Server 2003 AD, security context APIs, "operations error" ??

Hello Windows security experts,
I am having trouble bringing a legacy server into the world of Windows
Server 2003 domain controllers. I am probably doing something
wrongheaded... any wisdom would be most welcome.

The server has a serviceConnectionPoint and some ExtendedRights, duly
loaded into the domain controller. The serviceConnectionPoint is
loaded as a child object of the Computer. The server impersonates the
client, loads the serviceConnectionPoint, then checks whether the
appropriate extended right has been granted. The server doesn't
actually need to DO anything except this check ("is this user
authorized to do this server function?") while impersonating the

When I run this setup with a Windows 2000 domain controller it works.
But when I run it with a 2003 domain controller, it doesn't work.
Specifically, I'm calling ADsOpenObject to retrieve the
serviceConnectionPoint. I'm calling it from the thread impersonating
the client. The call works with a 2000 AD and fails with 2003 AD.

The failure code is 0x80072020, ERROR_DS_OPERATIONS_ERROR, "An
operations error occurred." What does this mean? How can I
troubleshoot it?

Here is the setup. All machines have plenty of RAM and disk space,
etc, and are on the same subnet.

My server is written in VC++ 6, with generic C++ rather than MFC. It's
running from a logged-in user on an XP Pro machine; the user has local
administrator rights but is a generic domain user.

My client is a VC++ 6 / MFC ActiveX control. It is running (from a
tiny VB6 app) as a logged-in user on a different XP Pro machine. The
client user doesn't have any special privileges. Client and server talk
TCP/IP to one another.

Both machines are members of the same Windows Server 2003 domain. The
domain controller is configured to allow legacy (NT 4) clients as well
as modern clients.

dsquery on both machines is capable of retrieving the
serviceConnectionPoint from the AD. dsquery run (via runas) as the client
user on the server machine is also capable of retrieving it.

The server accepts a connection from the client, and does an NTLM (not
Kerberos) exchange (AcceptSecurityContext, etc) with the client.
It then impersonates the client, calls ADsOpenObject, and gets the
"operations error."

If I hack the code to skip the client impersonation call, ADsOpenObject
works fine.

Thanks for reading this far! Any help understanding this would be great.
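An added diagnostic, not part of the original post and not the poster's code: the post does not say which credentials actually reach the domain controller when the impersonated thread calls ADsOpenObject, and that is the first thing worth isolating. One hypothesis a practitioner would check (it is a hypothesis, not something the post establishes) is that an NTLM-impersonated token cannot authenticate to a second machine, so the LDAP bind to the DC arrives with null credentials; a Windows 2003 DC refuses anonymous LDAP searches by default and answers with an operations error, whereas a Windows 2000 DC served them. The script below binds to the SCP three ways from the server machine and prints the HRESULT for each, so the 0x80072020 case can be matched against the anonymous bind without touching the server code. The SCP DN, the client account name and its password are placeholders. AuthenticationTypes.Secure corresponds to the ADS_SECURE_AUTHENTICATION flag ADsOpenObject takes.

```powershell
# Added diagnostic for the "operations error" question above; not the poster's code.
# Assumptions (replace before running): $ScpDN, $ClientUser, $ClientPassword.
param(
    [string]$ScpDN        = "CN=MyServiceSCP,CN=SERVERBOX,CN=Computers,DC=example,DC=com",
    [string]$ClientUser   = "EXAMPLE\clientuser",
    [string]$ClientPassword = "ClientPassword"
)

Add-Type -AssemblyName System.DirectoryServices
$ldapPath = "LDAP://$ScpDN"

function Test-ScpBind {
    param(
        [string]$Label,
        [string]$User,
        [string]$Password,
        [System.DirectoryServices.AuthenticationTypes]$AuthType
    )
    try {
        $de = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, $User, $Password, $AuthType)
        # DirectoryEntry is lazy: RefreshCache forces the actual LDAP bind and read,
        # which is where ADsOpenObject would fail in the server.
        $de.RefreshCache(@("distinguishedName"))
        "{0,-42} OK   {1}" -f $Label, $de.Properties["distinguishedName"][0]
    } catch {
        $ex = $_.Exception
        # DirectoryServicesCOMException derives from COMException; ErrorCode is the HRESULT.
        $code = if ($ex -is [System.Runtime.InteropServices.COMException]) { $ex.ErrorCode } else { -1 }
        "{0,-42} FAIL 0x{1:X8} {2}" -f $Label, $code, $ex.Message
    }
}

# 1. Secure bind as the logged-in server user (the case the poster says works
#    when impersonation is skipped).
Test-ScpBind -Label "Secure bind, current user" -User $null -Password $null -AuthType Secure

# 2. Secure bind with the client user's explicit credentials (equivalent to the
#    poster's dsquery-via-runas check).
Test-ScpBind -Label "Secure bind, client user (explicit)" -User $ClientUser -Password $ClientPassword -AuthType Secure

# 3. Anonymous bind. If this one returns 0x80072020 (ERROR_DS_OPERATIONS_ERROR)
#    against the 2003 DC but succeeds against the 2000 DC, the impersonated
#    thread is most likely reaching the DC with no credentials at all.
Test-ScpBind -Label "Anonymous bind (null credentials)" -User $null -Password $null -AuthType Anonymous
```

Run it on the server machine against each domain controller in turn (point $ScpDN at the same object the server loads). If only the anonymous case reproduces the error, the thing to look at is the token the server holds after AcceptSecurityContext, not the ADSI call itself: a token obtained from an NTLM network logon carries no credentials it can forward, so any fix has to either give the server its own identity for the directory lookup or obtain a token that can authenticate onward (Kerberos with delegation enabled). The script does not change anything in the directory; it only reads one attribute.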

