Last post Mar 12, 2006 01:11 PM by dunnry
Mar 01, 2006 03:48 AM|ub3rg00b3r|LINK
I have an ASP.NET 2.0 single sign-on application using the Active Directory membership provider. This app is used by a number of other apps as a global authenticator. It is based on the self-service model. Users are able to register, have their passwords reset if forgotten, change their passwords, and change their security question/answer.
In the configuration file, I specify my service account which has access to the OU in which my users reside. The service account will be used for Create New User and Reset Password, as the other functions are done when the user is already authenticated.
Works great. Rather, workED great.
Now here's the twist. After implementation, it worked for about a week, then I started getting the following error on Create New User and Reset Password: Logon failure: unknown user or bad password (Exception from HRESULT: 0x8007052E).
So in my troubleshooting I tried everything, even up to using a domain admin account to do this. Didn't work. Then about a week later, I thought I would try it, and sure enough it worked. I made sure that I was not running as admin, and I wasn't. Strange...
So now, 2 months (approx.) later, the issue reappears. Same error. My server and network teams have been on it. We've done traces to see which ports are open, and you name it.
ANY insight/direction will be useful.
P.S. In the security log of my DC, I do have a success logon/logoff entry for my service account... so it does try to log in to the DC. Not sure if that helps.
...in the twilight zone.
Mar 09, 2006 02:48 PM|ub3rg00b3r|LINK
Well, found the problem...
Kerberos auth has many authentication rules that must be met prior to authenticating accounts. One of them is that the two machines between which you are authenticating cannot be any more than 5 minutes apart. After reading about that, I checked my Prod Win 2000 environment. And sure enough my Web Server and DC were off, but only by about 2 mins 10 secs, so that rule should have passed. But following a hunch, in the fact that there is a time-based rule and my machines are out, I decided to sync the times based on the DC clocks. And bingo, it worked. So I have set up an auto time sync every day as a workaround for now.
So this does get my app back up and running but does leave a couple of questions:
1) Why was Kerberos failing considering the times were within the 5-minute window?
2) Why were the servers not automatically syncing anyway...
My server team will be getting back to me with these answers and I will post. But thankfully I am out of the twilight zone :-)
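As an added example, not code from this thread or from the poster's app, here is a small Python SNTP client that measures the offset between the local clock (the web server) and a time source (the DC) and flags it against the 5-minute Kerberos clock-skew tolerance the post describes. The DC hostname is a placeholder and the 300-second limit is the Windows domain default, assumed here; the offline test reply is constructed.

```python
import socket
import struct
import time

# Assumed: default maximum tolerable Kerberos clock skew on a Windows domain is 5 minutes.
KERBEROS_MAX_SKEW_SECONDS = 300
# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (integer seconds, 32-bit fraction) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def parse_sntp_offset(packet, t1, t4):
    """Clock offset (server minus client) in seconds, per RFC 4330, from a 48-byte SNTP reply.
    t1 = client send time, t4 = client receive time, both in Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    words = struct.unpack("!12I", packet[:48])
    t2 = ntp_to_unix(words[8], words[9])     # Receive Timestamp (server clock)
    t3 = ntp_to_unix(words[10], words[11])   # Transmit Timestamp (server clock)
    return ((t2 - t1) + (t3 - t4)) / 2


def within_kerberos_skew(offset_seconds, tolerance=KERBEROS_MAX_SKEW_SECONDS):
    """True when the measured skew is inside the tolerance Kerberos will accept."""
    return abs(offset_seconds) <= tolerance


def query_server_offset(host, port=123, timeout=3):
    """Send one SNTP client request to host (e.g. the DC) and return the measured offset."""
    request = b"\x1b" + 47 * b"\x00"   # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    return parse_sntp_offset(data, t1, t4)


def build_sntp_reply(server_unix_time):
    """Constructed server reply for offline testing: receive and transmit stamps both set."""
    secs = int(server_unix_time) + NTP_EPOCH_OFFSET
    frac = int((server_unix_time - int(server_unix_time)) * 2 ** 32)
    # Word 0: LI=0, VN=4, Mode=4 (server); root delay/dispersion, ref id, ref/originate stamps zero.
    return struct.pack("!12I", 0x24000000, 0, 0, 0, 0, 0, 0, 0, secs, frac, secs, frac)


if __name__ == "__main__":
    offset = query_server_offset("dc01.example.local")   # placeholder DC hostname
    print(f"offset vs DC: {offset:+.3f}s, kerberos ok: {within_kerberos_skew(offset)}")
```

The offline helper reproduces the post's 2 min 10 s gap (130 s), which sits inside the tolerance; a 400 s gap would be rejected.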
Mar 12, 2006 01:11 PM|dunnry|LINK