Trouble Authenticating users from trusted domains

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have an ERP application that can authenticate users from Active Directory
or LDAP. The problem that I am having is that it does not appear that any
domain information is passed to my DCs or LDAP Server. For example, I can
login and authenticate just fine in the parent domain, but when I try to
login as a user from the child domain, the authentication fails. The only
login information that is entered is the user name, i.e. sjones. Is there a
way or how can Active Directory or LDAP search all of my domains, both parent
and child, for the username to authenticate?
  1.

    In order to successfully logon, you must be able to resolve the _ldap SRV
    records.

    Ensure that the dsGetDc call is successful by either running nltest
    /dsgetdc:domain-name.com or netdiag /test:dsgetdc


    > Is there a way or how can Active Directory or LDAP search all of my
    > domains, both parent and child, for the username to authenticate?

    If you're using an LDAP query this is possible through the use of crossRef
    objects and LDAP referrals. Although in order for this to work you must
    pass the full DN of the domain. If you don't pass the DN, then you'll need
    to pass additional info., such as domain name, etc.

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

  2.

    I have run these commands and they were successful. Should the Domain
    Controllers from the site that this application is located pass the username
    on to the proper child domain? Even without a Domain identifier?

  3.

    No, that's the problem - without a DN it won't.

    You'll need to 'aim' the request at the appropriate DC.

    Can you pass the domain?

    Perhaps if you can explain a little more what you are trying to achieve we
    can better assist?

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

  4.

    That is the problem. We can only pass a maximum of 2 Domains.

    We have a new ERP system that can either authenticate with its own user
    database or we can set it up to authenticate via Active Directory. We would
    much prefer authenticating via Active Directory as it makes Administration
    much easier. In order to set that up, we must edit a properties file from
    the application. This file allows you to specify 2 Domain Controllers, or
    you can specify LDAP. If you specify an LDAP server, these are the
    parameters that you can pass:
    # comments out the line.

    # Logon properties for LDAP/AD
    #type:I
    dir.logon.ldap.server=
    dir.logon.ldap.port=
    dir.logon.ldap.top=
    dir.logon.ldap.prefix=
    dir.logon.ldap.sufix=

    Keep in mind that this will work just fine if we are only authenticating a
    single Domain's users. The problem comes in because we are a worldwide
    company and have several child and trusted domains.

  5.

    Hmmm...that's a bit of a problem.

    The trusted domains are more or less a no go, without being able to
    stipulate more than two domains, as referrals and the like are forest
    specific (unless you create external crossRef objects).

    For the internal referrals (the child domains), you can point everything to
    the root and they will get referred but only if the user name is passed with
    the details of the domain - at this point I'm not 100% sure whether this has
    to be in the format of a DN or if it can be other formats, providing the
    domain is passed too. I'm thinking DN only, but I'd have to check my notes.

    Have a look at this, and see what you think:
    --
    http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_gzoq.asp


    (be wary of the line wrap, if any)

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

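As an added example (not code from the ERP product or from either poster), the Python below contrasts the prefix + username + suffix bind that the properties file supports with a search-then-bind against the forest root's Global Catalog, the forest-wide lookup the answers point toward. The two-domain forest, its users, the passwords and the property values are all constructed for the demonstration; the property keys are spelled as in the thread.

```python
import re

# Constructed stand-in for a two-domain forest as the Global Catalog would index it:
# sAMAccountName -> (DN, password). Both domains are hypothetical.
FOREST_USERS = {
    "sjones":  ("CN=S Jones,OU=Users,DC=corp,DC=example,DC=com", "pw-sjones"),   # child domain
    "amiller": ("CN=A Miller,OU=Users,DC=example,DC=com",        "pw-amiller"),  # root domain
}

def parse_logon_properties(text):
    """Parse the dir.logon.ldap.* lines from the thread; a leading '#' comments a line out."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def prefix_suffix_bind_dn(props, username):
    """The scheme the properties file supports: DN = prefix + username + suffix.
    The suffix pins the bind to one naming context, so a child-domain user never matches."""
    return props["dir.logon.ldap.prefix"] + username + props["dir.logon.ldap.sufix"]

def demo_gc_search(ldap_filter):
    """Constructed Global Catalog search: DNs whose sAMAccountName matches the filter."""
    name = re.search(r"\(sAMAccountName=([^)]*)\)", ldap_filter).group(1)
    return [dn for user, (dn, _) in FOREST_USERS.items() if user == name]

def demo_bind(dn, password):
    """Constructed simple bind: True only if the DN exists and the password matches."""
    return any(dn == d and password == p for d, p in FOREST_USERS.values())

def authenticate(username, password, gc_search=demo_gc_search, bind=demo_bind):
    """Search-then-bind: look the bare name up in the Global Catalog (port 3268), which
    indexes every domain in the forest but not external trusted domains, then bind as
    the DN it returns. Returns the DN on success, None on a wrong password."""
    if not password:
        raise ValueError("empty password would be an anonymous bind, not an authentication")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,20}", username):  # also rejects filter metacharacters
        raise ValueError("username is not a plain sAMAccountName")
    hits = gc_search(f"(&(objectClass=user)(sAMAccountName={username}))")
    if len(hits) != 1:  # the same name can exist in more than one domain of the forest
        raise LookupError(f"expected exactly one account for {username!r}, found {len(hits)}")
    return hits[0] if bind(hits[0], password) else None
```

Against a real forest, `gc_search` and `bind` would be the LDAP client's search on port 3268 and its simple bind over TLS; the checks on empty passwords and on the number of hits are the parts that matter for safety.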