; domain = 'NULL'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
---

However, if I connect directly to "RealDCName", I am able to BIND just fine.  I did some searching online and this appears to be a common issue.  BIND-ing to a DC via a DNS resolved alias seems to throw an Invalid Credentials error as you can see above.

What can I do to remedy this?  Any ideas?

I'm wondering if a certificate needs to be generated somewhere or I'm experiencing a potential issue with SPNs.
0
Comment
Question by:amendala
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24099245
well this is kerberos, you have to use the computer name registered in AD
0
 

Author Comment

by:amendala
ID: 24099589
Unfortunately, that doesn't provide me any specifics, nor does it address my question.  I'm aware that the authentication is using Kerberos but the statement that the computer name registered in AD is required is incorrect.  Authentication referrals via a secondary name are quite common.

Kerberos relies on certificates, tokens, service principal names, etc.  I would think there must be a way to configure either a wildcard cert. or perhaps a manual SPN to allow such authentications to take place.

It is that feedback I'm searching for.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24099648
I am sorry it does address your question, authentication via secondary name are common with web servers etc... not with AD


I have no documents to backup my saying but  I am sure some book guru will give you a link or an article to read
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24099673
by the way you can do that using the setspn.exe (unless I'm mistaken) tool but i haven't used it in a long time a quick search will give you results

BTW the kerberos ticket does contain the
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 24132812
This is an issue with SPN resolution.  The error only occurs when I try to BIND to a DC when I'm logged into that DC.  An SPN resolution loop issue occurs and Kerberos is unable to authenticate.

If a manual SPN is created using the DNS alias, apparently this problem disappears.  Programmers using ADAM technologies have experienced this, there is an article on the web about it.

Using an alias for binding works just fine when I'm on another computer but when I'm on the DC itself, there's a self-referencing conflict.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question