0 votes

Hello,

After updating to 2021.1, we have problems with an old Windows 2003 domain. The service account for the domain is rapidly locked out from the Adaxes server. What we see on the domain controller are events for Pre-authentication like:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 12.03.2021
Time: 13:18:31
User: NT AUTHORITY\SYSTEM
Computer: AP-LEO1-DC1
Description: Pre-authentication failed:
User Name: s-ADXsvc0001
User ID: xxx\s-ADXsvc0001
Service Name: krbtgt/xxx.local
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: xxx.xxx.xxx.xxx

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Are there any restrictions in 2021.1 for Managed Domain? Or how can I integrate old domains?

regards Helmut

by (510 points)
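A triage sketch for the event shown in the question, added here as an example and not part of the original post or of Adaxes: it parses Event ID 675 text in that layout, names the Kerberos failure code (per RFC 4120, 0x19 is KDC_ERR_PREAUTH_REQUIRED and 0x18 is KDC_ERR_PREAUTH_FAILED), and reports which account and client address produce bursts of such events. The account name, addresses, threshold and time window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos error codes (RFC 4120) often seen in the "Failure Code" field.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
              0x19: "KDC_ERR_PREAUTH_REQUIRED", 0x25: "KRB_AP_ERR_SKEW"}
# Single-token fields; the patterns match flattened or one-field-per-line text.
PATTERNS = {"event_id": r"Event ID:\s*(\d+)",
            "date": r"\bDate:\s*(\d{2}\.\d{2}\.\d{4})",
            "time": r"\bTime:\s*(\d{2}:\d{2}:\d{2})",
            "user": r"User Name:\s*(\S+)",
            "code": r"Failure Code:\s*(0x[0-9A-Fa-f]+)",
            "client": r"Client Address:\s*(\S+)"}

def parse_event_675(text):
    """Return a dict for one Event ID 675 record, or None if fields are missing."""
    found = {k: re.search(p, text) for k, p in PATTERNS.items()}
    if None in found.values() or found["event_id"].group(1) != "675":
        return None
    f = {k: m.group(1) for k, m in found.items()}
    code = int(f["code"], 16)
    when = datetime.strptime(f["date"] + " " + f["time"], "%d.%m.%Y %H:%M:%S")
    return {"when": when, "user": f["user"].lower(), "client": f["client"],
            "code": code, "code_name": KRB_ERRORS.get(code, "UNKNOWN")}

def find_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """List (user, client, code_name, count) with >= threshold events in window."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["client"], e["code_name"])].append(e["when"])
    bursts = []
    for key, times in groups.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append(key + (best,))
    return sorted(bursts)

# Constructed sample records in the layout of the event above (not real log data).
TEMPLATE = ("Event ID: 675 Date: 12.03.2021 Time: {} Pre-authentication failed: "
            "User Name: {} Failure Code: {} Client Address: {}")
SAMPLE = [TEMPLATE.format(t, "svc-demo", c, a) for t, c, a in [
    ("13:18:31", "0x19", "192.0.2.10"), ("13:18:40", "0x19", "192.0.2.10"),
    ("13:19:05", "0x19", "192.0.2.10"), ("13:25:00", "0x18", "192.0.2.44")]]
```

Feeding `find_bursts` the parsed records from a domain controller's Security log export shows whether the events come from a single client address, such as the Adaxes server, or from several hosts using the same service account.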

1 Answer

0 votes
by (227k points)

Hello,

Are there any restrictions in 2021.1 for Managed Domain?

No, there are no restrictions. As per our check, Windows 2000 and 2003 domains work just fine in the latest version of Adaxes.

Or how can I integrate old domains?

The issue is not related to Adaxes itself and occurs because Windows 2003 domains do not support the latest Windows authentication methods by default. For information on how to remedy the issue, have a look at the following thread on Microsoft forums: https://social.technet.microsoft.com/Forums/ie/en-US/4db3bb1a-5cdf-4874-b58f-f3cbba0ea80a/eventid-675-failure-code-0x19-windows-server-2003-as-dc-windows-server-2008-as-member-server?forum=winserversecurity.

As another solution, you can try enabling Do not require Kerberos preauthentication in Account Options of the user whose credentials are specified for your managed domain.

0

Hello,

Some more information. Yesterday, I made a fresh install of Adaxes, Version 2021.1 and restored configuration from backup. After that, I was able to register the old Windows 2003 domain. In the morning, I opened Adaxes and the domain was red - The user name or password is incorrect. The PW of the account wasn't changed - what happened? All other managed domains are also unoperational. When I try to unregister the domain, I also get the above error. In the Adaxes Log I see this event:

Log Name: Adaxes
Source: Adaxes Service
Date: 16.03.2021 08:03:03
Event ID: 0
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SMB000WSRV0004.int.sds-bs.de
Description:
Softerra.Adaxes.Adsi.DirectoryComException (0x8007052E): The user name or password is incorrect. (Server: apm.local) ---> System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
   at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
   at Softerra.Adaxes.Directory.Configuration.ManagedDomain.#Jyc(NetworkCredential credential)
   at Softerra.Adaxes.Directory.Configuration.ManagedDomain.#Jyc(NetworkCredential credential)
   at Softerra.Adaxes.Directory.Configuration.ManagedDomain.Initialize(NetworkCredential credential, Boolean checkData)
   at #7e.#9e.#Yxc()
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Adaxes Service" />
    <EventID Qualifiers="0">0</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-03-16T07:03:03.913643800Z" />
    <EventRecordID>1888936</EventRecordID>
    <Channel>Adaxes</Channel>
    <Computer>SMB000WSRV0004.int.sds-bs.de</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Softerra.Adaxes.Adsi.DirectoryComException (0x8007052E): The user name or password is incorrect. (Server: apm.local) ---&gt; System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid. at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential) at Softerra.Adaxes.Directory.Configuration.ManagedDomain.#Jyc(NetworkCredential credential) at Softerra.Adaxes.Directory.Configuration.ManagedDomain.#Jyc(NetworkCredential credential) at Softerra.Adaxes.Directory.Configuration.ManagedDomain.Initialize(NetworkCredential credential, Boolean checkData) at #7e.#9e.#Yxc()</Data>
  </EventData>
</Event>

After restarting the Softerra Adaxes Service, all domains are operational and I'm able to unregister the domain.

2nd question. We have a domain where we don't have Domain Admin rights. I configured this domain according to https://www.adaxes.com/help/?HowDoI.ManageService.SkipPermissionCheckWhenRegisteringDomains.html. -> I don't find this help anymore?

regards Helmut

0

Hello Helmut,

For troubleshooting purposes, please, specify the following:

  1. What version of Adaxes did you have installed when you made the backup?
  2. Do you have multiple instances of Adaxes service sharing common configuration? For information on how to check that, have a look at the following help article: https://www.adaxes.com/help/MultiServerEnvironment. If you do, please, post here or send us (support@adaxes.com) a screenshot of the services list.
  3. When you were unable to unregister managed domains in Adaxes Administration console, what error message did you face? Please, post here or send us a screenshot if possible.
0

Hello,

thanks for the fast reply.

  1. Backup is from Version 2018.1
  2. We have a SingleServer environment
  3. user name or password is incorrect

At the moment, I installed the old version 2018.1 and it runs well against the old 2003 domain. We are in the process of migrating the 2003 domain, so we use reports - copy/paste and other functions from Adaxes. This is the last 2003 domain, all other managed domains are 2012 and higher and working well with 2021.1.

There is a new option when registering a new domain "Use SSL...", perhaps this is what leads to an error.

Enabling Do not require Kerberos preauthentication was a good tip, after that - the account wasn't Locked Out anymore.

regards Helmut

0

Hello Helmut,

The new SSL feature cannot cause such a behavior. Could you, please, specify whether the backup included credentials?

If it is possible, please, try upgrading to Adaxes 2021.1 again and should the issue occur, please, send us (support@adaxes.com) a copy of the Adaxes event log. For information on how to view the log, have a look at the following help article: https://www.adaxes.com/help/ServiceEventLog.

0

Hello,

Yes, the backup included credentials.

At the moment, we plan to make the migration with Version 2018.1 (hopefully ended in 4 weeks). After that, we update to 2021.1 again.

Last 2021.1 Install
15.3 15:30 Beginning a Windows Installer...
15.3 15:32 Ending a Windows Installer...
15.3 15:34 Product: Softerra Adaxes 2021.1 -- Installation completed successfully
16.3 09:04 Windows Installer removed the product Softerra Adaxes 2021.1

I will send the Adaxes Logs to the support mail address.

There are a lot of other error events because of Firewall restrictions.

The domain with the problem is apm.local

regards Helmut

P.S. great product, great support

0

Hello Helmut,

Thank you for the provided details and for the Event log. Once you complete the migration there should be no issues managing your domains in the latest version of Adaxes.

Thank you for your good words, it is much appreciated! Should you have any questions or need clarifications, do not hesitate to contact our Support Team.
