Sign in with
Sign up | Sign in
Your question

Trouble Authenticating users from trusted domains

Tags:
  • Domain
  • Active Directory
  • Login
  • LDAP
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
January 4, 2005 1:29:07 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have an ERP application that can authenticate users from Active Directory
or LDAP. The problem that I am having is that it does not appear that any
domain information is passed to my DCs or LDAP Server. For example, I can
login and authenticate just fine in the parent domain, but when I try to
login as a user from the child domain, the authentication fails. The only
login information that is entered is the user name, i.e. sjones. Is there a
way or how can Active Directory or LDAP search all of my domains, both parent
and child, for the username to authenticate?

More about : trouble authenticating users trusted domains

Anonymous
January 4, 2005 11:23:07 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In order to successfully logon, you must be able to resolve the _ldap SRV
records.

Ensure that the dsGetDc call is successful by either running nltest
/dsgetdc:D omain-name.com or netdiag /test:D sgetdc


> Is there a way or how can Active Directory or LDAP search all of my
> domains, both parent and child, for the username to authenticate?

If you're using an LDAP query this is possible through the use of crossRef
objects and LDAP referrals. Although in order for this to work you must
pass the full DN of the domain. If you don't pass the DN, then you'll need
to pass additional info., such as domain name, etc.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"Troubled Mike" <Troubled Mike@discussions.microsoft.com> wrote in message
news:E472A4BC-DED2-472F-B4D0-A7AAE7FCACCA@microsoft.com...
I have an ERP application that can authenticate users from Active Directory
or LDAP. The problem that I am having is that it does not appear that any
domain information is passed to my DCs or LDAP Server. For example, I can
login and authenticate just fine in the parent domain, but when I try to
login as a user from the child domain, the authentication fails. The only
login information that is entered is the user name, i.e. sjones. Is there a
way or how can Active Directory or LDAP search all of my domains, both
parent
and child, for the username to authenticate?
Anonymous
January 4, 2005 11:23:08 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have run these commands and they were successful. Should the Domain
Controllers from the site that this application is located pass the username
on to the proper child domain? Even without a Domain identifier?

"ptwilliams" wrote:

> In order to successfully logon, you must be able to resolve the _ldap SRV
> records.
>
> Ensure that the dsGetDc call is successful by either running nltest
> /dsgetdc:D omain-name.com or netdiag /test:D sgetdc
>
>
> > Is there a way or how can Active Directory or LDAP search all of my
> > domains, both parent and child, for the username to authenticate?
>
> If you're using an LDAP query this is possible through the use of crossRef
> objects and LDAP referrals. Although in order for this to work you must
> pass the full DN of the domain. If you don't pass the DN, then you'll need
> to pass additional info., such as domain name, etc.
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Troubled Mike" <Troubled Mike@discussions.microsoft.com> wrote in message
> news:E472A4BC-DED2-472F-B4D0-A7AAE7FCACCA@microsoft.com...
> I have an ERP application that can authenticate users from Active Directory
> or LDAP. The problem that I am having is that it does not appear that any
> domain information is passed to my DCs or LDAP Server. For example, I can
> login and authenticate just fine in the parent domain, but when I try to
> login as a user from the child domain, the authentication fails. The only
> login information that is entered is the user name, i.e. sjones. Is there a
> way or how can Active Directory or LDAP search all of my domains, both
> parent
> and child, for the username to authenticate?
>
>
>
Related resources
Anonymous
January 5, 2005 12:32:05 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

No, that's the problem -without a DN it won't.

You'll need to 'aim' the request at the appropriate DC.

Can you pass the domain?

Perhaps if you can explain a little more what you are trying to achieve we
can better assist?

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"Troubled Mike" <TroubledMike@discussions.microsoft.com> wrote in message
news:89235423-ED9A-4086-B091-D39D713F8257@microsoft.com...
I have run these commands and they were successful. Should the Domain
Controllers from the site that this application is located pass the username
on to the proper child domain? Even without a Domain identifier?

