Re: Server 2003 AD, security context APIs, "operations error" ??
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Jun 2006 17:55:18 -0500
2003 AD doesn't support anonymous searches by default, so that's probably
the difference. My guess is that your code has never been successfully
authenticating with AD and has been binding as the anonymous user all along.
The fact that you are using NTLM means that you won't be able to do Kerberos
delegation to AD (unless you were able to use S4U, which you can't if your
server runs on XP as I think you said it does). Since you have a multiple
machine hop in here but can't delegate, you'll end up with anonymous
authentication to AD via NTLM.
Is it important to use the client's security context to hit AD via LDAP? If
so, you probably need to get Kerberos delegation working or convince your AD
admins to allow anonymous searches (which is not a good idea).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ollie Jones" <olliejones@xxxxxxxxx> wrote in message
news:1151605820.962422.320940@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello Windows security experts,
I am having trouble bringing a legacy server into the world of Windows
Server 2003 domain controllers. I am probably doing something
wrongheaded.... any wisdom would be most welcome.
The server has a serviceConnectionPoint and some ExtendedRights, duly
loaded into the domain controller. The serviceConnectionPoint is
loaded as a child object of the Computer. The server impersonates the
client, loads the serviceConnectionPoint, then checks whether the
appropriate extended right has been granted. The server doesn't
actually need to DO anything except this check ("is this user
authorized to do this server function?") while impersonating the
client.
When I run this setup with a Windows 2000 domain controller it works.
But when I run it with a 2003 domain controller, it doesn't work.
Specifically, I'm calling ADsOpenObject to retrieve the
serviceConnectionPoint. I'm calling it from the thread impersonating
the client. The call works with a 2000 AD and fails with 2003 AD.
The failure code is 0x80072020, ERROR_DS_OPERATIONS_ERROR, "An
operations error occurred." What does this mean? How can I
troubleshoot it?
Here is the setup. All machines have plenty of RAM and disk space,
etc, and are on the same subnet.
My server is written in VC++ 6, with generic C++ rather than MFC. It's
running from a logged in user on an XP Pro machine; the user has local
administrator rights but is a generic domain user.
My client is a VC++ 6 / MFC ActiveX control. It is running (from a
tiny VB6 app) on a logged in user on a different XP Pro machine. The
client user doesn't have any special privileges. Client and server talk
TCP/IP to one another.
Both machines are members of the same Windows Server 2003 domain. The
domain controller is configured to allow legacy (NT 4) clients as well
as modern clients.
dsquery on both machines is capable of retrieving the
serviceConnectionPoint from the AD. dsquery runas the client user on
the server machine is also capable of retrieving it.
The server accepts a connection from the client, and does an NTLM (not
Kerberos) exchange (AcceptSecurityContext, etc) with the client.
It then impersonates the client, calls ADsOpenObject, and gets the
"operations error."
If I hack the code to skip the client impersonation call, ADsOpenObject
works fine.
Thanks for reading this far! Any help understanding this would be great.
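An added diagnostic, not code from either poster: this PowerShell script reads one SCP twice, once with the caller's own credentials and once anonymously (which is what Joe's reply says a non-delegable NTLM hop degrades to), and reports whether the DC's dSHeuristics attribute permits anonymous LDAP operations. It assumes System.DirectoryServices is available (any domain-joined Windows box); $Dc and $ScpDn are placeholders to replace with real values.

```powershell
# Added diagnostic, not code from the thread: read one SCP twice, with the
# caller's own credentials and then anonymously, and report whether the DC
# permits anonymous LDAP operations (dSHeuristics, 7th character).
# Assumes System.DirectoryServices (any domain-joined Windows box); $Dc and
# $ScpDn are placeholders to replace with real values.
param(
    [string]$Dc    = "dc01.example.com",                                        # placeholder
    [string]$ScpDn = "CN=MyService,CN=SERVERPC,CN=Computers,DC=example,DC=com"  # placeholder
)
Add-Type -AssemblyName System.DirectoryServices
$AuthType = [System.DirectoryServices.AuthenticationTypes]

function Test-ScpRead {
    param([string]$Dn, [System.DirectoryServices.AuthenticationTypes]$Auth)
    $entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Dc/$Dn", $null, $null, $Auth
    try {
        # RefreshCache issues the actual LDAP search; on a default 2003+ DC the
        # anonymous variant fails here with 0x80072020 (ERROR_DS_OPERATIONS_ERROR).
        $entry.RefreshCache([string[]]@("serviceBindingInformation"))
        $sbi = $entry.Properties["serviceBindingInformation"] -join ";"
        "{0,-10} OK   serviceBindingInformation={1}" -f $Auth, $sbi
    } catch {
        # PowerShell wraps .NET method exceptions; unwrap to reach the COM HRESULT.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        "{0,-10} FAIL 0x{1:X8} {2}" -f $Auth, $ex.HResult, $ex.Message.Trim()
    } finally {
        $entry.Dispose()
    }
}

function Get-AnonymousLdapPolicy {
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Dc/RootDSE"
    $cfg  = [string]$root.Properties["configurationNamingContext"].Value
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $ds   = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Dc/$dsDn"
    $h = [string]$ds.Properties["dSHeuristics"].Value
    # A "2" in position 7 of dSHeuristics allows anonymous LDAP operations;
    # anything else, including an unset attribute, is the 2003+ default (blocked).
    if ($h.Length -ge 7 -and $h.Substring(6, 1) -eq "2") {
        "dSHeuristics='$h': anonymous LDAP operations ALLOWED (weaker than default)"
    } else {
        "dSHeuristics='$h': anonymous LDAP operations blocked (default)"
    }
}

Get-AnonymousLdapPolicy
Test-ScpRead -Dn $ScpDn -Auth $AuthType::Secure     # the caller's own identity
Test-ScpRead -Dn $ScpDn -Auth $AuthType::Anonymous  # what a non-delegable NTLM hop degrades to
```

If the Secure read succeeds and the Anonymous read fails with 0x80072020, the server's impersonated call is reaching the DC without credentials, which matches Joe's diagnosis; leave anonymous operations blocked on the DC and fix the delegation path instead.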