Intermittent login issue

We are using MBS Business Portal 2.5 on a 2003 server (also domain controller). We are using Basic authentication with SSL. (Integrated Authentication is not an option due to clients not being part of the Windows domain). We also have a Novell NDS network and sync accounts to AD using Novell's LDAP Identity Manager product.

Generally this has been working great. I have seen a few cases when a user changes their Novell password they either cannot log in to Business Portal, or their previous password still works. They get 401.1 and 401.2 IIS errors.

I've tried recreating their AD accounts, manually resetting their passwords in AD, resyncing the account from Novell, recreating their Business Portal accounts, and logging onto the domain as them from a client PC (that is a member of the domain). All of these seem to work on occasion. I'm having a problem narrowing down the problem. The fix that works most of the time is logging onto the domain as the user. Then IIS accepts the new password.

Can anybody explain why IIS does not accept a new password but AD does? Any ideas where the failure is occurring?

I don't think the problem is Novell or Identity Manager due to no errors in the logs and the fact that most users work just fine.

My suspicion is that IIS user token cache (I think it is 15 minutes timeout) is momentarily stale relative to your password change. IIS does not get a callback when user account properties change in AD so it does not know when to flush user token cache. And since the password change happens in Novell, there is another time-period before it syncs to Active Directory.

Does the issue persist >15 minutes after user account changes in Novell has sync'd to AD?

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

David,
One user that changed his password at about 8:00am one day was using his old password the entire day to log in to Business Portal but he was logging in to Novell using his new password. I've tested other accounts myself and the log in to Business Portal failed for quite some time.

I presume your user accounts are in Novell.
When does Novell LDAP Identity Manager synchronize the password change into Active Directory, and prove that it happened at that time. You seem to indicate that one user changed his password at 8am one day and it never synchronized into Active Directory that entire day... because he was using his old password to log in to Business Portal (which is talking back to Active Directory). Which means that Novell had the new password but Active Directory still had the old password...

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
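The stale-cache theory and the follow-up question about sync timing in the replies above can be checked against each other with a small model. This is an added example, not part of the thread and not IIS code: the cache keying, the fixed TTL from insertion, the account name, passwords and timings are all assumptions or constructed values.

```python
# Added illustration, not IIS code. Times are seconds after the Novell change.
from dataclasses import dataclass, field

TOKEN_TTL = 15 * 60  # assumption: the 15-minute timeout quoted in the thread


@dataclass
class Directory:
    """Active Directory as IIS sees it: old password until the sync lands."""
    old: str
    new: str
    synced_at: float

    def check(self, password: str, now: float) -> bool:
        return password == (self.new if now >= self.synced_at else self.old)


@dataclass
class TokenCache:
    """Assumed behaviour: keyed on (user, password), fixed TTL from insertion."""
    ttl: float = TOKEN_TTL
    entries: dict = field(default_factory=dict)

    def logon(self, user, password, directory, now):
        expiry = self.entries.get((user, password))
        if expiry is not None and now < expiry:
            return "cache"      # directory is not consulted at all
        self.entries.pop((user, password), None)
        if directory.check(password, now):
            self.entries[(user, password)] = now + self.ttl
            return "directory"
        return None             # rejected: what the client sees as a 401


def old_password_deadline(synced_at: float, ttl: float = TOKEN_TTL) -> float:
    """Upper bound on when the old password can still work: a token cached
    just before the sync expires ttl seconds after it."""
    return synced_at + ttl


def cache_explains(observed_at: float, synced_at: float) -> bool:
    """True if an old-password logon at observed_at fits the stale-cache theory."""
    return observed_at < old_password_deadline(synced_at)


if __name__ == "__main__":
    ad = Directory(old="Winter1", new="Spring2", synced_at=300)  # constructed values
    iis = TokenCache()
    for t, pw in [(0, "Winter1"), (100, "Spring2"), (600, "Winter1"), (901, "Winter1")]:
        print(t, pw, iis.logon("bill", pw, ad, t))
    print(cache_explains(9 * 3600, synced_at=300))  # old password still works 9 h later
```

In this model an old password that still works hours after the change cannot be a cache effect, so the place to look is whether and when the new password reached Active Directory.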