AD working internally - Not authenticating against external copy - options to diagnose?


We have an internal domain controller I've been authenticating against for development. Externally, we use a read-only copy with a slightly different name. 

Internal: 

Since the username is the same, I thought simply changing it to the proper RODC would be all that's needed. 

Unfortunately it's not working. I've tested this connection in ADSIEdit and it's connecting as it should from both my local box and the DMZ box. Any tips on diagnosing what's actually going wrong? 

#178096
May 01, 2017 17:52

Hi,

Did you find and read these URLs?

http://world.episerver.com/Modules/Forum/Pages/Thread.aspx?id=43724&epslanguage=en

http://world.episerver.com/blogs/Daniel-Ovaska/Dates/2013/2/How-to-solve-problems-with-the-ActiveDirectoryMembershipProvider-and-similar-ldap-integrations/

LDAP browsers that you test with will usually connect without having 445 open which makes it even more difficult to solve problems.

#178097
May 01, 2017 22:12

Port 445 not being open was definitely one of the issues, thank you. I can get to the login screen now, but unfortunately it's still not authenticating. Going to see if it's possible to grab a log of the attempts from the RODC. 

#178134
May 02, 2017 18:25

Looking at the packets themselves gives this error: 

V80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 0, v2580.
#178142
May 02, 2017 23:45
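The two posts above (port 445 being blocked, and the AcceptSecurityContext error seen in the packets) are the kind of thing a DMZ-side bind test shows directly. The script below is an added example, not code from the thread or from Episerver: it checks the ports from the web server to the RODC, performs a Negotiate bind with System.DirectoryServices.Protocols (the same LDAP bind path a .NET membership provider uses), and decodes the "data NNN" sub-code from the server's error message. The hostname, domain name and port list are assumptions to replace with your own values.

```powershell
# Added diagnostic script (not from the original thread). The RODC hostname,
# NetBIOS domain and port list below are assumed values; replace them.
param(
    [string]$Server = 'rodc.example.com',     # assumed RODC hostname
    [string]$Domain = 'EXAMPLE',              # assumed NetBIOS domain name
    [int[]]$Ports   = @(88, 389, 636, 445)    # Kerberos, LDAP, LDAPS, SMB (445 per the thread)
)

# 1. Reachability from the DMZ box. An LDAP browser only needs 389/636 to
#    look connected; a Negotiate bind from the web server also needs the rest.
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
    '{0,-22} TCP/{1,-4} {2}' -f $Server, $p, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 2. Bind with the credentials the membership provider would use.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred    = Get-Credential -Message "Account to test against $Server"
$netCred = New-Object System.Net.NetworkCredential($cred.UserName, $cred.Password, $Domain)
$id      = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
$conn    = New-Object System.DirectoryServices.Protocols.LdapConnection(
               $id, $netCred, [System.DirectoryServices.Protocols.AuthType]::Negotiate)
$conn.SessionOptions.ProtocolVersion = 3

# Documented AcceptSecurityContext sub-codes (the "data NNN" part of the
# server message). "data 0", as reported in the thread, is not one of them.
$subCodes = @{
    '525' = 'user not found'
    '52e' = 'invalid credentials'
    '530' = 'not permitted to log on at this time'
    '531' = 'not permitted to log on from this workstation'
    '532' = 'password expired'
    '533' = 'account disabled'
    '701' = 'account expired'
    '773' = 'user must reset password'
    '775' = 'account locked out'
}

try {
    $conn.Bind()
    "Bind OK as $($cred.UserName) via $Server"
}
catch [System.DirectoryServices.Protocols.LdapException] {
    $msg = $_.Exception.ServerErrorMessage
    "Bind FAILED: $($_.Exception.Message)"
    "Server says: $msg"
    if ($msg -match 'data ([0-9a-fA-F]+)') {
        $code = $Matches[1].ToLower()
        if ($subCodes.ContainsKey($code)) {
            "Sub-code $code => $($subCodes[$code])"
        } else {
            "Sub-code $code is not a documented account-state code (not a plain bad-password or locked-account rejection)"
        }
    }
}
finally { $conn.Dispose() }
```

Run it on the DMZ web server itself, not from a workstation, since the firewall path is part of what is being tested; comparing the port results and the server error message from the internal box and the DMZ box side by side narrows the problem to either network reachability or the directory's own rejection.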

I'm assuming you already found this? http://stackoverflow.com/questions/31411665/ldap-error-code-49-80090308-ldaperr-dsid-0c0903a9-comment-acceptsecurityc

#178149
May 03, 2017 9:26

Yeah, that's a slightly different error though. I only found one unanswered question on StackOverflow that had this exact error/situation. Trying to get in contact with him now. 

#178183
May 03, 2017 18:56

Some time has passed with this issue. We ended up opening a ticket with Epi and also looked at a contractor to resolve this, but it's essentially dead in the water. Looking at another contractor as an option and possibly into ADFS as an alternative. 

#179847
Jun 22, 2017 23:51

Hey Eric,

Here are a couple of good articles about AD in a DMZ in which I hope you will find something interesting; please see

https://serverfault.com/questions/606210/allowing-ldap-authentication-from-dmz-to-active-directory-is-my-idea-secure

https://social.technet.microsoft.com/Forums/systemcenter/en-US/7b5a631c-a41b-406a-b690-076834338031/rodc-in-dmz?forum=winserverDS

Please keep us posted about your findings.

Thanks,

Nikolay.

#179862
Jun 23, 2017 14:54

Hi Erik,

You wrote that opening port 445 (related to trust relationships) slightly improved the situation and lets you get to the logon screen. Furthermore, I suspect the root of your issues is a broken trust relationship between domains (there are many cases that break it, i.e. DC reboots). Could you try to re-establish the trusts?

#179871
Jun 23, 2017 15:33