Problem with LDAP

  • Question

  • Hi,

    I have a 2016 active directory with 8 domain controllers.

    I am experiencing a rare behaviour with ldap queries. Those 8 domain controllers belong to 4 sites, 2 dc's to each. In main Site, I have the FSMO holder and another DC. In that site, I have an application which queries active directory users through LDAP. The application lets point to just one server.

    I have pointed the application to the first server, VDCCPD01, and it worked perfectly. Some time after, user authentication began to fail. I pointed the application to the second server, VDCCPD02, and it worked again. Some time after, it failed again, and I pointed back to server 1 and it works again.

    With LDAP explorer, I have configured a connection. When I try to connect against the fail server, I get this:

    The message says at the end 'The requested operation could not be completed because the user has not been authenticated'.

    If I try the same configuration against the working server, the connection establishes well.

    I need to identify and correct the cause of these alternating failures, because I cannot have users complaining every so often that they cannot log in to the application, and having to change the query in order to make it work again. But I cannot find the reason for this behaviour.

    Thursday, July 9, 2020 11:51 AM

Answers

  • OK, I misinterpreted that screenshot, sorry for that.

    The next time you get this error in LDAP Admin, try disabling 'follow referrals' and see if this helps. If it does, you would need to do this on the application side as well.

    What you might also want to try out is putting in the domain FQDN instead of a specific DC.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Friday, July 10, 2020 7:13 AM

All replies

  • Hi,

    I've seen a similar one a couple of years ago. Would 'some time after' by any chance be around 10 hours? Then the application is not re-authenticated after the Kerberos ticket has expired.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Thursday, July 9, 2020 9:21 PM
  • I am not sure, but I would say that it has been more time. VDCCPD02 has been working well for days, the same time that VDCCPD01 was working badly. But I will test them every day to try to measure the time, if it happens again.

    The workflow is as follows: The application is a web page application with a login form. There is a configuration which, by means of an LDAP query, allows users from a group to log in to the application. So the user puts his Active Directory user name and password in the form, the server asks the domain controller by that LDAP query whether the user belongs to the group, and if so, lets him enter.

    If the problem is the expiration of the Kerberos ticket, what would be the solution? And also, why does the ldapbrowser throw that error when asked against the faulty domain controller? (It is completely independent from the application; even executing it from the domain controller the error is the same.)

    Friday, July 10, 2020 6:30 AM
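The login flow described in the post above (bind with the user's own credentials, then check group membership) combined with the two changes the accepted answer recommends (target the domain FQDN rather than one hard-coded DC, and do not chase referrals) can be exercised from PowerShell with System.DirectoryServices.Protocols. This is an added example, not code from the thread or from the asker's application; the domain name, search base and group DN are placeholders.

```powershell
# Added example (not from the thread): authenticate a web-app user against AD over LDAP
# and check group membership, applying the two suggestions from the accepted answer:
#  - connect to the domain FQDN so the DC locator picks a live DC instead of one fixed server
#  - set ReferralChasing to None so a referral is never followed as a separate, unauthenticated hop
# 'corp.example.com', the search base and the group DN are placeholders, not values from the thread.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # Escape a value before interpolating it into an LDAP filter (RFC 4515), backslash first.
    param([string] $Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
                   -replace '\)', '\29' -replace "`0", '\00')
}

function Test-LdapGroupLogin {
    param(
        [Parameter(Mandatory)] [string] $Domain,          # e.g. 'corp.example.com' (placeholder)
        [Parameter(Mandatory)] [string] $SearchBase,      # e.g. 'DC=corp,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $GroupDn,         # DN of the group allowed to log in
        [Parameter(Mandatory)] [pscredential] $UserCredential
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Domain, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.SessionOptions.Signing = $true    # sign and seal the session; switch to port 636 with
    $conn.SessionOptions.Sealing = $true    # SecureSocketLayer = $true if policy requires LDAPS
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Timeout  = [TimeSpan]::FromSeconds(10)

    try {
        # A fresh bind per login attempt: nothing is cached that could outlive a Kerberos ticket.
        $conn.Bind($UserCredential.GetNetworkCredential())
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Verbose "Bind failed: $($_.Exception.Message) (LDAP error $($_.Exception.ErrorCode))"
        $conn.Dispose()
        return $false
    }

    # Strip a DOMAIN\ prefix, then escape both user-controlled and configured values.
    $sam        = ConvertTo-LdapFilterValue ($UserCredential.UserName.Split('\')[-1])
    $groupValue = ConvertTo-LdapFilterValue $GroupDn
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership server-side.
    $filter = "(&(objectClass=user)(sAMAccountName=$sam)(memberOf:1.2.840.113556.1.4.1941:=$groupValue))"

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $SearchBase, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('distinguishedName'))
    $resp = [System.DirectoryServices.Protocols.SearchResponse] $conn.SendRequest($req)
    $conn.Dispose()

    # Exactly one entry means the bind succeeded and the user is (directly or transitively) in the group.
    return ($resp.Entries.Count -eq 1)
}

# Usage (from a domain-joined host; the values are placeholders):
# $cred = Get-Credential   # enter DOMAIN\user or user@domain
# Test-LdapGroupLogin -Domain 'corp.example.com' -SearchBase 'DC=corp,DC=example,DC=com' `
#     -GroupDn 'CN=App Users,OU=Groups,DC=corp,DC=example,DC=com' -UserCredential $cred -Verbose
```

Running this with `-Verbose` against the domain name, and then again with `-Domain` set to the DC that is misbehaving, shows whether a bind failure or a referral is behind the 'user has not been authenticated' message the LDAP browser reports; the same two settings (domain FQDN, no referral chasing) are what the application's own LDAP client would need.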
  • I have tested again, but now both servers work correctly. I have left just the domain name in the query. I will see how it goes.

    Thanks.

    I will come back if it happens again.

    Friday, July 10, 2020 8:06 AM