Windows 2000 AD is wide open compared to Windows 2003. The lack of anonymous access is most likely the reason why your app can’t read group memberships. This is assuming that it’s trying to query the AD using LDAP. It would probably have more success if it used Windows API calls to list groups in the security token.

 

This lack of anonymous access also breaks automatic referral chasing when you use a simple bind. The problem was that on LDAP simple binds, the referrals were chased using anonymous access. Works in vanilla Windows 2000 AD, doesn’t in Windows 2003. You can see the behavior for yourself if you use LDP to bind to a DC in a child domain of a multi domain forest using UPN rather than username and domain. Turn on the chase referrals option and search from the forest root for just about anything. You should get an interesting error.

 

res = ldap_simple_bind_s(ld, '[EMAIL PROTECTED]', <unavailable>); // v.3

Authenticated as dn:'[EMAIL PROTECTED]'.

***Searching...

ldap_search_ext_s(ld, "DC=***,DC=***", 1, "DC=FOO", attrList,  0, svrCtrls, ClntCtrls, 600, 0 ,&msg)

Error: Search: Operations Error. <1>

Server error: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

Result <1>: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

Matched DNs:

Getting 0 entries:

 

This doesn’t happen with vanilla Windows 2000 because anonymous access is on by default. Also doesn’t happen when you bind using username and domain which causes LDP to use a regular bind so that it can specify the special NTAuthIdentity structure.

 

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3

            {NtAuthIdentity: User='xxx'; Pwd= <unavailable>; domain = '***'.}

Authenticated as dn:'leew'.

***Searching...

ldap_search_ext_s(ld, "DC=***,DC=***", 1, "DC=foo", attrList,  0, svrCtrls, ClntCtrls, 600, 0 ,&msg)

Result <0>:

Matched DNs:

Getting 0 entries:

 

Neat trick, eh?

 

Wook
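An added example, not code from Wook's post or from LDP, that reproduces the two binds above from PowerShell with System.DirectoryServices.Protocols (the .NET layer over the same wldap32 calls); the DC name, base DN, user and domain below are placeholders to replace with values from a test forest.

```powershell
using namespace System.DirectoryServices.Protocols
using namespace System.Net
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Placeholders (assumptions, not values from the thread): a DC in a child domain,
# the forest-root naming context, and a user of the child domain.
$ChildDc      = 'dc1.child.example.test'
$ForestRootDn = 'DC=example,DC=test'
$Upn          = 'leew@child.example.test'
$User         = 'leew'
$Domain       = 'child'
$Password     = Read-Host -Prompt "Password for $Upn" -AsSecureString

function Test-ForestRootSearch {
    param([string]$Server, [string]$BaseDn, [AuthType]$AuthType, [NetworkCredential]$Credential)

    $conn = [LdapConnection]::new([LdapDirectoryIdentifier]::new($Server, 389))
    $conn.SessionOptions.ProtocolVersion = 3          # the "// v.3" in the LDP trace
    # Same as LDP's "chase referrals" option: follow the referral the child DC
    # returns for the forest-root naming context.
    $conn.SessionOptions.ReferralChasing = [ReferralChasingOptions]::All
    $conn.AuthType   = $AuthType
    $conn.Credential = $Credential
    try {
        $conn.Bind()
        $req  = [SearchRequest]::new($BaseDn, '(objectClass=domainDNS)', 'Subtree', [string[]]'dc')
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{ AuthType = $AuthType; Outcome = 'OK'; Entries = $resp.Entries.Count }
    } catch [DirectoryOperationException] {
        # The "Operations Error ... a successful bind must be completed" case from the
        # LDP trace lands here when the referred connection was opened anonymously.
        [pscustomobject]@{ AuthType = $AuthType; Outcome = $_.Exception.Response.ResultCode; Entries = 0 }
    } catch [LdapException] {
        [pscustomobject]@{ AuthType = $AuthType; Outcome = "LDAP error $($_.Exception.ErrorCode)"; Entries = 0 }
    } finally {
        $conn.Dispose()
    }
}

# 1) Simple bind with a UPN (ldap_simple_bind_s): the referral is chased anonymously,
#    so on a Windows 2003 forest root expect the Operations Error from the trace.
Test-ForestRootSearch $ChildDc $ForestRootDn ([AuthType]::Basic) `
    ([NetworkCredential]::new($Upn, $Password))

# 2) Negotiate bind with user + domain (ldap_bind_s with an NtAuthIdentity and
#    LDAP_AUTH_NEGOTIATE, the 1158 in the trace): the credentials are reused on the
#    referred connection, so the same search succeeds.
Test-ForestRootSearch $ChildDc $ForestRootDn ([AuthType]::Negotiate) `
    ([NetworkCredential]::new($User, $Password, $Domain))
```

Each call returns one object with the bind type and the outcome, so the two rows side by side show the difference Wook describes.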

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, January 04, 2006 10:08 AM
To: [email protected]
Subject: Re: [ActiveDir] migration question(ot)

 

yup

On 1/4/06, Carerros, Charles <[EMAIL PROTECTED]> wrote:

Tom,

 

Did you enable SID History on the W2K3 domain?

 

Charlie

 


From: Tom Kern [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 04, 2006 11:35 AM
To: activedirectory
Subject: [ActiveDir] migration question(ot)

 

I have a user/PC I migrated from a win2k native forest to a win2k3 FFL forest.

 

He is running a local version of IBM Websphere which runs under a local machine account.

 

When he logs into the old forest, all is well.

 

When he logs into the new forest, the app spits out an error that the Websphere account can't read the group membership of the user's domain account.

 

Now, I don't understand how the local account is able to read the user's membership in AD in the old domain unless it's due to the "anonymous" user being in the "everyone" group in win2k?

 

Is that it?

 

Is it the heightened security in win2k3 that I'm encountering here?

 

I know I should just create a domain account for the service and give it rights to read the user's group membership, but I'm just wondering why it works in the Win2k forest but not the Win2k3 forest.

 

Thanks.
