Markus Geiger
Hi everybody!
A customer of ours operates an AD with one domain and a couple of subdomains
spread over a few dozen AD-Servers across their intranet. On one of the member
servers (W2003) in their HQ there is an application that authenticates users
from several subdomains against the respective AD-Servers (W2000). For users
from some of the subdomains, the authentication works; for at least three of
the subdomains the authentication fails.
I do not have source code access for this application but I captured the
network traffic and it seems like the SamrOpenUser request gets a c0000022
(STATUS_ACCESS_DENIED) response from the subdomain controllers.
We checked the ACL on the "user" object in the AD - it had sufficient access
rights for a read access set. Also, an object access audit on the AD "user"
object showed no failure.
What other settings can cause a STATUS_ACCESS_DENIED response for the
SamrOpenUser request?