Disabled account and LDAP

Rich

Mar 31, 2004
Archived from groups: microsoft.public.win2000.active_directory

We have a 2003 server running AD and are using it with LDAPS for
authentication. If I disable an account, I can still authenticate using that
account over LDAP. Has anyone else seen this?
 
Guest

How specifically are you trying to authenticate? Windows auth is normally based
on Kerberos. If you already have a kerb cert for a resource, it isn't affected by
disables until it expires and has to be renewed, which could be up to 10 hours.

If you are forcing a new auth against AD with the LDAP bind then you should be
seeing it fail immediately.


joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Rich wrote:
> We have a 2003 server running AD and are using it with LDAPS for
> authentication. If I disable an account, I can still authenticate using that
> account over LDAP. Has anyone else seen this?
 

Rich


We are using LDAP bind. I tried patching the server with SP1 last night and
a number of services wouldn't start after it was applied. Not sure what is
causing the problem but since the box is used for testing only, I'm not in a
really big hurry to figure out what is wrong.

"Joe Richards [MVP]" wrote:

> How specifically are you trying to authenticate? Windows auth is normally based
> on Kerberos. If you already have a kerb cert for a resource, it isn't affected by
> disables until it expires and has to be renewed, which could be up to 10 hours.
>
> If you are forcing a new auth against AD with the LDAP bind then you should be
> seeing it fail immediately.
>
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Rich wrote:
> > We have a 2003 server running AD and are using it with LDAPS for
> > authentication. If I disable an account, I can still authenticate using that
> > account over LDAP. Has anyone else seen this?
>
 
Guest

LDAP Simple Bind? Or sending creds and a password and asking for secure auth?

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Rich wrote:
> We are using LDAP bind. I tried patching the server with SP1 last night and
> a number of services wouldn't start after it was applied. Not sure what is
> causing the problem but since the box is used for testing only, I'm not in a
> really big hurry to figure out what is wrong.
>
> "Joe Richards [MVP]" wrote:
>
>
>>How specifically are you trying to authenticate? Windows auth is normally based
>>on Kerberos. If you already have a kerb cert for a resource, it isn't affected by
>>disables until it expires and has to be renewed, which could be up to 10 hours.
>>
>>If you are forcing a new auth against AD with the LDAP bind then you should be
>>seeing it fail immediately.
>>
>>
>> joe
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>Rich wrote:
>>
>>>We have a 2003 server running AD and are using it with LDAPS for
>>>authentication. If I disable an account, I can still authenticate using that
>>>account over LDAP. Has anyone else seen this?
>>
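
Added example, not part of the original thread: a Python sketch of how an application that authenticates by LDAP bind against AD can confirm that a disabled account is refused, by reading the sub-code in the bind error and by checking the ACCOUNTDISABLE bit of `userAccountControl` instead of trusting the bind result alone. The function names, the `decide` policy and the sample error string are assumptions made up for illustration; the bind itself is left to whatever LDAP client library is in use.

```python
import re

# Sub-codes Active Directory places in the "data NNN" field of a failed
# bind's diagnostic message (hexadecimal Win32 error codes).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on a disabled account


def bind_failure_reason(diagnostic):
    """Return the reason encoded in an AD bind error string, or None."""
    m = re.search(r"\bdata\s+([0-9a-fA-F]+)\b", diagnostic)
    return AD_BIND_SUBCODES.get(m.group(1).lower(), "unknown") if m else None


def is_disabled(user_account_control):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(user_account_control) & ACCOUNTDISABLE)


def decide(password, bind_ok, diagnostic, user_account_control):
    """Hypothetical policy: combine the bind result with the account state."""
    if not password:
        # A simple bind with an empty password is an unauthenticated bind
        # (RFC 4513) and can report success without checking a credential.
        return (False, "empty password rejected before bind")
    if not bind_ok:
        return (False, bind_failure_reason(diagnostic) or "bind failed")
    if is_disabled(user_account_control):
        return (False, "bind succeeded but account is disabled")
    return (True, "ok")


# Constructed sample in the shape AD uses for a refused bind (DSID is made up).
SAMPLE = ("80090308: LdapErr: DSID-0C090334, comment: "
          "AcceptSecurityContext error, data 533, vece")
```

`userAccountControl` is read from the user object with a separate search; 512 is a normal enabled account and 514 is the same account disabled.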