- ADAM User Proxy Object Creation Error
- Posted by Ryan on January 21st, 2004
Hello,
I am having a problem creating an ADAM user proxy object. I have been following the instructions listed in the Step-by-Step Reviewers Guide and cannot get LDP to create the user.
In LDP I am trying to do an ldap_add_s with the DN cn=adam_user_proxy,o=company,c=us and two attributes, objectclass: userproxy and objectsid: s-1-5-21-xx-xx-xx (the actual SID of the AD user). When I perform this add I get this output:
***Calling Add...
ldap_add_s(ld, "cn=adam_user_proxy,o=company,c=us", [2] attrs)
Error: Add: Unwilling To Perform. <53>
Server error: 000020E7: SvcErr: DSID-03152972, problem 5003 (WILL_NOT_PERFORM), data 1317
Error 0x20E7 The modification was not permitted for security reasons.
Our environment is a workgroup server and I am using local security creds for the administrator of the server. I have not loaded MS-user.ldf, but have loaded MS-userproxy.ldf. Userproxy is a defined object class in the schema and objectsid is a defined attribute in the schema.
Any Ideas?
Thanks for your help!
- Posted by Dmitri Gavrilov [MSFT] on January 22nd, 2004
The error is 1317 ERROR_NO_SUCH_USER. ADAM cannot resolve the supplied SID
to a user object. Note that it expects a binary SID. From LDP, you can
supply it as
\SID:S-1-5-XXX-XXX-XXX-XXX (without quotes, as the objectSid attribute value).
Also note that ADAM needs to be able to resolve this SID to a user object.
Thus, it must be a local user SID, or the SID of a user in the domain that
the ADAM machine is joined to, or in a trusted domain/forest.
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
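The conversion Dmitri describes, as an added example that is not part of the thread and not Microsoft's LDP code: the script encodes a textual SID into the binary objectSid layout that LDP's \SID: shortcut produces for you (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities), decodes it back so the value can be checked, and writes the userProxy add as an LDIF record in the base64 form that LDIFDE accepts. The DN is the one from Ryan's post; the SID value and the function names are constructed for this example. Note that a correctly encoded SID still fails with data 1317 when the ADAM server cannot resolve it, as the rest of the thread explains; encoding only removes the format problem.

```python
import base64
import struct

# Sample values constructed for this example. The DN is the one from the
# thread; the SID is made up and belongs to no real account.
EXAMPLE_DN = "cn=adam_user_proxy,o=company,c=us"
EXAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1013"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID as the binary SID structure stored in objectSid:
    revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then each sub-authority as little-endian uint32."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError(f"sub-authority too large: {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with a length check so a truncated value is
    rejected instead of silently producing a wrong SID."""
    if len(raw) < 8:
        raise ValueError("binary SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join(f"-{s}" for s in subs))


def user_proxy_ldif(dn: str, sid: str) -> str:
    """Build an LDIF add record for an ADAM userProxy object. objectSid is an
    octet-string attribute, so LDIF carries it base64-encoded (the '::' form)."""
    encoded = base64.b64encode(sid_to_bytes(sid)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        "objectClass: userProxy",
        f"objectSid:: {encoded}",
        "",
    ])


def sid_from_ldif(ldif: str) -> str:
    """Read the objectSid back out of an LDIF record and render it as text,
    which is how you would verify what a tool is actually going to send."""
    for line in ldif.splitlines():
        if line.lower().startswith("objectsid:: "):
            return bytes_to_sid(base64.b64decode(line.split(" ", 1)[1]))
    raise ValueError("no base64 objectSid in record")


if __name__ == "__main__":
    print(user_proxy_ldif(EXAMPLE_DN, EXAMPLE_SID))
    print("binary objectSid:", sid_to_bytes(EXAMPLE_SID).hex())
```

Feeding the placeholder from the original post (s-1-5-21-xx-xx-xx) to sid_to_bytes raises ValueError rather than producing bytes, which is the behaviour you want from any tool that builds directory writes from operator input.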
- Posted by Kannan C. Iyer [MSFT] on January 22nd, 2004
The "data" mentioned at the end of the server error is the server error
number, in this case 1317. You can get the text by running:
net helpmsg 1317
The specified user does not exist.
Check the SID: either the SID is not valid or it has not been specified
properly.
--
Kannan C. Iyer
Program Manager, Directory Services
Microsoft Corporation
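An added example, not from the thread: a small parser for the two diagnostic lines LDP prints (the LDAP result code in angle brackets, and the "Server error" line with its DSID, problem and data fields) that pulls out the data value Kannan refers to and maps it to the Win32 error text. The sample input is the LDP output from Ryan's post; the message table holds only the two codes that appear in this thread, and on Windows `net helpmsg` or FormatMessage supplies the rest. The function and table names are my own.

```python
import re

# LDP output as pasted in the thread, kept here as the sample input.
SAMPLE_LDP_OUTPUT = """***Calling Add...
ldap_add_s(ld, "cn=adam_user_proxy,o=company,c=us", [2] attrs)
Error: Add: Unwilling To Perform. <53>
Server error: 000020E7: SvcErr: DSID-03152972, problem 5003 (WILL_NOT_PERFORM), data 1317
Error 0x20E7 The modification was not permitted for security reasons."""

# Win32 error names and texts for the two codes in this thread (the text is
# what `net helpmsg <code>` prints). Extend this, or call FormatMessage on
# Windows, for other codes.
WIN32_MESSAGES = {
    1317: ("ERROR_NO_SUCH_USER", "The specified user does not exist."),
    0x20E7: ("ERROR_DS_UNWILLING_TO_PERFORM",
             "The modification was not permitted for security reasons."),
}

# "Error: <operation>: <result text>. <ldap result code>"
LDAP_RESULT_RE = re.compile(
    r"^Error:\s*(?P<op>\w+):\s*(?P<text>.*?)\.?\s*<(?P<code>\d+)>", re.MULTILINE)

# "Server error: <win32 hex>: SvcErr: DSID-<hex>, problem <n> (<NAME>), data <n>"
EXTENDED_RE = re.compile(
    r"Server error:\s*(?P<win32>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*problem\s+(?P<problem>\d+)\s*\((?P<pname>\w+)\),\s*data\s+(?P<data>-?\d+)")


def parse_ldp_error(text: str) -> dict:
    """Pull the structured fields out of LDP's error output. Fields that are
    not present in the text are simply absent from the returned dict."""
    result = {}
    m = LDAP_RESULT_RE.search(text)
    if m:
        result["operation"] = m["op"]
        result["ldap_result"] = int(m["code"])
        result["ldap_text"] = m["text"]
    m = EXTENDED_RE.search(text)
    if m:
        data = int(m["data"])
        name, msg = WIN32_MESSAGES.get(data, (None, None))
        result.update(
            win32_error=int(m["win32"], 16),   # 0x20E7 here
            error_kind=m["kind"],              # SvcErr
            dsid=m["dsid"],
            problem=int(m["problem"]),
            problem_name=m["pname"],
            data=data,                          # the Win32 code Kannan decodes
            data_name=name,
            data_text=msg,
        )
    return result


def explain(text: str) -> str:
    """One-line summary of parse_ldp_error, suitable for a log or a ticket."""
    r = parse_ldp_error(text)
    if "ldap_result" not in r and "problem" not in r:
        return "no LDP error lines found"
    parts = []
    if "ldap_result" in r:
        parts.append(f"LDAP result {r['ldap_result']} ({r['ldap_text']})")
    if "problem" in r:
        parts.append(f"DS problem {r['problem']} {r['problem_name']}")
        detail = (f" {r['data_name']}: {r['data_text']}" if r["data_name"]
                  else " (unknown Win32 code)")
        parts.append(f"data {r['data']}" + detail)
    return "; ".join(parts)


if __name__ == "__main__":
    print(explain(SAMPLE_LDP_OUTPUT))
```

The point of decoding the data field separately is that the LDAP result (53, unwilling to perform) and the DS error text ("not permitted for security reasons") both look like a permissions problem, while the data value says the real cause: the SID did not resolve to any user.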
- Posted by Ryan on January 22nd, 2004
In your message you said:
Also note that ADAM needs to be able to resolve this SID to a user object.
Thus, it must be a local user sid, or a sid of a user in the domain where
ADAM machine is joined to, or in a trusted domain/forest.
So in our environment, since we are a standalone server that is not part of a domain and I am trying to leverage a proxy user based in an Active Directory domain that the server has no knowledge of, this should not work. So in effect we can only leverage a proxy object for an Active Directory user if the ADAM server is a member of the domain where the user is from, and/or leverage a proxy object for a local Windows user from the ADAM server's local user database?
If this is correct is there some way to specify a domain associated with a user for authentication?
- Posted by Dmitri Gavrilov [MSFT] on January 22nd, 2004
Correct. ADAM cannot bindproxy a user in an unknown domain. How would it
know where to resolve the SID and how to validate the password?
Thus, the only way to specify a domain is to join the ADAM machine to this
domain.
We are currently considering a more advanced design for proxy binds, where
we would utilize LDAP to validate the user pwd, rather than relying on
LsaLookupSids and LogonUser. But this is for the next version, if it is
approved.
--
Dmitri Gavrilov
SDE, Active Directory Core
- Posted by Joe Kaplan (MVP - ADSI) on January 22nd, 2004
Just out of curiosity, are there any other "tricks" like this for entering
binary data in ldp? For example, can you do:
\GUID:11111111-1111-1111-1111-111111111111
or something like that if you are trying to set an octet string attribute to
a GUID value?
I know LDIFDE uses Base64 to solve the binary input problem. I had no idea
there were cool shortcuts in LDP.
Joe K.
- Posted by Dmitri Gavrilov [MSFT] on January 23rd, 2004
The w2k3 version of LDP understands \SDDL:sddl_string for
ntSecurityDescriptor setting. Note that SDDL conversion is done on the
client (and thus any SID shortcuts, such as DA, are resolved locally).
It also understands \UNI:unicode_string. Thus, when you are setting
unicodePwd, you'd enter \UNI:"pwd_value"
The ADAM version of LDP understands \SID:sid_string
The newest version of LDP (to be released in ADAM SP1, maybe earlier)
understands \GUID:guid-string. It also has a GUI SD editor. If you want it,
I can send it your way.
--
Dmitri Gavrilov
SDE, Active Directory Core
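An added example, not from the thread and not LDP's own code: Python that produces the byte values the \GUID: and \UNI: shortcuts Dmitri lists stand for, so the same values can be written from a script or an LDIF file rather than typed into the GUI. guid_to_bytes follows the objectGUID octet-string layout (the first three fields little-endian, the last two in text order), unicode_pwd_value produces the double-quoted UTF-16LE form behind \UNI:"pwd_value", and ldap_filter_value escapes a binary value (RFC 4515 style) so it can be used in a search filter. The function names and the sample values (including Joe's all-ones GUID) are my own; the \SDDL: shortcut is not covered because SDDL parsing is a client-side job of its own.

```python
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Sample GUID constructed for this example (the value Joe used in his question).
EXAMPLE_GUID = "11111111-1111-1111-1111-111111111111"


def guid_to_bytes(guid: str) -> bytes:
    """Encode a textual GUID in the octet-string layout objectGUID uses:
    Data1 (4 bytes) and Data2/Data3 (2 bytes each) little-endian, then the
    remaining 8 bytes exactly as written. Braces around the GUID are allowed."""
    g = guid.strip().strip("{}")
    if not GUID_RE.match(g):
        raise ValueError(f"not a GUID: {guid!r}")
    d1, d2, d3, d4, d5 = g.split("-")
    return (bytes.fromhex(d1)[::-1] + bytes.fromhex(d2)[::-1]
            + bytes.fromhex(d3)[::-1] + bytes.fromhex(d4) + bytes.fromhex(d5))


def bytes_to_guid(raw: bytes) -> str:
    """Inverse of guid_to_bytes; rejects anything that is not exactly 16 bytes."""
    if len(raw) != 16:
        raise ValueError(f"GUID must be 16 bytes, got {len(raw)}")
    return "-".join([raw[0:4][::-1].hex(), raw[4:6][::-1].hex(),
                     raw[6:8][::-1].hex(), raw[8:10].hex(), raw[10:16].hex()])


def ldap_filter_value(raw: bytes) -> str:
    """Escape a binary value for an LDAP search filter, each byte as \\xx,
    e.g. (objectGUID=\\33\\22\\11\\00...)."""
    return "".join(f"\\{b:02x}" for b in raw)


def unicode_pwd_value(password: str) -> bytes:
    # unicodePwd takes the new password wrapped in double quotes, encoded as
    # UTF-16LE with no byte-order mark. This is the value LDP builds from
    # \UNI:"pwd_value"; the quotes are part of the encoded value.
    return f'"{password}"'.encode("utf-16-le")


if __name__ == "__main__":
    raw = guid_to_bytes(EXAMPLE_GUID)
    print("objectGUID octets:", raw.hex())
    print("search filter:   ", f"(objectGUID={ldap_filter_value(raw)})")
    print("round trip:      ", bytes_to_guid(raw))
```

The endianness matters in practice: a GUID copied from a directory tool and pasted into a filter as plain hex will match nothing, because the stored octets have the first three fields byte-swapped relative to the text form.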
- Posted by Joe Kaplan (MVP - ADSI) on January 23rd, 2004
That would be fantastic! Please send if you can.
Thanks also for the additional details. This is very helpful.
Joe K.