4

I am using (trying to anyway) an ActiveDirectory plugin for ScrewTurn wiki called UserAuth (by "ElectricImages"). Whenever a user logs into the Wiki's login page with correct network credentials (provides domain\user and password), they get a login error and the ScrewTurn log shows the message "Authentication of ...... failed: A referral was returned from the server."

If the user gives the wrong password, then the log says "Authentication of ...... failed: Logon failure: unknown user name or bad password", so it seems that ActiveDirectory is in fact getting the authentication info.

What could be going wrong?

JoelFan
  • Are you authenticating against a server that actually is a domain controller for the domain you're authenticating to? – Massimo Sep 01 '09 at 19:06
  • Or, to be a little clearer, are you in a multi-domain environment (forest, trusts, etc.)? – Massimo Sep 01 '09 at 19:07
  • see comments in squillman's answer – JoelFan Sep 01 '09 at 19:29
  • Seen, but you didn't answer *my* question: do you have a single domain or many trusted domains? Referrals are usually returned when you try to log on to DomainA but you're talking to a domain controller for DomainB. – Massimo Sep 01 '09 at 19:31
  • The plugin is configured to connect to a certain domain (e.g. ServerFault) and the user who's trying to log in also belongs to that same domain... (e.g. ServerFault\john) – JoelFan Sep 01 '09 at 19:36
  • Can you provide a sample of the web.config AD connection string you are using in the plug-in? – Dscoduc Sep 01 '09 at 21:31

3 Answers

5

OK, I fixed it... There were 2 problems:

  1. I needed to use the fully qualified name, e.g. Source=ServerFault.com (as suggested by squillman)

  2. I needed to change the "Anonymous Access" user in IIS to be a network user that has access to Active Directory (previously, it was a local machine user)

Thanks all who helped!

JoelFan
2

Directory referral messages often indicate that you're either binding to the directory in the wrong place or that you're doing some kind of cross-domain query against a server that might be in the same forest but isn't responsible for the domain in question. What are you using for the Source configuration tag? Do you have a domain controller at the site where your server is that is authoritative for that domain?

squillman
  • what do you mean by "binding in the wrong place"? – JoelFan Sep 01 '09 at 19:27
  • the Source tag is the same as the domain name of the users that are trying to log in to the wiki... i.e. Source=ServerFault and the users are logging in to the wiki using: ServerFault\john – JoelFan Sep 01 '09 at 19:28
  • Try using the fully qualified domain name instead. So instead of Source=ServerFault, use Source=ServerFault.com – squillman Sep 01 '09 at 19:57
  • "binding in the wrong place" is actually going to be irrelevant to this issue. Typically you need to bind to a location in the directory when querying, but this plugin automatically binds. I don't see any options for configuring this. – squillman Sep 01 '09 at 20:22
1

I have seen this when the Base DN was set to a legit-looking, but non-existent DN.
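
An added example, not part of the original thread and not the UserAuth plugin's code: an offline pre-check for the two misconfigurations reported in the answers above, a short domain name in Source and a base DN that looks valid but lies outside the domain. It assumes the domain controller answers only for the naming context derived from the domain's DNS name (other partitions are ignored); `check_config` and the finding names are hypothetical, and the sample values are constructed from the names used in the thread.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas inside a value."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def dc_suffix(dn):
    """Return the trailing DC= labels of a DN, lower-cased, in DNS order."""
    labels = []
    for rdn in reversed(split_dn(dn)):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() != "dc":
            break  # stop at the first non-DC component (OU=, CN=, ...)
        labels.append(value.strip().lower())
    return list(reversed(labels))

def check_config(source, base_dn, domain_fqdn):
    """Compare a configured Source and base DN with the domain's DNS name.

    Assumption: the domain controller hosts only the naming context that
    corresponds to domain_fqdn, so a base DN with any other DC= suffix is
    one it would answer with a referral instead of search results.
    """
    findings = []
    hosted = domain_fqdn.strip(".").lower().split(".")
    src = source.strip(".").lower()
    if "." not in src:
        findings.append("source-not-fqdn")        # e.g. Source=ServerFault
    elif src.split(".") != hosted:
        findings.append("source-other-domain")    # FQDN of a different domain
    if base_dn is not None and dc_suffix(base_dn) != hosted:
        findings.append("base-dn-outside-naming-context")
    return findings

if __name__ == "__main__":
    # Constructed sample configurations, not taken from a real deployment.
    samples = [
        ("ServerFault", "DC=ServerFault"),
        ("ServerFault.com", "OU=Users,DC=serverfault,DC=local"),
        ("ServerFault.com", "OU=Wiki\\, Staff,DC=ServerFault,DC=com"),
    ]
    for source, base_dn in samples:
        print(source, base_dn, check_config(source, base_dn, "serverfault.com"))
```

An empty result only means the names are consistent; whether the base DN object actually exists, and whether the IIS identity may read the directory, still has to be confirmed against the domain controller.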