
Initial domain sync fails for DC in untrusted domain

Hola,

 

Ok so I have AD sync working fine from our integrated domain, but when adding a domain where there is no trust, I am having issues getting the sync to work.

Couple of notes:

  • I am able to configure the connection in the Sync editor and browse the schema
  • When configuring the Job service for the domain controller in the DMZLAB domain, I am using SQL credentials that have the appropriate perms to the OIM SQL server instance in the LAB domain.
    • Assuming that I have to use a SQL Server cred, with this being a domain without a trust to the domain that the OIM DB is installed in.
  • I can see the server in the JobQueue editor and get the configuration version and refresh the time, etc...
  • SQL Server is listening on TCP/IP and Named Pipes, etc.
  • Not that it should matter, but all of the appropriate SPNs are defined in the directory in the source domain for the SQL instance.

  • The DMZLAB job server is configured with Machine Roles: (Active Directory and Job Server)
  • The DMZLAB Job server is configured with Server Functions: (Active Directory Connector)

So generally, it appears that all is good with this DMZLAB job server, but when I trigger the initial sync, the Full Projection process kicks off, and after several seconds I get the following error in the DMZLAB server log:

2017-10-06 10:05:31 -04:00 - \DMZLABDCL01 - VI.Projector.JobComponent.ProjectorComponent - 533e6817-ffaf-4699-8a16-181671acbd7e: Errors occured
    [2134003] Error executing synchronization.
    [810143] Database error 18452: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    [System.Data.SqlClient.SqlException] Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
       at StdioProcessor.StdioProcessor._Execute(Job job)
       at VI.Projector.JobComponent.ProjectorComponent.Activate(String task)
       at VI.Projector.JobComponent.ProjectorComponent._FullProjection()
       ---- Start of Inner Exception ----
       at VI.Projector.JobComponent.ProjectorComponent._FullProjection()
       at VI.Projector.JobComponent.ProjectorComponent.get_Session()
       at VI.JobService.JobComponents.DbJobComponent.get_ConnectData()
       at VI.JobService.JobComponents.DbJobComponent._ConnectToDatabase()
       at VI.Base.SyncActions.Do[T](Func`1 function)
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       ---- Start of Inner Exception ----
       at VI.DB.DbApp.<ConnectAsync>d__5.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.Base.TaskExtensions.<Convert>d__1`2.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.DbSessionFactoryImpl.<CreateAsync>d__3.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<CreateAsync>d__9.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<GetAsync>d__27.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool.<_CreateNewBucketAsync>d__30.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool._Bucket.<CreateAsync>d__11.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionPool._Bucket.<TryInitializeAsync>d__15.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.DbFactoryBase.<_CreateAndOpenConnectionAsync>d__13.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalMsSqlConnection.<OpenAsync>d__17.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at VI.DB.DataAccess.PhysicalConnectionBase.<OpenAsync>d__16.MoveNext()
       ---- Start of Inner Exception ----
       at VI.DB.DataAccess.PhysicalConnectionBase.<OpenAsync>d__16.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Threading.Tasks.Task.Execute()
       at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
       at System.Data.ProviderBase.DbConnectionFactory.<>c__DisplayClass0.<TryGetConnection>b__2(Task`1 _)
       at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken)
       at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout)
       at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)
       at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
       at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
2017-10-06 10:07:00 -04:00 - Info: Requesting process steps for queue \DMZLABDCL01.
2017-10-06 10:07:00 -04:00 - Info: Last process step request succeeded.

I have also gone directly to the local server instance and reconfigured the Job service editor with the SQL connection with the local account just in case the push from designer was setting it with an integrated connection even after specifying that I want to use a SQL account.

As always, I am assuming that I am missing something here and that you guys can straighten me out. This is an important use case for us and I plan to work this through the weekend so if I can get any insights from you guys that would be terrific.

Much appreciated!

  • Your sync project is configured to use Windows Integrated authentication for the OneIM connection. Open your sync project and click on the One Identity Manager connection and Edit connection. Change the connection settings to use your SQL credentials. Save the project and check if it needs to be reactivated.

    That should do the trick.
  • Hey Markus,

    I did as you requested and unfortunately the same error persists.

    I even removed and re-added the Sync project for the DMZLAB domain, and removed/re-added another connection to the DB using the SQL account.

    On the SQL server however I am seeing the service account in the DMZ domain coming inbound with the request.

    No matter what I do, it seems that the server attempts to connect to the database using the service credential.

     

    An account failed to log on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		DMZLAB-APP
    	Account Domain:		DMZLAB
    
    Failure Information:
    	Failure Reason:		Unknown user name or bad password.
    	Status:			0xC000006D
    	Sub Status:		0xC0000064
    
    Process Information:
    	Caller Process ID:	0x0
    	Caller Process Name:	-
    
    Network Information:
    	Workstation Name:	DMZLABDCL01
    	Source Network Address:	-
    	Source Port:		-
    
    Detailed Authentication Information:
    	Logon Process:		NtLmSsp 
    	Authentication Package:	NTLM
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    
    The Process Information fields indicate which account and process on the system requested the logon.
    
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
    The authentication information fields provide detailed information about this specific logon request.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

     

    Should I be configuring the service on the DMZLAB DC to be run as the local service account? 

     

    Not sure what I am missing here. It is counter intuitive to go through all of this configuration on the client to specifically set the service to connect to the DB using the SQL creds only to have it attempt to connect using the service account anyway.

    Anything else I may be missing here?
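The 4625 event pasted above is the most useful evidence in this thread: NULL SID, Logon Type 3, authentication package NTLM and sub status 0xC0000064 (user name does not exist) on the SQL Server host, for an account whose domain that host cannot resolve. The following is an added example, not code from the thread or from One Identity Manager, that parses a 4625 event into its sections, decodes the sub status and flags this pattern. The SAMPLE_4625 text is constructed for the example, modelled on the event posted above; the list of local domains passed to the check is an assumption.

```python
"""Parse a Windows Security event 4625 (logon failure) and decode its fields.

Added example, not code from the original thread or from One Identity Manager.
SAMPLE_4625 is constructed for this example, modelled on the event posted in
the thread; the sub-status table lists documented NTSTATUS values.
"""
import textwrap
from typing import Dict, Iterable

SAMPLE_4625 = "\n".join([
    "An account failed to log on.",
    "",
    "Subject:",
    "\tSecurity ID:\t\tNULL SID",
    "\tAccount Name:\t\t-",
    "",
    "Logon Type:\t\t\t3",
    "",
    "Account For Which Logon Failed:",
    "\tSecurity ID:\t\tNULL SID",
    "\tAccount Name:\t\tDMZLAB-APP",
    "\tAccount Domain:\t\tDMZLAB",
    "",
    "Failure Information:",
    "\tFailure Reason:\t\tUnknown user name or bad password.",
    "\tStatus:\t\t\t0xC000006D",
    "\tSub Status:\t\t0xC0000064",
    "",
    "Network Information:",
    "\tWorkstation Name:\tDMZLABDCL01",
    "",
    "Detailed Authentication Information:",
    "\tLogon Process:\t\tNtLmSsp ",
    "\tAuthentication Package:\tNTLM",
])

# "Sub Status" NTSTATUS codes and what they mean for the failed account.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}


def parse_4625(text: str) -> Dict[str, Dict[str, str]]:
    """Group the event's 'Key:<tabs>Value' lines by section header.

    Section headers ("Subject:") are unindented lines with no value; their
    fields are the tab-indented lines that follow. An unindented line with a
    value ("Logon Type: 3") is filed under section "". Prose lines have no
    colon and are skipped; dedent() tolerates a copy indented as a whole.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in textwrap.dedent(text).splitlines():
        if not raw.strip() or ":" not in raw:
            continue
        indented = raw[0] in "\t "
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not indented and not value:
            current = key          # new section header
            continue
        sections.setdefault(current if indented else "", {})[key] = value
    return sections


def decode_substatus(code: str) -> str:
    """Map the hex 'Sub Status' string to its meaning ('-' or '' is no code)."""
    try:
        return SUBSTATUS.get(int(code, 16), "unrecognised sub status")
    except ValueError:
        return "no sub status"


def summarize(sections: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Pull out the fields an analyst checks first."""
    failed = sections.get("Account For Which Logon Failed", {})
    failure = sections.get("Failure Information", {})
    auth = sections.get("Detailed Authentication Information", {})
    net = sections.get("Network Information", {})
    return {
        "account": failed.get("Account Domain", "") + "\\" + failed.get("Account Name", ""),
        "logon_type": sections.get("", {}).get("Logon Type", ""),
        "package": auth.get("Authentication Package", ""),
        "status": failure.get("Status", ""),
        "substatus": failure.get("Sub Status", ""),
        "reason": decode_substatus(failure.get("Sub Status", "")),
        "workstation": net.get("Workstation Name", ""),
    }


def is_foreign_ntlm_logon(summary: Dict[str, str], local_domains: Iterable[str]) -> bool:
    """Heuristic: NTLM network logon for an account from a domain the target
    host does not belong to. With sub status 0xC0000064 this is what a
    Windows-auth attempt from an untrusted domain looks like on the SQL host,
    which cannot resolve the foreign account. local_domains is an assumption."""
    domain = summary["account"].split("\\", 1)[0].upper()
    return (summary["package"].upper() == "NTLM"
            and summary["logon_type"] == "3"
            and domain not in {d.upper() for d in local_domains})
```

Running `summarize(parse_4625(SAMPLE_4625))` yields account `DMZLAB\DMZLAB-APP`, package NTLM, logon type 3 and reason "user name does not exist"; `is_foreign_ntlm_logon(..., ["LAB"])` is then true, which is the signal that the client presented a Windows identity rather than the SQL login it was supposed to use.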

  • In regards to the OneIM database connection of a sync project, only the connection information in the sync project for the OneIM connector is responsible for connecting.

    Again, use edit connection for the One IM connection and check that a SQL user is used.

    By the way, which version are you using?
  • I could be WAY off here ... but in Designer -> Base Data -> Databases -> Main Database -> Settings -> Connection parameter ... do you see the SQL connection string as being a Windows Authentication-based connection (instead of SQL authentication)? I've seen sometimes that the string you see there in the Designer is the one that is used by the job service sometimes. Again, I could be way off, but maybe that's what should be changed (might want to confirm with Markus first though, since he's the expert).

    Matt
  • Hey Markus,

    I am running 7.1 SP2. I am running through the entire config again to scrub anything that may be remotely directory integrated.

    Hey Matt,

    I will check that as well.

    Thanks
  • Ok so no luck,

    I think I am going to need to tear this down and start over. Very frustrating.

    I have gone through every tool and made certain that they are configured to use local SQL auth, have changed every sync job to the same, and even gone back into the job servers and manually configured the job service config to use the local SQL account to connect to the DB.

    Seems pretty straight forward but there is definitely something off about this configuration and I can’t seem to get my head around what could be wrong.

    I can still connect to all of the DCs and browse the objects with the editor, and I can execute syncs on the DC that is in the Lab.com domain, but no matter what I do the dmzlab.com DC fails to sync and attempts to connect to the DB using the DMZLAB service account.

    I will give this one more shot in the morning, after which I will stick a fork in it.

    :)

    Thanks for your ideas, each and every one seemed plausible but so far no love.

    Could be that I am losing my war with attrition and need to step away for a bit.

    Thanks again.
  • I think Matt could be right. Check the Job parameters in the job queue. I think the connection string should contain the integrated authentication. As this is 7.1 SP2 you can configure a special authentication setting for this job service in Designer.

    Version before 7.1.1 always used the settings from DialogDatabase as Matt wrote. We added the configurable connection to support AppServer connections for process steps that need a database connection.

    The process step needs to load the sync project from the database and this seems to fail in your case.
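The root cause in this thread is a job server whose database connection string still requests Windows Integrated authentication, so the process step presents the DMZLAB service identity to a SQL Server in a domain that does not trust it. The following is an added example, not code from the thread or from One Identity Manager, that audits SqlClient-style connection strings for integrated authentication, predicts which job servers would hit error 18452 given the trust relationships, and rewrites a string to a SQL login. The queue names, domain names, server and database names in JOB_SERVERS are constructed assumptions; the connection-string syntax and key synonyms (Integrated Security / Trusted_Connection, User ID / UID, Password / PWD) are those SqlClient accepts.

```python
"""Audit ADO.NET/SqlClient connection strings for Windows Integrated auth.

Added example, not code from the original thread or from One Identity
Manager. Queue, domain, server and database names below are assumptions.
"""
from typing import Dict, Iterable, List, Set, Tuple

INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
USER_KEYS = {"user id", "uid", "user"}
PASSWORD_KEYS = {"password", "pwd"}
INTEGRATED_TRUE = {"true", "yes", "sspi"}


def _pairs(conn: str) -> List[Tuple[str, str]]:
    """Tokenise 'Key=Value;Key='quoted;value'' into (key, value) pairs.

    Keys keep their original case; a quoted value may contain ';'.
    """
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(conn)
    while i < n:
        while i < n and conn[i] in "; \t":      # skip separators and padding
            i += 1
        if i >= n:
            break
        eq = conn.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' near offset {i}")
        key, i = conn[i:eq].strip(), eq + 1
        while i < n and conn[i] == " ":
            i += 1
        if i < n and conn[i] in "'\"":           # quoted value
            end = conn.find(conn[i], i + 1)
            if end < 0:
                raise ValueError("unterminated quoted value")
            value, i = conn[i + 1:end], end + 1
        else:                                    # bare value up to ';'
            end = conn.find(";", i)
            end = n if end < 0 else end
            value, i = conn[i:end].strip(), end
        pairs.append((key, value))
    return pairs


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Lower-cased key -> value (SqlClient compares keys case-insensitively)."""
    return {k.lower(): v for k, v in _pairs(conn)}


def auth_mode(conn: str) -> str:
    """'windows' if integrated auth is requested (SqlClient then ignores any
    User ID/Password), 'sql' if a SQL login is present, else 'unknown'."""
    kv = parse_connection_string(conn)
    if any(kv.get(k, "").strip().lower() in INTEGRATED_TRUE for k in INTEGRATED_KEYS):
        return "windows"
    if any(k in kv for k in USER_KEYS):
        return "sql"
    return "unknown"


def crosses_untrusted_boundary(job_server_domain: str, db_domain: str,
                               trusts: Set[Tuple[str, str]], conn: str) -> bool:
    """True when the job server would present a Windows identity from a domain
    the SQL Server's domain does not trust: the condition behind error 18452.
    trusts holds (source_domain, target_domain) pairs that are trusted."""
    if auth_mode(conn) != "windows":
        return False
    src, dst = job_server_domain.lower(), db_domain.lower()
    return src != dst and (src, dst) not in {(a.lower(), b.lower()) for a, b in trusts}


def _quote(v: str) -> str:
    """Quote values that contain ';' or a quote (not both kinds at once)."""
    if not any(c in v for c in ";'\"") and v == v.strip():
        return v
    return f"'{v}'" if "'" not in v else f'"{v}"'


def to_sql_auth(conn: str, user: str, password: str) -> str:
    """Drop integrated-auth and login keys, then append the SQL login."""
    kept = [(k, v) for k, v in _pairs(conn)
            if k.lower() not in INTEGRATED_KEYS | USER_KEYS | PASSWORD_KEYS]
    kept += [("User ID", user), ("Password", password)]
    return ";".join(f"{k}={_quote(v)}" for k, v in kept)


def audit(job_servers: Iterable[Tuple[str, str, str]], db_domain: str,
          trusts: Set[Tuple[str, str]]) -> List[str]:
    """Queue names whose database connection would fail with 18452."""
    return [queue for queue, domain, conn in job_servers
            if crosses_untrusted_boundary(domain, db_domain, trusts, conn)]


# Constructed sample: (queue name, job server domain, connection string).
JOB_SERVERS = [
    ("\\LABDCL01", "lab.com",
     "Data Source=LABSQL01;Initial Catalog=OneIM;Integrated Security=SSPI"),
    ("\\DMZLABDCL01", "dmzlab.com",
     "Data Source=LABSQL01;Initial Catalog=OneIM;Integrated Security=SSPI"),
]
```

With the database in lab.com and no trust configured, `audit(JOB_SERVERS, "lab.com", set())` returns only `\DMZLABDCL01`; after `to_sql_auth(...)` the same queue passes, which matches the fix described in this thread (a per-job-server authentication setting in Designer rather than the DialogDatabase default).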
  • Oh man,

    I could kiss you both..

    That was TOTALLY the problem.

    SO glad I didn't dismantle and start over. I was dreading that.

    It is past the point of error now, so I am confident that the job service has passed the point of erroring out.

    I do see a warning in the log on the DMZLAB DC log however that maybe you could tell me if I should be concerned about.

    2017-10-07 09:12:18 -04:00 - Warning: There is no process assembly for table ADSGroupInADSGroup (triggering event Insert).

    Not an error but I would like to understand if this is another indication that I may be off on a configuration item somewhere.

    Thanks again, you guys are THE BEST...
  • BOOOM.

    Matty Muise sounds like an all star baseball hitter name. And for me, you are JUST THAT.

    Thanks man.
  • Ok so another question unfortunately.

    While the inbound sync is executing ok now without issues, there are groups that are being imported into the ADSGroup table with some odd SAMACCOUNTNAME values.

    In the directory, the SAMACCOUNTNAME is properly formatted, but in the database, it is some odd characters starting with a $.

    For instance:

    SAMACCOUNTNAME in the directory: Server - Local - Administrators

    SAMACCOUNTNAME in the ADSGroup table: $2C1000-8NDN5MVLEKD9

    The CN is fine, just the SAMACCOUNTNAME.


    I even deleted all of the Groups from the database and imported again, same result.

    Any ideas?