Johan, 

Thanks for pointing me to Wireshark. It uncovered an error I had in the string 
for the MS-AD server. It turns out that I did not need the domain information. 

Now I see handshaking between the two machines but no data being transferred 
between them. That seems odd. Could there be some protocol settings that I need 
to activate? I thought that capturing TCP would be sufficient for me to view 
the interactions between the two machines. 

Any thoughts where I might look? 

Thanks, 
Marianne 

----- Original Message ----- 
From: "Johan Reinalda" <[email protected]> 
To: [email protected] 
Sent: Tuesday, January 26, 2010 7:25:25 AM 
Subject: Re: [cas-user] FastBind failure 

>> Also, I was wondering which registry parameters to set on the Microsoft 
>> AD 
>> Server so that I can see what the Active Directory is seeing during the 
>> transaction? 

What we did during our debugging phase was to set up the CAS -> AD link to a 
single AD server, with LDAP in clear text (i.e. not LDAPS). Then we used 
packet captures on the Linux box running CAS and looked at the LDAP 
connections to our AD server with Wireshark (you could also do this on the 
AD server if you're more comfortable there). Once we got everything working 
we installed an SSL cert on the AD servers, reconfigured the CAS LDAP 
context source beans to use LDAPS, and now our LDAP binds and queries are 
secured. 

Johan 


----- Original Message ----- 
From: "Marvin Addison" <[email protected]> 
To: <[email protected]> 
Sent: Tuesday, January 26, 2010 7:05 AM 
Subject: Re: [cas-user] FastBind failure 


>> 2010-01-25 13:16:11,994 DEBUG 
>> [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - 
>> Performing 
>> LDAP bind with credential: sAMAccountName=mtromp, 
>> cn=Users,dc=ci,dc=ventura,dc=ca,dc=us 
> 
> I noted there is a space in the DN above. Could you change the filter 
> property of the fast bind handler such that there are no spaces and 
> try again? 
> 
>> Also, I was wondering which registry parameters to set on the Microsoft 
>> AD 
>> Server so that I can see what the Active Directory is seeing during the 
>> transaction? 
> 
> I asked our Microsoft domain admins and they said there is an "audit 
> failed authentication" security policy you can enable to see more 
> detail in the security log. I believe 
> http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html 
> shows a screenshot. They claimed that failures include an error code 
> that you can search for that will indicate the exact cause of failure. 
> I don't know whether those codes are LDAP error codes or not 
> (http://support.microsoft.com/kb/218185); if they are LDAP codes I 
> would expect one of the following: 
> 
> - 0x31 (49) - Bad credential (wrong password) 
> - 0x20 (32) - Object not found (can't find the DN you provided) 
> 
> M 
> 
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected] 
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user 


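The two bind failures Marvin lists above (result codes 49 and 32), as they appear in the kind of plaintext capture Johan describes. This is an added example and not code from CAS or from anyone in the thread: a small Python decoder for the BER-encoded LDAP BindResponse (layout per RFC 4511), which maps the resultCode and, for Active Directory, the "data NNN" sub-code in the diagnostic message to a readable cause. The sample reply bytes are constructed inline; the AD sub-code table is the well-known AcceptSecurityContext set, and the DSID value in the sample is illustrative.

```python
"""
Decode an LDAP BindResponse as seen on the wire (what Wireshark's LDAP
dissector shows for a plaintext bind) and explain the failure.

Added example, not code from CAS or from the thread.  BER layout per
RFC 4511; AD "data NNN" sub-codes are the AcceptSecurityContext values.
Sample bytes below are constructed; the DSID in them is illustrative.
"""
import re

# RFC 4511 resultCode values a simple bind commonly returns
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject (the bind DN does not exist)",
    34: "invalidDNSyntax",
    49: "invalidCredentials (wrong password, or AD rejected the account)",
    53: "unwillingToPerform",
}

# Active Directory sub-codes carried in diagnosticMessage as "data NNN"
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, next_pos).
    Handles short-form and the long-form lengths LDAP actually uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one BER TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(lb)]) + lb
    return header + value


def build_bind_response(message_id, result_code, diagnostic, matched_dn=b""):
    """Build an LDAPMessage carrying a BindResponse (sample data only)."""
    body = (_tlv(0x0A, bytes([result_code]))      # resultCode ENUMERATED
            + _tlv(0x04, matched_dn)              # matchedDN LDAPDN
            + _tlv(0x04, diagnostic))             # diagnosticMessage
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, body))


def decode_bind_response(raw):
    """Parse an LDAPMessage and return a dict describing the bind result.
    Raises ValueError if the message is not a BindResponse."""
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:                            # [APPLICATION 1] BindResponse
        raise ValueError("protocolOp is not BindResponse (tag 0x%02x)" % op_tag)
    _, rc, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    code = int.from_bytes(rc, "big")
    diag_text = diag.decode("utf-8", "replace")
    sub = re.search(r"\bdata ([0-9a-f]+)\b", diag_text)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": code,
        "result": LDAP_RESULT_CODES.get(code, "other (%d)" % code),
        "matched_dn": matched.decode("utf-8", "replace"),
        "ad_subcode": sub.group(1) if sub else None,
        "ad_reason": AD_BIND_SUBCODES.get(sub.group(1)) if sub else None,
    }


# Constructed sample: AD "invalid credentials" with sub-code 52e
# (the DSID is illustrative, not taken from a real server).
SAMPLE_52E = build_bind_response(
    2, 49,
    b"80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
    b"error, data 52e, v1db1")
# Constructed sample: the bind DN was not found (no AD sub-code present).
SAMPLE_NO_OBJECT = build_bind_response(3, 32, b"")

if __name__ == "__main__":
    for sample in (SAMPLE_52E, SAMPLE_NO_OBJECT):
        print(decode_bind_response(sample))
```

To use it on a real capture, export the bytes of the BindResponse packet from Wireshark (the LDAP dissector only decodes the plaintext port-389 traffic Johan describes; once the link is switched to LDAPS the response is inside TLS and the result code has to be read from the CAS debug log instead) and pass them to decode_bind_response.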
