LDAP Authentication after password change

  • Question

  • Hello,

    I'm facing an issue and I'd like your help with the different authentication methods used with Active Directory.

    Let's say that we have an Active Directory domain with multiple sites. A user on a site changes his password using Ctrl-Alt-Del. After he logs on with the new password on a computer that belongs to the same site, he opens a web application that uses LDAP authentication against the domain controllers on the main site (not his site). The authentication fails with a bad-password event logged.

    What may be the case here?

    Regards,

    Christos

    Thursday, September 1, 2016 1:20 PM

Answers

  • Hi,

    Examining LDAP interface events in the Windows Directory Service Event log can help determine if a bad password or bad username is the cause of the authentication failure.

    To enable LDAP debugging logs on the Domain Controller, set the LDAP Interface Events diagnostic level to verbose using DWORD value 5 in the Windows registry. Once LDAP events have been enabled, open the Windows Event Viewer, navigate to Applications and Services Logs > Directory Service, and analyze the related events.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alvwan Monday, September 19, 2016 8:19 AM
    • Marked as answer by Christos Polydorou Thursday, September 22, 2016 4:41 PM
    Monday, September 12, 2016 10:04 AM
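The procedure in the answer above, as an added PowerShell example that is not part of the original post. It assumes the standard NTDS diagnostics key and the default "Directory Service" log name, and is run elevated on the domain controller the application binds to; the account name is a placeholder you replace.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'
$user      = 'jdoe'   # placeholder: the account whose bind is failing

# Level 0 = default (off), 5 = verbose. Verbose is very chatty on a busy DC,
# so keep the window short and restore the default afterwards.
Set-ItemProperty -Path $diagKey -Name $valueName -Value 5 -Type DWord
Write-Host "LDAP Interface Events level is now $((Get-ItemProperty -Path $diagKey).$valueName)"

Read-Host 'Reproduce the failing logon from the web application, then press Enter'

# Pull Directory Service events from the last 15 minutes that mention the user,
# so the bad-password / bad-username detail of the failed bind can be read directly.
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($user) } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap

# Restore the default so the log does not fill with routine LDAP traffic.
Set-ItemProperty -Path $diagKey -Name $valueName -Value 0 -Type DWord
```

Run it on the DC the application actually talks to (the main-site DCs in the question), not on the user's local DC; the failed bind is only logged where it is processed.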

All replies

  • Hi

     You should check DC and replication health first. Please paste UNEDITED "dcdiag" and "repadmin /replsum" results on OneDrive.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, September 1, 2016 2:48 PM
  • Hello Burak,

    There's nothing wrong with replication. Password changes do not go through replication anyway...

    Moreover, the user is able to log on to a workstation on the - let's say - problematic site with the new password.

    I believe that the problem is related to the way the application authenticates the users. Even if the DCs in the site do not have the latest password, they should consult with the PDC first to see if the password has been updated and then fail the request.

    Thursday, September 1, 2016 3:19 PM
    "There's nothing wrong with replication. Password changes do not go through replication anyway..." >>> Password changes, membership changes, all AD object changes sync with replication. A domain controller and replication health status check should be the first step in troubleshooting this kind of issue. But if you are sure it is OK.

    Also check this for details about replication: https://technet.microsoft.com/en-us/library/cc794809(v=ws.10).aspx

    "I believe that the problem is related to the way the application authenticates the users" >>> As you mentioned, you should check from the application side, maybe check with the vendor. So users are able to log on with new passwords (to computers)...


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur


    • Edited by Burak Uğur Thursday, September 1, 2016 4:09 PM
    • Proposed as answer by Alvwan Friday, September 9, 2016 9:40 AM
    Thursday, September 1, 2016 4:05 PM
  • As per https://support.microsoft.com/en-us/kb/225511, when authentication with wrong password is attempted on a domain controller, before the domain controller fails the attempt, it contacts the PDC in case the password has been changed on another DC. This procedure is not performed through replication.

    Please take a look also at this https://blogs.technet.microsoft.com/kenstcyr/2008/07/05/understanding-urgent-replication/

    Friday, September 9, 2016 10:42 AM
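To see the two mechanisms from the posts above in practice (whether each DC has replicated the new password yet, and whether an LDAP simple bind as the user succeeds on that DC regardless, which is what the PDC forwarding described in KB 225511 should give you), here is an added PowerShell example. It is not part of the original thread; it assumes the RSAT ActiveDirectory module and the .NET System.DirectoryServices.Protocols assembly are present, that LDAPS (636) is enabled on the DCs, and it prompts for the affected user's credential.

```powershell
# Added example (not from the thread). Runs from any domain-joined admin workstation.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$cred   = Get-Credential -Message 'Account whose LDAP bind fails (enter as user@domain)'
$upn    = $cred.UserName
$pdc    = (Get-ADDomain).PDCEmulator

# The PDC emulator receives every password change first (urgent replication goes to it),
# so its copy of pwdLastSet is the reference for "has this DC got the new password yet?"
$ref = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server $pdc -Properties pwdLastSet
if (-not $ref) { throw "No user with UPN $upn found on $pdc" }

foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object Site, HostName)) {
    # 1. Replication check: does this DC still hold the old pwdLastSet?
    $local = Get-ADUser -Identity $ref.DistinguishedName -Server $dc.HostName -Properties pwdLastSet
    $stale = ($local.pwdLastSet -ne $ref.pwdLastSet)

    # 2. Authentication check: an LDAP simple bind, which is what many web apps do.
    #    Use LDAPS so the password does not cross the wire in clear text.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc.HostName, 636, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $cred.GetNetworkCredential()
    try     { $conn.Bind(); $bind = 'OK' }
    catch   { $bind = $_.Exception.Message }
    finally { $conn.Dispose() }

    [pscustomobject]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        IsPDC      = ($dc.HostName -ieq $pdc)
        PwdStale   = $stale
        SimpleBind = $bind
    }
}
```

Read the output per DC: `PwdStale = True` with `SimpleBind = OK` is the expected state shortly after a change (the DC still has the old hash but forwarded the failed check to the PDC). `PwdStale = True` with a failed bind points at the DC not reaching the PDC for that bind; `PwdStale = False` everywhere with the application still failing points at the application itself (which DC or cached credential it uses). Each failed bind on a DC that has not yet replicated still counts toward the account's bad-password count, so run this once, not in a loop, if lockout policy is tight.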