MAP 4.0: Problems with authentication in a single forest, multiple domain environment

  • Question

  • I am trying to scan our servers across a relatively complex environment.

    We have 10 domains, running to 4 levels deep. To summarise for a later example:
        Root.local
            child1.root.local
                   grandchild1.child1.root.local
            child2.root.local
            child3.root.local
                   grandchild3.child3.root.local

    I have a problem when entering the username/password of accounts in certain domains.
    MAP is installed in the Grandchild1 domain. I have no problems scanning this domain, either by Active Directory or Windows Networking.

    However, I get the error "Login failure while connected to Active Directory, invalid username or password. Specify a valid user name and password and try again" when I enter Root\Root_Administrator or Child1\Child1_Administrator account details.

    I installed a packet sniffer, and I discovered that when I enter the Root\Root_Administrator details, what is actually sent over the network is Grandchild1\Root_Administrator.
    Put simply, in the "Domain Account" field it pays no attention to the DOMAIN when entering DOMAIN\User.
    Obviously it refuses to accept the userPrincipalName format.

    DNS and WINS resolution works fine. I can browse the NetBIOS domain names in Explorer without problems and DNS lookups correctly resolve the various domains. I have experienced this problem on both XP SP2 and Server 2003 R2.

    Bug? Is it worth opening a support incident?

    Thank you in advance,


    Phil.


    Thursday, July 30, 2009 7:20 AM

All replies

  • Hey Phil -

    Wanted to let you know that the team is looking into this issue.  Will likely be next week when we can respond.

    Thanks!
    Friday, July 31, 2009 8:31 PM
  • Some complementary information in case it helps, as I have found a workaround:

    1. Start a new database.

    2. Add each and every domain administrator (root, child1, child2, grandchild1, grandchild2...) to both BUILTIN\Users and BUILTIN\Administrators of the server hosting MAP.

    3. Set BUILTIN\Administrators to be SysAdmin in SQLExpress (not convinced this is completely necessary, but not tested all possibilities).

    4. Log on to server as the administrator of one of the domains.

    5. Run an AD scan (logon to forest root as the same administrator used for the session) and scan just their domain.

    6. Repeat 4 & 5 for each domain/administrator.

    Obviously there's still the underlying problem, but at least I can get the data.

    Regards.

    Saturday, August 1, 2009 10:06 AM
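    The workaround above as an added PowerShell script, not code from Phil's post or from the MAP team: it performs steps 2 and 3 (local group membership for each domain's administrator, BUILTIN\Administrators as sysadmin in SQL Express) and, with -Remove, reverses them once the per-domain scans are done. The domain list, the DOMAIN_Administrator account naming and the .\SQLEXPRESS instance name are assumptions taken from the thread's examples.

```powershell
# Added example (not from the original post). Applies, or with -Remove reverses,
# the MAP workaround from the thread. Domain names, the account naming pattern
# and the SQL Express instance name are assumptions; adjust them to your forest.
param(
    [string[]]$Domains = @('root', 'child1', 'grandchild1', 'child2', 'child3', 'grandchild3'),
    [string]$AccountSuffix = '_Administrator',   # e.g. Root\Root_Administrator (assumed)
    [string]$SqlInstance = '.\SQLEXPRESS',       # assumed instance name
    [switch]$Remove
)

$action = if ($Remove) { '/delete' } else { '/add' }

# Step 2: each domain administrator into BUILTIN\Users and BUILTIN\Administrators
# on the MAP host. net.exe is used because Add-LocalGroupMember does not exist
# on XP SP2 / Server 2003 R2, the systems mentioned in the thread.
foreach ($domain in $Domains) {
    $account = "$domain\$domain$AccountSuffix"
    foreach ($group in 'Users', 'Administrators') {
        & net localgroup $group $account $action | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "net localgroup $group $account $action failed (exit $LASTEXITCODE)"
        }
    }
}

# Step 3: BUILTIN\Administrators as sysadmin in SQL Express (reverse with sp_dropsrvrolemember).
# The login is created first in case setup did not add it; -E uses the current Windows session.
$proc = if ($Remove) { 'sp_dropsrvrolemember' } else { 'sp_addsrvrolemember' }
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'BUILTIN\Administrators')
    CREATE LOGIN [BUILTIN\Administrators] FROM WINDOWS;
EXEC $proc 'BUILTIN\Administrators', 'sysadmin';
"@
& sqlcmd -S $SqlInstance -E -Q $sql

# Show the resulting local Administrators membership so the grants can be verified.
& net localgroup Administrators
```

    Run it again with -Remove after the scans are collected, since the workaround otherwise leaves every domain's administrator account as a local administrator on the MAP host.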
  • Thanks Phil!

    We are in the process of testing a fix for this issue. 

    Once it's ready, would you be willing to test a pre-release version and provide feedback?

    Monday, August 3, 2009 11:30 PM
  • With pleasure...
    Tuesday, August 4, 2009 11:57 AM
  • Phil -

    Can you send your email address to me at mapfdbk@microsoft.com so that we can pass on the URL to get the QFE bits?

    Rob
    Friday, August 7, 2009 8:56 PM