Not able to pass LDAP authentication with non-domain active directory users inside the managed domain VM

  • Question

  • Hi

    In my Azure Active Directory, I have three kinds of users: <domain1> as guests, and <domain2> and <domain3> as members.

    I have a managed domain with Azure AD Domain Services for <domain2>, and the users from all three domains are synced as Active Directory users there.

    The LDAP authentication always passes for <domain2> and <domain3> but not for <domain1>. I get "user name and password incorrect" as the error, with the exception

    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) at System.DirectoryServices.DirectorySearcher.FindOne() at 

    I have tried changing the password for my <domain1> users multiple times, but it did not help. Is this something related to guest users? Shall I convert the guest users to members?

    • Edited by Sam830 Friday, July 27, 2018 6:28 PM
    Friday, July 27, 2018 4:24 PM

Answers

  • Guest users invited to your Azure AD directory using the Azure AD B2B invite process are synchronized into your Azure AD Domain Services managed domain. However, passwords for these users are not stored in your Azure AD directory. Therefore, Azure AD Domain Services has no way to sync NTLM and Kerberos hashes for these users into your managed domain. As a result, such users cannot log in to the managed domain or join computers to the managed domain.


    Tuesday, July 31, 2018 5:52 PM
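    A triage script for the situation in this answer, added here as an example (not code from the thread). It assumes the AzureAD PowerShell module is installed and Connect-AzureAD has already been run, and takes the sign-in names that fail LDAP bind against the managed domain; it reports which of them are B2B guests (UserType = Guest), whose bind failure is expected because no password hash is synced to Azure AD DS, and which are Members that still need investigation.

```powershell
# Added example, not from the original thread. Assumes the AzureAD module
# (Connect-AzureAD, Get-AzureADUser) and an existing Connect-AzureAD session.
param(
    [Parameter(Mandatory)][string[]] $FailingUsers   # e.g. 'alice@domain1.example'
)

function Get-AzureADUserForSignIn {
    param([string] $SignIn)
    # -ObjectId accepts a UPN, which is enough for member accounts.
    $user = Get-AzureADUser -ObjectId $SignIn -ErrorAction SilentlyContinue
    if (-not $user) {
        # Guest UPNs are rewritten on invite (user_domain#EXT#@tenant...),
        # so fall back to matching the invited address in the mail attribute.
        $user = Get-AzureADUser -Filter "mail eq '$SignIn'" -ErrorAction SilentlyContinue |
                Select-Object -First 1
    }
    return $user
}

foreach ($signIn in $FailingUsers) {
    $u = Get-AzureADUserForSignIn -SignIn $signIn
    if (-not $u) {
        [pscustomobject]@{ SignIn = $signIn; UPN = $null; UserType = 'NotFound'
                           Verdict = 'Account not found in Azure AD' }
        continue
    }
    $verdict = switch ($u.UserType) {
        'Guest'  { 'Expected: B2B guest, no NTLM/Kerberos hash synced to Azure AD DS' }
        'Member' { 'Unexpected: member should bind; check password change and sync status' }
        default  { "Unknown user type '$($u.UserType)'" }
    }
    [pscustomobject]@{
        SignIn   = $signIn
        UPN      = $u.UserPrincipalName
        UserType = $u.UserType
        Verdict  = $verdict
    }
}
```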

All replies

  • Friday, July 27, 2018 8:37 PM
  • Thank you Sadiqh.

    In my case, only a specific set of users, <domain1>, are failing LDAP authentication. When I check with the adexplorer or ldap.exe tool, I see those as synced users.

    The other set, <domain2> and <domain3>, are successfully authenticated.

    Any idea why this behavior occurs?

    Monday, July 30, 2018 6:28 PM
  • Just an FYI, domain 1 users are in my azure active directory as guest users
    Tuesday, July 31, 2018 3:52 PM
  • Thanks, that makes sense
    Tuesday, July 31, 2018 6:24 PM
  • You are welcome. :)
    Tuesday, July 31, 2018 6:35 PM