"ptwilliams" wrote:

> In order to successfully logon, you must be able to resolve the _ldap SRV
> records.
>
> Ensure that the dsGetDc call is successful by either running nltest
> /dsgetdc:D omain-name.com or netdiag /test:D sgetdc
>
>
> > Is there a way or how can Active Directory or LDAP search all of my
> > domains, both parent and child, for the username to authenticate?
>
> If you're using an LDAP query this is possible through the use of crossRef
> objects and LDAP referrals. Although in order for this to work you must
> pass the full DN of the domain. If you don't pass the DN, then you'll
> need
> to pass additional info., such as domain name, etc.
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Troubled Mike" <Troubled Mike@discussions.microsoft.com> wrote in message
> news:E472A4BC-DED2-472F-B4D0-A7AAE7FCACCA@microsoft.com...
> I have an ERP application that can authenticate users from Active
> Directory
> or LDAP. The problem that I am having is that it does not appear that any
> domain information is passed to my DCs or LDAP Server. For example, I can
> login and authenticate just fine in the parent domain, but when I try to
> login as a user from the child domain, the authentication fails. The only
> login information that is entered is the user name, i.e. sjones. Is there
> a
> way or how can Active Directory or LDAP search all of my domains, both
> parent
> and child, for the username to authenticate?
>
>
>
Anonymous
January 7, 2005 9:07:03 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

That is the problem. We can only pass a maximum of 2 Domains.

We have a new ERP system that can either authenticate with it's own user
database or we can set it up to authenticate via Active Directory. We would
much prefer authenticating via Active Directory as it makes Administration
much easier. In order to set that up, we must edit a properties file from
the application. This file allows you to specify 2 Domain Controllers, or
you can specifiy LDAP. If you specify an LDAP server, these are the
parameters that you can pass:
# comments out the line.

# Logon properties for LDAP/AD
#type:I
dir.logon.ldap.server=
dir.logon.ldap.port=
dir.logon.ldap.top=
dir.logon.ldap.prefix=
dir.logon.ldap.sufix=

Keep in mind that this will work just fine if we are only authenticating a
single Domain's users. The problem comes in because we are a WorldWide
company and have several child and trusted domains.


"ptwilliams" wrote:

> No, that's the problem -without a DN it won't.
>
> You'll need to 'aim' the request at the appropriate DC.
>
> Can you pass the domain?
>
> Perhaps if you can explain a little more what you are trying to achieve we
> can better assist?
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Troubled Mike" <TroubledMike@discussions.microsoft.com> wrote in message
> news:89235423-ED9A-4086-B091-D39D713F8257@microsoft.com...
> I have run these commands and they were successful. Should the Domain
> Controllers from the site that this application is located pass the username
> on to the proper child domain? Even without a Domain identifier?
>
> "ptwilliams" wrote:
>
> > In order to successfully logon, you must be able to resolve the _ldap SRV
> > records.
> >
> > Ensure that the dsGetDc call is successful by either running nltest
> > /dsgetdc:D omain-name.com or netdiag /test:D sgetdc
> >
> >
> > > Is there a way or how can Active Directory or LDAP search all of my
> > > domains, both parent and child, for the username to authenticate?
> >
> > If you're using an LDAP query this is possible through the use of crossRef
> > objects and LDAP referrals. Although in order for this to work you must
> > pass the full DN of the domain. If you don't pass the DN, then you'll
> > need
> > to pass additional info., such as domain name, etc.
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net/
> > http://forums.msresource.net/
> >
> > "Troubled Mike" <Troubled Mike@discussions.microsoft.com> wrote in message
> > news:E472A4BC-DED2-472F-B4D0-A7AAE7FCACCA@microsoft.com...
> > I have an ERP application that can authenticate users from Active
> > Directory
> > or LDAP. The problem that I am having is that it does not appear that any
> > domain information is passed to my DCs or LDAP Server. For example, I can
> > login and authenticate just fine in the parent domain, but when I try to
> > login as a user from the child domain, the authentication fails. The only
> > login information that is entered is the user name, i.e. sjones. Is there
> > a
> > way or how can Active Directory or LDAP search all of my domains, both
> > parent
> > and child, for the username to authenticate?
> >
> >
> >
>
>
>
Anonymous
January 8, 2005 11:47:52 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hmmm...that's a bit of a problem.

