cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

A question about authentication between AD RMS server and AD server

Ayako_K_Ishibashi
Copper Contributor

‎Nov 01 2019 01:00 AM - edited ‎Nov 01 2019 01:03 AM

‎Nov 01 2019 01:00 AM - edited ‎Nov 01 2019 01:03 AM

A question about authentication between AD RMS server and AD server

I am having trouble on authenticating AD RMS server and AD server.

 

First, I want to explain the problem that I am having.

 

My AD RMS server is trying to authenticate with AD server.

 

First, AD RMS sent LDAP message
"bindRequest(***) "<ROOT>", NTLMSSP_NEGOTIATEsasl"
to AD server.

 

However, AD server returned,
"bindResponse(***) "<ROOT>", invalidCredentials ........((snip)) "

 

I googled this error message and find out that ID and password used for authentication were not correct.

 

We have other AD server and AD RMS server tries authentication and successes.

According to packet capture result, AD RMS is sending same contents for success pattern and failed pattern.

 

How can I solve this...?

 

If the authentication acts properly, AD server will response,
"bindResponse(***) saslBindInProgress , NTLMSSP_CHALLENGE"

 

So, I also want to know in what condition will AD server send
"bindResponse(***) saslBindInProgress , NTLMSSP_CHALLENGE"
after receiving
"bindRequest(***) "<ROOT>", NTLMSSP_NEGOTIATEsasl"
from LDAP client, in this case, AD RMS server.

 

Thanks in advance,

Ayako

Labels:
1,563 Views
0 Likes
1 Reply
Reply
1 Reply
Ayako_K_Ishibashi

‎Nov 20 2019 10:50 PM

‎Nov 20 2019 10:50 PM

Re: A question about authentication between AD RMS server and AD server

Hi

 

This problem was solved, so I will close this thread.

 

The reason was the AD that RMS server was trying to connect had wrong settings in local group policy.

 

Network Security: Restrict NTLM: NTLM authentication in this domain security policy setting should be "allow all", but our AD server was set as "deny all".

 

Also, registry setting was like this;

  Key: [HKEY_LOCAL_MACHINE] - [SYSTEM] - [CurrentControlSet] - [Control] - [Lsa] - [MSV1_0]

  Key name: RestrictReceivingNTLMTraffic

  Value: 2  

 

However, this key name (RestrictReceivingNTLMTraffic) should be deleted.

 

After changing these settings, we finally experienced no difficulties.

 

See you,

Ayako

0 Likes
Reply