0 votes

Hello,

After the update to 2021.1 we have problems with an old Windows 2003 domain. The service account for the domain is rapidly locked out from the Adaxes server. What we see on the domain controller are events for Pre-authentication like:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 675
    Date: 12.03.2021
    Time: 13:18:31
    User: NT AUTHORITY\SYSTEM
    Computer: AP-LEO1-DC1
    Description:
    Pre-authentication failed:
        User Name: s-ADXsvc0001
        User ID: xxx\s-ADXsvc0001
        Service Name: krbtgt/xxx.local
        Pre-Authentication Type: 0x0
        Failure Code: 0x19
        Client Address: xxx.xxx.xxx.xxx

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Are there any restrictions in 2021.1 for Managed Domain? Or how can I integrate old domains?

regards Helmut

by (510 points)

1 Answer

0 votes
by (270k points)

Hello,

Are there any restrictions in 2021.1 for Managed Domain?

No, there are no restrictions. As per our check, Windows domains 2000 and 2003 work just fine in the latest version of Adaxes.

Or how can I integrate old domains?

The issue is not related to Adaxes itself and occurs because Windows 2003 domains do not support the latest Windows authentication methods by default. For information on how to remedy the issue, have a look at the following thread on Microsoft forums: https://social.technet.microsoft.com/Forums/ie/en-US/4db3bb1a-5cdf-4874-b58f-f3cbba0ea80a/eventid-675-failure-code-0x19-windows-server-2003-as-dc-windows-server-2008-as-member-server?forum=winserversecurity.

As another solution, you can try enabling Do not require Kerberos preauthentication in Account Options of the user whose credentials are specified for your managed domain.
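
The event 675 record quoted in the question can be triaged mechanically. The following is an added example (not part of the original thread, and not Adaxes or Microsoft code) that parses flattened event 675 text, decodes the failure code using the RFC 4120 error names, and reports which account and client address pairs repeat often enough to drive a lockout. The sample records, account names, domain and addresses are constructed.

```python
import re
from collections import Counter

# Kerberos error names from RFC 4120 that are often seen in event 675.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}
FIELDS = ("User Name", "Service Name", "Failure Code", "Client Address")

def parse_675(text):
    """Pull the description fields out of one event 675 record.
    Works on flattened or multi-line text; values are assumed to contain no spaces."""
    rec = {}
    for field in FIELDS:
        m = re.search(re.escape(field) + r":\s*(\S+)", text)
        if m:
            rec[field] = m.group(1)
    code = int(rec.get("Failure Code", "0x0"), 16)
    rec["error"] = KRB_ERRORS.get(code, "unknown (0x%x)" % code)
    return rec

def lockout_sources(events, threshold=3):
    """Return (user, client, error, count) for pairs seen at least `threshold` times."""
    hits = Counter()
    for text in events:
        r = parse_675(text)
        hits[(r.get("User Name"), r.get("Client Address"), r["error"])] += 1
    return [key + (n,) for key, n in hits.most_common() if n >= threshold]

# Constructed sample records (hypothetical account, domain and addresses).
TEMPLATE = ("Event ID: 675 Description: Pre-authentication failed: "
            "User Name: {u} User ID: EXAMPLE\\{u} Service Name: krbtgt/example.local "
            "Pre-Authentication Type: 0x0 Failure Code: {c} Client Address: {a}")
SAMPLE = [TEMPLATE.format(u="svc-example", c="0x19", a="192.0.2.10")] * 3 + [
    TEMPLATE.format(u="jdoe", c="0x18", a="192.0.2.20")]

if __name__ == "__main__":
    for user, client, error, count in lockout_sources(SAMPLE):
        print(f"{user} from {client}: {error} x{count}")
```

KDC_ERR_PREAUTH_REQUIRED (0x19) is also returned in a normal Kerberos exchange when a client first asks for a ticket without pre-authentication data, so repetition from one client address is the signal rather than a single record. An account with Do not require Kerberos preauthentication enabled stops producing these records, so it should be tracked separately and the option reverted once the legacy domain is migrated.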

0

Hello,

Some more information. Yesterday, I made a fresh install of Adaxes, Version 2021.1 and restored configuration from backup. After that, I was able to register the old Windows 2003 domain. In the morning, I opened Adaxes and the domain was red - The user name or password is incorrect. The PW of the account wasn't changed - what happened? All other managed domains are also unoperational. When I try to unregister the domain, I also get the above error. In the Adaxes Log I see this event:

    Log Name: Adaxes
    Source: Adaxes Service
    Date: 16.03.2021 08:03:03
    Event ID: 0
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: SMB000WSRV0004.int.sds-bs.de
    Description:
    Softerra.Adaxes.Adsi.DirectoryComException (0x8007052E): The user name or password is incorrect. (Server: apm.local) ---> System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Softerra.Adaxes.Directory.Configuration.ManagedDomain.#Jyc(NetworkCredential credential)
       at Softerra.Adaxes.Directory.Configuration.ManagedDomain.#Jyc(NetworkCredential credential)
       at Softerra.Adaxes.Directory.Configuration.ManagedDomain.Initialize(NetworkCredential credential, Boolean checkData)
       at #7e.#9e.#Yxc()
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Adaxes Service" />
        <EventID Qualifiers="0">0</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2021-03-16T07:03:03.913643800Z" />
        <EventRecordID>1888936</EventRecordID>
        <Channel>Adaxes</Channel>
        <Computer>SMB000WSRV0004.int.sds-bs.de</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Softerra.Adaxes.Adsi.DirectoryComException (0x8007052E): The user name or password is incorrect. (Server: apm.local) ---&gt; System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Softerra.Adaxes.Directory.Configuration.ManagedDomain.#Jyc(NetworkCredential credential)
       at Softerra.Adaxes.Directory.Configuration.ManagedDomain.#Jyc(NetworkCredential credential)
       at Softerra.Adaxes.Directory.Configuration.ManagedDomain.Initialize(NetworkCredential credential, Boolean checkData)
       at #7e.#9e.#Yxc()</Data>
      </EventData>
    </Event>

After restarting the Softerra Adaxes Service, all domains are operational and I'm able to unregister the domain.

2nd question. We have a domain where we don't have Domain Admin rights. I configured this domain according to https://www.adaxes.com/help/?HowDoI.ManageService.SkipPermissionCheckWhenRegisteringDomains.html. -> I don't find this help anymore?

regards Helmut

0

Hello Helmut,

For troubleshooting purposes, please, specify the following:

  1. What version of Adaxes did you have installed when you made the backup?
  2. Do you have multiple instances of Adaxes service sharing common configuration? For information on how to check that, have a look at the following help article: https://www.adaxes.com/help/MultiServerEnvironment. If you do, please, post here or send us (support@adaxes.com) a screenshot of the services list.
  3. When you were unable to unregister managed domains in Adaxes Administration console, what error message did you face? Please, post here or send us a screenshot if possible.
0

Hello,

thanks for the fast reply.

  1. Backup is from Version 2018.1
  2. We have a SingleServer environment
  3. user name or password is incorrect

At the moment, I installed the old version 2018.1 and it runs well against the old 2003 domain. We are in progress in migration of the 2003 domain, so we use reports - copy/paste and other functions from Adaxes. This is the last 2003 domain, all other managed domains are 2012 and higher and working well with 2021.1.

There is a new option when registering a new domain "Use SSL...", perhaps this is what leads to an error.

Enabling Do not require Kerberos preauthentication was a good tip, after that - the account wasn't Locked Out anymore.

regards Helmut

0

Hello Helmut,

The new SSL feature cannot cause such a behavior. Could you, please, specify whether the backup included credentials?

If it is possible, please, try upgrading to Adaxes 2021.1 again and should the issue occur, please, send us (support@adaxes.com) a copy of the Adaxes event log. For information on how to view the log, have a look at the following help article: https://www.adaxes.com/help/ServiceEventLog.

0

Hello,

yes backup included credentials.

At the moment, we plan to make the migration with Version 2018.1 (hopefully ended in 4 weeks). After that, we update to 2021.1 again.

Last 2021.1 Install

    15.3 15:30 Beginning a Windows Installer...
    15.3 15:32 Ending a Windows Installer...
    15.3 15:34 Product: Softerra Adaxes 2021.1 -- Installation completed successfully
    16.3 09:04 Windows Installer removed the product Softerra Adaxes 2021.1

I will send the Adaxes Logs to the support mail address.

There are a lot of other error events because of Firewall restrictions.

The domain with the problem is apm.local

regards Helmut

P.S. great product, great support

0

Hello Helmut,

Thank you for the provided details and for the Event log. Once you complete the migration there should be no issues managing your domains in the latest version of Adaxes.

Thank you for your good words, it is much appreciated! Should you have any questions or need clarifications, do not hesitate to contact our Support Team.
