Discussion:
ADAMSync Problem with userProxy and SID?
m***@gmail.com
2008-08-15 17:12:21 UTC
Dear all,

I want to set up AD to ADAM sync and everything works fine so far. But
during the /sync command I get the following error:

Processing Entry: Page 1, Frame 1, Entry 10, Count 1, USN 0
Processing source entry <guid=bfbd971e58030f43abcabf91bfa284c9>
Processing in-scope entry bfbd971e58030f43abcabf91bfa284c9.
Adding target object
CN=XXXXXXXXX,OU=USERS,OU=XXXXXXXXXXX,DC=XXXX,DC=XXXX,DC=XXXXX,DC=com.
Adding attributes: sourceobjectguid, sn, c, l, title, description,
postalCode, postOfficeBox, physicalDeliveryOfficeName,
telephoneNumber, givenName, instanceType, displayName, co, department,
company, streetAddress, userAccountControl, codePage, countryCode,
primaryGroupID, objectSid, accountExpires, sAMAccountName,
userPrincipalName, mail, mobile, lastagedchange, objectclass,
Ldap error occured. ldap_add_sW: Unwilling To Perform.
Extended Info: 000020E7: SvcErr: DSID-03152AA9, problem 5003
(WILL_NOT_PERFORM), data 1317

With the option /force -1 all OUs and so on are created successfully. Only
user objects are not created and result in the same error as above.

It could be something with the objectSID as stated in this link
http://microsoft-programming.hostweb.com/TopicMessages/microsoft.public.metadirectory/2055221/1/Default.aspx

But I've no idea how to resolve this!

As background: The server which is running ADAM is not in the source
domain of this sync process. It's not in a domain at all.

Thanks for any help in advance!

Marc
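
Added example, not part of Marc's post and not ADAMSync's own code: a small Python parser for the output above that pulls out the target DN, the attribute list and the fields of the "Extended Info" line, and names the two numeric codes with their winerror.h names (status 0x20E7 is ERROR_DS_SECURITY_ILLEGAL_MODIFY; "data 1317" is the underlying Win32 error ERROR_NO_SUCH_USER). The sample log is the excerpt from the post with its masked DN left as posted; which attributes count as "domain-bound" is my own choice for illustration, not something ADAMSync reports.

```python
import re

# Constructed sample: the failing entry from the ADAMSync output in the post,
# with the masked DN left exactly as posted.
SAMPLE_LOG = """\
Processing Entry: Page 1, Frame 1, Entry 10, Count 1, USN 0
Processing source entry <guid=bfbd971e58030f43abcabf91bfa284c9>
Processing in-scope entry bfbd971e58030f43abcabf91bfa284c9.
Adding target object
CN=XXXXXXXXX,OU=USERS,OU=XXXXXXXXXXX,DC=XXXX,DC=XXXX,DC=XXXXX,DC=com.
Adding attributes: sourceobjectguid, sn, c, l, title, description,
postalCode, postOfficeBox, physicalDeliveryOfficeName,
telephoneNumber, givenName, instanceType, displayName, co, department,
company, streetAddress, userAccountControl, codePage, countryCode,
primaryGroupID, objectSid, accountExpires, sAMAccountName,
userPrincipalName, mail, mobile, lastagedchange, objectclass,
Ldap error occured. ldap_add_sW: Unwilling To Perform.
Extended Info: 000020E7: SvcErr: DSID-03152AA9, problem 5003
(WILL_NOT_PERFORM), data 1317
"""

# Names for the numeric codes, from winerror.h. The 8-digit hex value is a
# directory-service status; "data" is the Win32 error underneath it.
WIN32_NAMES = {
    0x20E7: "ERROR_DS_SECURITY_ILLEGAL_MODIFY",
    1317: "ERROR_NO_SUCH_USER",
}

# Attributes that only mean something inside the domain that owns the account.
# objectSid is what a userProxy bind is redirected on; the other two are SAM
# concepts with no role in ADAM. This set is an editorial choice for the example.
DOMAIN_BOUND = {"objectsid", "samaccountname", "primarygroupid"}

DN_RE = re.compile(r"Adding target object\s+(.+?)\.?\s*\nAdding attributes:", re.S)
ATTRS_RE = re.compile(r"Adding attributes:\s*(.+?)\nLdap error", re.S)
EXT_RE = re.compile(
    r"Extended Info:\s*([0-9A-Fa-f]{8}):\s*(\w+):\s*DSID-([0-9A-Fa-f]+),"
    r"\s*problem\s+(\d+)\s*\((\w+)\),\s*data\s+(\d+)")


def parse_adamsync_failure(log: str) -> dict:
    """Return a structured view of one failed 'Adding target object' block."""
    dn_m, attrs_m, ext_m = DN_RE.search(log), ATTRS_RE.search(log), EXT_RE.search(log)
    if not (dn_m and attrs_m and ext_m):
        raise ValueError("log excerpt does not contain a complete failure block")
    attrs = [a.strip() for a in attrs_m.group(1).split(",") if a.strip()]
    status, data = int(ext_m.group(1), 16), int(ext_m.group(6))
    return {
        "target_dn": dn_m.group(1).strip(),
        "attributes": attrs,
        "domain_bound_attributes": [a for a in attrs if a.lower() in DOMAIN_BOUND],
        "status": {
            "code": status,
            "code_name": WIN32_NAMES.get(status, "unknown"),
            "source": ext_m.group(2),   # SvcErr: the directory service itself rejected the add
            "dsid": ext_m.group(3),     # internal source-location tag, only useful to Microsoft support
            "problem": int(ext_m.group(4)),
            "problem_name": ext_m.group(5),
            "data": data,
            "data_name": WIN32_NAMES.get(data, "unknown"),
        },
    }


def summarize(result: dict) -> str:
    """One-line reading of the parsed failure, for reviewing a sync log."""
    s = result["status"]
    return "%s rejected: %s (0x%X), problem %d %s, data %d %s; domain-bound attributes in add: %s" % (
        result["target_dn"].split(",")[0], s["code_name"], s["code"], s["problem"],
        s["problem_name"], s["data"], s["data_name"],
        ", ".join(result["domain_bound_attributes"]) or "none")


if __name__ == "__main__":
    print(summarize(parse_adamsync_failure(SAMPLE_LOG)))
```

The useful field is "data": ADAM reports the LDAP-level "unwilling to perform" for many reasons, and only the Win32 error behind it says which one. Here it is ERROR_NO_SUCH_USER, and the attribute list shows objectSid being written into the new object, which is the combination the rest of this thread is about.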
Joe Kaplan
2008-08-15 21:18:30 UTC
Why would you try to create userProxy objects for AD users if the ADAM
server is not in a domain that trusts the AD users? They won't work as bind
proxies as bind proxies rely on the underlying Windows security
infrastructure to be able to forward the authentication to Windows/AD.

What are you trying to do here exactly? I'm also unclear on why you would
sync attributes like sAMAccountName and primaryGroupID to ADAM.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
m***@gmail.com
2008-08-18 08:17:56 UTC
OK, I will describe the situation:

We have a restrictive global company policy. We are currently not able
to integrate our MOSS server into the domain, but we want to
authenticate MOSS users through ADAM on this machine with domain
credentials. Is this possible? Or must the ADAM server be in the domain
to make this usable?

As I've noticed, I have to create userProxy objects in ADAM to get
"pass-through" authentication by ADAM.

Thanks a lot,

Marc
Joe Kaplan
2008-08-18 13:56:40 UTC
It would be much easier for you if you just used the Active Directory
Membership Provider and had the MOSS server contact AD directly via LDAP.
Is the issue that you don't have the ability to allow LDAP traffic from the
MOSS server to AD? You don't need to be domain joined to make this work.

The error you are getting (1317) means "the user does not exist" which makes
sense since ADAM can only proxy for users that it trusts.

If you still want to use ADAM as an intermediary between AD and
MOSS, you'll need to run ADAM on a separate domain-joined machine.
Additionally, the membership provider does not work with the userProxy class
by default as it is hard coded to look for users with "objectClass=user" so
you would need to modify the schema of the userProxy class to make its
objectClass be "user" which means that you can't use the normal user class.
It will get confusing.

Another option you have available to you is to use ADFS for this
integration.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
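
Added example, not Joe's or Marc's code and not a description of ADAM's internals: Python that decodes the binary objectSid being copied into each userProxy and, for a batch of entries, reports which ones are issued by a domain the ADAM host cannot translate SIDs for. On a real host that translation is done by Windows (LSA, LookupAccountSid), and this script only models the outcome Joe describes in the two replies above: a host that is in no domain can translate its own machine SID and nothing else, so every proxy for an AD user comes back WILL_NOT_PERFORM with data 1317 (ERROR_NO_SUCH_USER), while a member of the source domain or of a trusting domain accepts them. The domain SIDs, RIDs and DNs are constructed sample values.

```python
import struct


def sid_to_string(raw: bytes) -> str:
    """Decode the binary objectSid layout (1-byte revision, 1-byte sub-authority
    count, 48-bit big-endian identifier authority, then 32-bit little-endian
    sub-authorities) into the S-R-A-S1-...-Sn text form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the sample objectSid values."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def issuer_of(sid: str) -> str:
    """The domain or machine part of an account SID: everything but the final RID."""
    return sid.rsplit("-", 1)[0]


def precheck_proxies(entries, translatable_issuers):
    """For each (dn, objectSid) about to become a userProxy, say whether the
    issuing domain is one this host can translate. Models only the outcome
    the thread describes (a host that cannot translate the SID gets
    WILL_NOT_PERFORM, data 1317); the real lookup is done by Windows, not here."""
    report = []
    for dn, raw in entries:
        sid = sid_to_string(raw)
        issuer = issuer_of(sid)
        if issuer in translatable_issuers:
            status = "ok"
        else:
            status = ("unresolvable: expect WILL_NOT_PERFORM, data 1317 "
                      "(ERROR_NO_SUCH_USER); issuer %s unknown to this host" % issuer)
        report.append({"dn": dn, "sid": sid, "issuer": issuer, "status": status})
    return report


# Constructed sample values (not from the post).
SOURCE_DOMAIN = "S-1-5-21-1234567890-987654321-1122334455"  # the AD domain being synced
ADAM_MACHINE = "S-1-5-21-3333333333-222222222-111111111"    # the ADAM host's own machine SID
SAMPLE_ENTRIES = [
    ("CN=alice,OU=USERS,DC=example,DC=com", string_to_sid(SOURCE_DOMAIN + "-1105")),
    ("CN=bob,OU=USERS,DC=example,DC=com", string_to_sid(SOURCE_DOMAIN + "-1106")),
    ("CN=localsvc,OU=USERS,DC=example,DC=com", string_to_sid(ADAM_MACHINE + "-1001")),
]


def workgroup_host_report():
    """ADAM on a machine that is in no domain: only its own machine SID translates."""
    return precheck_proxies(SAMPLE_ENTRIES, {ADAM_MACHINE})


def domain_joined_host_report():
    """ADAM on a member of the source domain (or of a domain that trusts it)."""
    return precheck_proxies(SAMPLE_ENTRIES, {ADAM_MACHINE, SOURCE_DOMAIN})


if __name__ == "__main__":
    for row in workgroup_host_report():
        print(row["dn"], row["sid"], row["status"])
```

The equivalent check on a real ADAM box is to hand the decoded SID to the OS before running the sync (in .NET, SecurityIdentifier.Translate to an NTAccount): if the host cannot name the account, it cannot proxy a bind for it either, and moving the sync attributes around will not change that. Only objectSid matters for the redirect; sAMAccountName and primaryGroupID are, as Joe notes, SAM attributes with no role in ADAM.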