The specified Directory Service has denied access

Discussion in 'Active Directory' started by Lady Frances, May 17, 2006.

  1. Lady Frances


    I have installed ADAM on a front-end server which is in the DMZ.
    There is no problem accessing the ldap directory from our network i.e. when
    one is logged onto the domain.

    But when trying to access the directory from the internet (using wab), I get
    the following error: "The specified Directory Service has denied access.
    Check the Properties for this Directory Service and verify that your
    Authentication Type settings and parameters are correct."

    I noticed that the system hosting ADAM uses the client's Windows logon
    information and not the Directory Service Account information. The event
    viewer shows this:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 17.05.2006
    Time: 10:05:38
    User: NT AUTHORITY\SYSTEM
    Computer: [Server hosting the ADAM instance]
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: [Windows XP logon username]
    Domain: [Client workstation name]
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM

    Is there any specific configuration I need to enable the ldap directory to
    be accessed using the credentials provided as the Directory's Service
    Account, regardless of what information is used to log onto the Windows
    session?

    Thanks in advance,
    Frances
     
    Lady Frances, May 17, 2006
    #1
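The Event ID 529 entry above is the diagnostic clue: the client forwarded its local workstation logon over NTLM (Domain field = workstation name) instead of the address-book service account. The parser and classifier below are an added example, not part of the original post, using a constructed event with the bracketed placeholders filled in (CORPDOM, WS-LAPTOP01, jdoe, svc-addressbook are all invented names).

```python
import re

# Constructed sample modelled on the post's Event ID 529 text. The names are
# made up: CORPDOM is the AD domain, WS-LAPTOP01 a non-domain client, jdoe
# the user's local Windows logon, svc-addressbook the Directory Service account.
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 17.05.2006
Time: 10:05:38
User: NT AUTHORITY\\SYSTEM
Computer: ADAM-DMZ01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: jdoe
Domain: WS-LAPTOP01
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
"""


def parse_event(text):
    """Turn the 'Key: Value' lines of a legacy Security event into a dict.
    Lines with an empty value (e.g. 'Description:') are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line.strip())
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def classify_logon_failure(fields, expected_domains, service_account):
    """Label a 529 failure by what the client actually presented to ADAM.

    workstation_credentials_forwarded: NTLM network logon whose Domain field is
    not one of the forest's domains, i.e. the client sent its own Windows
    session (the symptom in the post) rather than the configured account.
    service_account_rejected: the intended account was sent but refused."""
    if fields.get("Event ID") != "529":
        return "not_logon_failure"
    domain = fields.get("Domain", "").upper()
    known = {d.upper() for d in expected_domains}
    ntlm_network = (fields.get("Authentication Package") == "NTLM"
                    and fields.get("Logon Type") == "3")
    if ntlm_network and domain not in known:
        return "workstation_credentials_forwarded"
    if fields.get("User Name", "").lower() == service_account.lower():
        return "service_account_rejected"
    return "other_failure"
```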

  2. Hello, to allow anonymous connection to the ADAM instance application
    directory partition you will need to modify dsHeuristics setting for
    the instance. See:

    ADAM Help File
    How To section
    Manage an ADAM instance
    Allow anonymous LDAP binding to an ADAM instance


    You then need to modify the ACEs on the partition entries using
    DSACLs or by adding a security principal to one of the ADAM builtin
    roles for the partition e.g. Readers role.



    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services


    No email replies please - reply in the newsgroup
     
    chriss3 [MVP], May 18, 2006
    #2

  3. Lady Frances


    Thank you for your answer, Christoffer.

    The thing is I do not wish to enable anonymous ldap binding (unless I have
    misunderstood the word and that "anonymous" means that the user is not
    authenticated in any domain).

    What I am trying to achieve is the ldap directory to be available to users
    (who belong to the AD forest and) who have provided their username and
    password in the address book account. They would be able to access the ldap
    directory although they are not logged onto a domain. Is this possible?


    Another thing is that the dsHeuristics setting for the instance is not set.
    Is that normal? And, as I cannot modify the value of the seventh character,
    should I set the value to 0000002001001?


    As you might have gathered, I am quite new in the field so any help would be
    greatly appreciated.

    Frances

     
    Lady Frances, May 19, 2006
    #3
  4. You have to give Authenticated Users in your Domain/Forest read rights on
    the particular partitions in ADAM you wish them to be able to read.

    dsHeuristics displaying as not set by default is normal; only flip the bits
    you need to flip for a particular reason, otherwise leave it at the default,
    since each bit controls how a different function in the directory service
    behaves.

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services


    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Resources

     
    chriss3 [MVP], May 19, 2006
    #4
  5. Lady Frances


    Well, they do. But still the same message: "The specified Directory Service
    has denied access. Check the Properties for this Directory Service and verify
    that your Authentication Type settings and parameters are correct."

    Regards,
    Frances

     
    Lady Frances, May 22, 2006
    #5