LDAP Cross Domain Authentication

  • Question

  • User1564906420 posted

    Hi,

    I am working in an IT organization. I am developing an application which authenticates users against the organization's Active Directory. We have multiple domains in the organization, like us, in, uk etc… I am in the "in" domain. When I enter my (or any "in" domain user's) username and password and the domain selected is "in" (LDAP connection string is LDAP://in.company.com), it authenticates successfully.

    My organization created a "testUser" user in the "uk" domain for testing other domain users with my application too. When I enter the username and password of the "uk" domain user and the domain selected is "uk" (I am still in the "in" domain) [LDAP connection string is LDAP://uk.company.com], it gives an error ("Logon failure: bad username or password"). [But if the user is in the "uk" domain and then gives the username and password, it authenticates successfully.]

    When I searched for this user in the "uk" domain (using the .NET Directory Services API), it finds "testUser". But it does not authenticate this user from my machine (from the "in" domain).

    Can anyone help me with what the issue could be? I am not able to resolve it. It gives the errors:

    -  ex {"Logon failure: unknown user name or bad password.\r\n"} System.Exception {System.DirectoryServices.DirectoryServicesCOMException}
    -  [System.DirectoryServices.DirectoryServicesCOMException] {"Logon failure: unknown user name or bad password.\r\n"} System.DirectoryServices.DirectoryServicesCOMException
    -  base {"Logon failure: unknown user name or bad password.\r\n"} System.Runtime.InteropServices.COMException {System.DirectoryServices.DirectoryServicesCOMException}
    +  base {"Logon failure: unknown user name or bad password.\r\n"} System.Runtime.InteropServices.ExternalException {System.DirectoryServices.DirectoryServicesCOMException}
      ExtendedError -2146893044 int
      ExtendedErrorMessage "8009030C: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 52e, v1771" string
    -  Non-Public members  
    +  base {"Logon failure: unknown user name or bad password.\r\n"} System.Runtime.InteropServices.COMException {System.DirectoryServices.DirectoryServicesCOMException}
      extendederror -2146893044 int
      extendedmessage "8009030C: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 52e, v1771" string
    +  Data {System.Collections.ListDictionaryInternal} System.Collections.IDictionary {System.Collections.ListDictionaryInternal}
      HelpLink null string
    +  InnerException null System.Exception
      Message "Logon failure: unknown user name or bad password.\r\n" string
      Source "System.DirectoryServices" string
      StackTrace "   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)\r\n   at System.DirectoryServices.DirectoryEntry.Bind()\r\n   at System.DirectoryServices.DirectoryEntry.get_AdsObject()\r\n   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)\r\n   at System.DirectoryServices.DirectorySearcher.FindOne()\r\n   at WindowsFormsApplication1.Form1.AuthenticateUser(String userName, String password, String& name) in C:\\Documents and Settings\\saxensac\\My Documents\\C# Features\\Active Directory\\Code\\Code-1\\WindowsFormsApplication1\\Form1.cs:line 88" string
    +  TargetSite {Void Bind(Boolean)} System.Reflection.MethodBase {System.Reflection.RuntimeMethodInfo}
    +  Static members  
    +  Non-Public members  

    Wednesday, April 15, 2009 7:47 AM

All replies

  • User1191518856 posted

    Welcome to the forums!

    Upon reading your post, I get the impression that you are not using integrated authentication. Am I right? This means you have a form where credentials are supplied, and then you programmatically authenticate the user. Is this a correct assumption? If so, then how are the credentials supplied? Do you prefix the username with the domain? How do you authenticate in the back end? Do you explicitly specify the DN of the domain root? Which root is this, btw?

    Thursday, April 16, 2009 6:42 PM
  • User1564906420 posted

    This means you have a form where credentials are supplied, and then you programmatically authenticate the user. --> Yes

    Do you prefix the username with domain --> Yes

    How do you authenticate in the back end? --> According to the domain prefix I get the LDAP connection string, e.g. for "uk" it is LDAP://uk.company.com

    Which root is this btw? --> Parent is --> company.com
    children of company are --> in.company.com, uk.company.com etc.

    Friday, April 17, 2009 1:16 AM
  • User1191518856 posted

    OK, the first thing that needs to be checked is whether the other DCs are available at all from within your domain. I.e. can you ping them from where you're at?

    Second thing, you're currently doing a serverless bind against the other domains. There might be an issue here. I'm not sure this is at all possible, or at least it is dependent on a correct configuration between the domains (which is out of my expertise).

    You could try to eliminate the problem if you explicitly specify the IP of the uk server for instance. So if a UK user tries to login, make sure it is validated against LDAP string:

    LDAP://x.x.x.x/DC=uk,DC=company,DC=com

    (where you replace x.x.x.x with the IP of the (or one of the) UK DCs).

    Friday, April 17, 2009 2:41 AM
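The explicit-server bind suggested above, written out as an added C# example (not the poster's code): the domain prefix from the login form selects a specific DC and base DN instead of a serverless `LDAP://uk.company.com` path, the username is always sent domain-qualified, and the `data NNN` sub-code in `ExtendedErrorMessage` (the thread's dump shows `data 52e`) is decoded so a bad password can be told apart from a disabled or locked account. The DC host names and the `CrossDomainAuth` class are placeholders; it assumes .NET with `System.DirectoryServices` and C# 9 or later.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text.RegularExpressions;

// Hypothetical helper (added example, not the poster's code).
static class CrossDomainAuth
{
    // Domain prefix -> (DC host, base DN). Placeholder hosts; replace with your forest's DCs.
    static readonly Dictionary<string, (string Dc, string BaseDn)> Domains = new()
    {
        ["in"] = ("dc01.in.company.com", "DC=in,DC=company,DC=com"),
        ["uk"] = ("dc01.uk.company.com", "DC=uk,DC=company,DC=com"),
    };
    // Well-known AD bind sub-codes that appear as "AcceptSecurityContext error, data NNN".
    static readonly Dictionary<string, string> SubCodes = new()
    {
        ["525"] = "user not found", ["52e"] = "invalid credentials",
        ["533"] = "account disabled", ["775"] = "account locked out",
    };

    // Returns true when the selected domain's DC accepts the credentials;
    // on failure 'reason' carries the decoded sub-code or the raw COM message.
    public static bool Authenticate(string domain, string user, string password, out string reason)
    {
        reason = null;
        if (!Domains.TryGetValue(domain.ToLowerInvariant(), out var d))
        {
            reason = "unknown domain " + domain;
            return false;
        }
        // Explicit server plus base DN (LDAP://host/DC=uk,DC=company,DC=com), not a serverless path.
        string path = $"LDAP://{d.Dc}/{d.BaseDn}";
        // Always send a domain-qualified name so the DC does not have to guess the realm.
        string qualified = user.Contains("\\") || user.Contains("@") ? user : $"{domain}\\{user}";
        try
        {
            using var entry = new DirectoryEntry(path, qualified, password,
                AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
            _ = entry.NativeObject; // forces the bind; throws DirectoryServicesCOMException on failure
            return true;
        }
        catch (DirectoryServicesCOMException ex)
        {
            var m = Regex.Match(ex.ExtendedErrorMessage ?? "", @"data ([0-9a-f]+)");
            reason = m.Success && SubCodes.TryGetValue(m.Groups[1].Value, out var s)
                ? $"{s} (data {m.Groups[1].Value})" : ex.Message;
            return false;
        }
    }
}
```

If the bind still fails with `data 52e` against the explicitly named uk DC while the same credentials work from a machine in the uk domain, the problem is on the credential or trust side rather than DC discovery.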
  • User1723909877 posted

    Hi,

    Sorry for raising this thread from the grave. But I have the same problem, and still couldn't find the reason.

    Do you know what the reason is, or do you have a solution yet?

    Regards,

    Huy.

    Wednesday, July 7, 2010 5:28 AM