Windows 2000 AD is wide open compared to Windows 2003. The lack of anonymous access is most likely the reason why your app can't read group memberships. This is assuming that it's trying to query the AD using LDAP. It would probably have more success if it used Windows

This lack of anonymous access also breaks automatic referral chasing when you use a simple bind. The problem was that on LDAP simple binds, the referrals were chased using anonymous access. Works in vanilla Windows 2000 AD, doesn't in Windows 2003. You can see the behavior for yourself if you use

    res = ldap_simple_bind_s(ld, '[EMAIL PROTECTED]', <unavailable>); // v.3
    Authenticated as dn:'[EMAIL PROTECTED]'.
    ***Searching...
    ldap_search_ext_s(ld, "DC=***,DC=***", 1, "DC=FOO", attrList, 0, svrCtrls, ClntCtrls, 600, 0 ,&msg)
    Error: Search: Operations Error. <1>
    Server error: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
    Result <1>: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
    Matched DNs:
    Getting 0 entries:

This doesn't happen with vanilla Windows 2000 because anonymous access is on by default. Also doesn't happen when you bind using username and domain, which causes

    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
    {NtAuthIdentity: User='xxx'; Pwd= <unavailable>; domain = '***'.}
    Authenticated as dn:'leew'.
    ***Searching...
    ldap_search_ext_s(ld, "DC=***,DC=***", 1, "DC=foo", attrList, 0, svrCtrls, ClntCtrls, 600, 0 ,&msg)
    Result <0>:
    Matched DNs:
    Getting 0 entries:

Neat trick, eh?

Wook
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern

yup

On

Tom,

Did you enable

Charlie

From: Tom Kern [mailto:[EMAIL PROTECTED]]
I have a user/pc I migrated from a win2k native forest to a win2k3 FFL forest. He is running a local version of

When he logs into the old forest, all is well. When he logs into the new forest, the app spits out an error that the Websphere account can't read the group membership of the user's domain account. Now, I don't understand how the local account is able to read the user's membership in AD in the old domain unless it's due to the "anonymous" user being in the "everyone" group in win2k? Is that it? Is it the heightened security in win2k3 that I'm encountering here?

I know I should just create a domain account for the service and give it rights to read the user's group membership, but I'm just wondering why it works in the Win2k forest but not the Win2k3 forest.

Thanks.
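Added example, not part of the thread and not code from Wook or Tom: a small Python parser for the AD diagnostic strings that ldp.exe prints in Wook's two sessions ("<win32 error>: LdapErr: DSID-..., comment: ..., data <hex>, v<hex build>"), plus a triage routine that turns the combination of bind method, LDAP result code and diagnostic into the same conclusion Wook draws by eye: a search that fails with "a successful bind must be completed" after a simple bind means the operation (here, a chased referral) went out without credentials, and an authenticated bind is the fix. The sample lines are constructed to match the shape quoted above, the function names are my own, and the decoding of the trailing "vece" as a hexadecimal OS build number (0xECE = 3790, the Windows Server 2003 build) and of the "data" field as a hexadecimal Win32 error code are my assumptions about the format, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample diagnostics, shaped like the ldp.exe output quoted in the thread.
# The second line uses a placeholder DSID; DSIDs are internal server source identifiers.
SAMPLE_UNBOUND = ("00000000: LdapErr: DSID-0C090627, comment: In order to perform this "
                  "operation a successful bind must be completed on the connection., data 0, vece")
SAMPLE_BAD_CREDS = ("8009030C: LdapErr: DSID-0C09XXXX, comment: AcceptSecurityContext error, "
                    "data 52e, vece")

# Assumed layout of the AD diagnostic string (my reading of the quoted output):
#   <8 hex Win32 error>: LdapErr: DSID-<8 hex>, comment: <text>, data <hex>, v<hex build>
DIAG_RE = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Za-z]{8}), "
    r"comment: (?P<comment>.*), data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)$"
)

# Assumption: the "v" suffix is the DC's OS build number in hex. Known RTM builds.
KNOWN_BUILDS = {2195: "Windows 2000", 3790: "Windows Server 2003"}

# Well-known Win32 logon error codes that appear in the "data" field of
# "AcceptSecurityContext error" diagnostics (hex in the message, decimal here).
LOGON_DATA_CODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (logon failure)",
    0x530: "not permitted to logon at this time",
    0x531: "not permitted to logon from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

LDAP_OPERATIONS_ERROR = 1  # LDAP result code shown as "<1>" in the thread


@dataclass
class AdDiagnostic:
    win32_error: int
    dsid: str
    comment: str
    data: int
    build: int

    def os_name(self) -> str:
        return KNOWN_BUILDS.get(self.build, f"unknown build {self.build}")


def parse_ad_diagnostic(msg: str) -> Optional[AdDiagnostic]:
    """Parse one AD 'LdapErr' diagnostic string; None if it does not match the layout."""
    m = DIAG_RE.match(msg.strip())
    if not m:
        return None
    return AdDiagnostic(
        win32_error=int(m["win32"], 16),
        dsid=m["dsid"].upper(),
        comment=m["comment"].strip(),
        data=int(m["data"], 16),
        build=int(m["build"], 16),
    )


def triage(bind_method: str, result_code: int, diag: Optional[AdDiagnostic]) -> str:
    """Classify a failed search the way Wook does: bind_method is 'simple' or
    'negotiate' (ldap_bind_s with method 1158 = LDAP_AUTH_NEGOTIATE)."""
    if result_code == 0:
        return "ok"
    if diag is None:
        return f"ldap result {result_code}, no server diagnostic"
    if diag.comment.startswith("In order to perform this operation a successful bind"):
        if bind_method == "simple" and result_code == LDAP_OPERATIONS_ERROR:
            return ("operation sent without credentials (e.g. referral chased anonymously "
                    "after a simple bind); anonymous access is off on " + diag.os_name()
                    + ", use an authenticated bind")
        return "server saw no completed bind on this connection"
    if diag.comment.startswith("AcceptSecurityContext error"):
        return "bind rejected: " + LOGON_DATA_CODES.get(diag.data, f"logon error 0x{diag.data:x}")
    return "unclassified: " + diag.comment


if __name__ == "__main__":
    d = parse_ad_diagnostic(SAMPLE_UNBOUND)
    print(d.os_name(), "|", triage("simple", 1, d))
    print(triage("negotiate", 49, parse_ad_diagnostic(SAMPLE_BAD_CREDS)))
```

The parser is deliberately strict about the layout, so a garbled or truncated diagnostic yields None instead of a misleading classification; the triage string for the simple-bind case is what a service account's log should say before someone concludes that the directory itself is broken.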