The trusted domains are more or less a no go, without being able to
stipulate more than two domains, as referrals and the like are forest
specific (unless you create external crossRef objects).

For the internal referrals (the child domains), you can point everything to
the root and they will get referred but only if the user name is passed with
the details of the domain -at this point I'm not 100% sure whether this has
to be in the format of a DN or if it can be other formats, providing the
domain is passed too. I'm thinking DN only, but I'd have to check my notes.

Have a look at this, and see what you think:
--
http://www.microsoft.com/resources/documentation/Window...


(be wary of the line wrap, if any)

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"Troubled Mike" <TroubledMike@discussions.microsoft.com> wrote in message
news:C652E5F0-F9CD-4F65-B1FB-972F3D20F3E2@microsoft.com...
That is the problem. We can only pass a maximum of 2 Domains.

We have a new ERP system that can either authenticate with it's own user
database or we can set it up to authenticate via Active Directory. We would
much prefer authenticating via Active Directory as it makes Administration
much easier. In order to set that up, we must edit a properties file from
the application. This file allows you to specify 2 Domain Controllers, or
you can specifiy LDAP. If you specify an LDAP server, these are the
parameters that you can pass:
# comments out the line.

# Logon properties for LDAP/AD
#type:I
dir.logon.ldap.server=
dir.logon.ldap.port=
dir.logon.ldap.top=
dir.logon.ldap.prefix=
dir.logon.ldap.sufix=

Keep in mind that this will work just fine if we are only authenticating a
single Domain's users. The problem comes in because we are a WorldWide
company and have several child and trusted domains.


"ptwilliams" wrote:

> No, that's the problem -without a DN it won't.
>
> You'll need to 'aim' the request at the appropriate DC.
>
> Can you pass the domain?
>
> Perhaps if you can explain a little more what you are trying to achieve we
> can better assist?
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Troubled Mike" <TroubledMike@discussions.microsoft.com> wrote in message
> news:89235423-ED9A-4086-B091-D39D713F8257@microsoft.com...
> I have run these commands and they were successful. Should the Domain
> Controllers from the site that this application is located pass the
> username
> on to the proper child domain? Even without a Domain identifier?
>
> "ptwilliams" wrote:
>
> > In order to successfully logon, you must be able to resolve the _ldap
> > SRV
> > records.
> >
> > Ensure that the dsGetDc call is successful by either running nltest
> > /dsgetdc:D omain-name.com or netdiag /test:D sgetdc
> >
> >
> > > Is there a way or how can Active Directory or LDAP search all of my
> > > domains, both parent and child, for the username to authenticate?
> >
> > If you're using an LDAP query this is possible through the use of
> > crossRef
> > objects and LDAP referrals. Although in order for this to work you must
> > pass the full DN of the domain. If you don't pass the DN, then you'll
> > need
> > to pass additional info., such as domain name, etc.
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net/
> > http://forums.msresource.net/
> >
> > "Troubled Mike" <Troubled Mike@discussions.microsoft.com> wrote in
> > message
> > news:E472A4BC-DED2-472F-B4D0-A7AAE7FCACCA@microsoft.com...
> > I have an ERP application that can authenticate users from Active
> > Directory
> > or LDAP. The problem that I am having is that it does not appear that
> > any
> > domain information is passed to my DCs or LDAP Server. For example, I
> > can
> > login and authenticate just fine in the parent domain, but when I try to
> > login as a user from the child domain, the authentication fails. The
> > only
> > login information that is entered is the user name, i.e. sjones. Is
> > there
> > a
> > way or how can Active Directory or LDAP search all of my domains, both
> > parent
> > and child, for the username to authenticate?
> >
> >
> >
>
>
>
!