
Initial domain sync fails for DC in untrusted domain

Hola,


OK, so I have AD sync working fine from our integrated domain, but when adding a domain where there is no trust, I am having issues getting the sync to work.

A couple of notes:

  • I am able to configure the connection in the Sync editor and browse the schema
  • When configuring the Job service for the domain controller in the DMZLAB domain, I am using SQL credentials that have the appropriate perms to the OIM SQL server instance in the LAB domain.
    • Assuming that I have to use a SQL Server credential, since this is a domain without a trust to the domain in which the OIM DB is installed.
  • I can see the server in the JobQueue editor and get the configuration version and refresh the time, etc.
  • SQL Server is listening on TCP/IP and Named Pipes, etc.
  • Not that it should matter, but all of the appropriate SPNs are defined in the directory in the source domain for the SQL instance.

  • The DMZLAB job server is configured with Machine Roles: (Active Directory and Job Server)
  • The DMZLAB Job server is configured with Server Functions: (Active Directory Connector)

So generally, it appears that all is good with this DMZLAB job server, but when I trigger the initial sync, the Full Projection process kicks off, and after several seconds I get the following error in the DMZLAB server log:

2017-10-06 10:05:31 -04:00 - \DMZLABDCL01 - VI.Projector.JobComponent.ProjectorComponent - 533e6817-ffaf-4699-8a16-181671acbd7e: Errors occured
    [2134003] Error executing synchronization.
    [810143] Database error 18452: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    [System.Data.SqlClient.SqlException] Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
       at StdioProcessor.StdioProcessor._Execute(Job job)
       at VI.Projector.JobComponent.ProjectorComponent.Activate(String task)
       at VI.Projector.JobComponent.ProjectorComponent._FullProjection()
       ---- Start of Inner Exception ----
       at VI.Projector.JobComponent.ProjectorComponent._FullProjection()
       at VI.Projector.JobComponent.ProjectorComponent.get_Session()
       at VI.JobService.JobComponents.DbJobComponent.get_ConnectData()
       at VI.JobService.JobComponents.DbJobComponent._ConnectToDatabase()
       at VI.Base.SyncActions.Do[T](Func`1 function)
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       ---- Start of Inner Exception ----
       at VI.DB.DbApp.<ConnectAsync>d__5.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.Base.TaskExtensions.<Convert>d__1`2.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.DbSessionFactoryImpl.<CreateAsync>d__3.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<CreateAsync>d__9.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<GetAsync>d__27.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<_CreateNewBucketAsync>d__30.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool._Bucket.<CreateAsync>d__11.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool._Bucket.<TryInitializeAsync>d__15.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.DbFactoryBase.<_CreateAndOpenConnectionAsync>d__13.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalMsSqlConnection.<OpenAsync>d__17.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionBase.<OpenAsync>d__16.MoveNext()
       ---- Start of Inner Exception ----
       at VI.DB.DataAccess.PhysicalConnectionBase.<OpenAsync>d__16.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Threading.Tasks.Task.Execute()
       at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
       at System.Data.ProviderBase.DbConnectionFactory.<>c__DisplayClass0.<TryGetConnection>b__2(Task`1 _)
       at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken)
       at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout)
       at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)
       at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
       at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
2017-10-06 10:07:00 -04:00 - Info: Requesting process steps for queue \DMZLABDCL01.
2017-10-06 10:07:00 -04:00 - Info: Last process step request succeeded.

I have also gone directly to the local server instance and reconfigured the Job service editor with the SQL connection with the local account just in case the push from designer was setting it with an integrated connection even after specifying that I want to use a SQL account.

As always, I am assuming that I am missing something here and that you guys can straighten me out. This is an important use case for us and I plan to work this through the weekend so if I can get any insights from you guys that would be terrific.

Much appreciated!

  • Hey Markus,

    I did as you requested and unfortunately the same error persists.

    I even removed and re-added the Sync project for the DMZLAB domain, and removed/re-added another connection to the DB using the SQL account.

    On the SQL server, however, I am seeing the service account in the DMZ domain coming inbound with the request.

    No matter what I do, it seems that the server attempts to connect to the database using the service credential.


    An account failed to log on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		DMZLAB-APP
    	Account Domain:		DMZLAB
    
    Failure Information:
    	Failure Reason:		Unknown user name or bad password.
    	Status:			0xC000006D
    	Sub Status:		0xC0000064
    
    Process Information:
    	Caller Process ID:	0x0
    	Caller Process Name:	-
    
    Network Information:
    	Workstation Name:	DMZLABDCL01
    	Source Network Address:	-
    	Source Port:		-
    
    Detailed Authentication Information:
    	Logon Process:		NtLmSsp 
    	Authentication Package:	NTLM
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    
    The Process Information fields indicate which account and process on the system requested the logon.
    
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
    The authentication information fields provide detailed information about this specific logon request.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


    Should I be configuring the service on the DMZLAB DC to run as the local service account?


    Not sure what I am missing here. It is counterintuitive to go through all of this configuration on the client to specifically set the service to connect to the DB using the SQL creds, only to have it attempt to connect using the service account anyway.

    Anything else I may be missing here?
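As an added example (not code from this thread or from the One Identity product), here is a small Python check that parses the 4625 event body shown above, names the Status/Sub Status codes, and tests whether a SQL Server connection string would silently use Windows authentication instead of the SQL login. The event text and connection strings below are constructed samples.

```python
import re

# NTSTATUS values as they appear in the Status / Sub Status fields of event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER (account unknown to this domain)",
}

def parse_4625(text):
    """Collect 'Label:<tabs>Value' lines; a repeated label (Subject vs. Account
    For Which Logon Failed) keeps the later value, the account that failed."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields):
    """Return (account, status names, untrusted_ntlm); NTLM plus NO_SUCH_USER
    is the pattern that pairs with SQL Server error 18452 on the client side."""
    status = int(fields.get("Status", "0"), 16)
    sub = int(fields.get("Sub Status", "0"), 16)
    account = fields.get("Account Domain", "?") + "\\" + fields.get("Account Name", "?")
    names = [NTSTATUS.get(status, hex(status)), NTSTATUS.get(sub, hex(sub))]
    untrusted_ntlm = fields.get("Authentication Package") == "NTLM" and sub == 0xC0000064
    return account, names, untrusted_ntlm

def uses_windows_auth(connection_string):
    """True when Integrated Security / Trusted_Connection is on: SqlClient then
    logs on as the process identity and ignores any User ID / Password given."""
    kv = {}
    for part in connection_string.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            kv[k.strip().lower()] = v.strip().lower()
    return any(kv.get(k) in ("sspi", "true", "yes")
               for k in ("integrated security", "trusted_connection"))

# Constructed sample mirroring the event posted in the thread.
SAMPLE_4625 = """An account failed to log on.
\tAccount Name:\t\t-
\tAccount Domain:\t\t-
Account For Which Logon Failed:
\tAccount Name:\t\tDMZLAB-APP
\tAccount Domain:\t\tDMZLAB
\tStatus:\t\t\t0xC000006D
\tSub Status:\t\t0xC0000064
\tAuthentication Package:\tNTLM
"""
```

Running `classify(parse_4625(SAMPLE_4625))` flags the NTLM/NO_SUCH_USER pair, and `uses_windows_auth` returns True for any connection string where Integrated Security or Trusted_Connection is enabled, even if a User ID and Password are also present.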
