Authenticating Against Multiple Domain Controllers


Authenticating Against Multiple Domain Controllers

Armen.Yampolsky

Hello,
 
We have a network with no WINS servers, and two domain controllers. The primary occasionally goes down. What are the correct set of jcifs parameters to use if we want to be able to cycle among the two DC's, and automatically use the secondary if the primary goes down (and vice-versa)? As has been noted on this list before, the following does not seem to work:
 
<init-param>
<param-name>jcifs.http.domainController</param-name>
<param-value>dc1, dc2</param-value>
</init-param>
 
Many thanks,
-Armen
 


Re: Authenticating Against Multiple Domain Controllers

Michael B Allen-4
On Thu, 22 Jun 2006 18:17:43 -0400
[hidden email] wrote:

> Hello,
>  
> We have a network with no WINS servers, and two domain controllers. The primary occasionally goes down. What are the correct set of jcifs parameters to use if we want to be able to cycle among the two DC's, and automatically use the secondary if the primary goes down (and vice-versa)? As has been noted on this list before, the following does not seem to work:

Can't do it without WINS.

Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/

RE: Authenticating Against Multiple Domain Controllers

Tapperson Kevin
In reply to this post by Armen.Yampolsky
We have implemented some custom handling in the NtlmHttpFilter class to
achieve this.  I have attached a few of the pertinent classes from our
customizations.  We made these customizations in our own code and left
the jcifs implementation untouched.  These customizations could be
included in the jcifs code and may become a little cleaner if so.

We were first prompted to make these customizations because we found
that our WINS servers have bad addresses in them.  It appears that
Microsoft products implement some type of retry logic around the WINS
lookup of a DC.  Our directory services team refused to make any effort
to keep the WINS records clean with only good DCs.  Apparently, only
jcifs suffers from having bad DCs in the WINS records?

Following this, we tried switching to using DNS in jcifs.  This too had
the same issues.  Our DNS entries for the DCs had bad addresses in them.
The bad addresses were for DCs that were down for maintenance, rogue
DCs, and 169.254.x.x addresses (DHCP auto configure).  We have had
problems with rogue DCs on our network since the Microsoft Outlook
server has some sort of requirement that it act as a DC.  As our e-mail
services team plays with their Outlook servers, they would register
themselves as DCs even though they may not actually contain any
directory information.  It turns out that some of our DCs have multiple
network adapters some of which are enabled but not plugged in to
anything.  When the DC reboots, it attempts to get a DHCP address for
those enabled but disconnected adapters and fails, but proceeds to
register the 169.254.x.x address with DNS.  Again, our directory
services team refused to make any effort to keep the DNS records clean
with only good DCs in them.  (We also had this same issue with our LDAP
access to the directory since it uses DNS.  We have since implemented a
similar solution for LDAP.)  I'll stop griping about our directory
services team now and get on with the solution.

In the attached code, the following properties control the DC lookup:

The set of allowed domains must be configured; only those domains which
are listed in the properties (and set to true) are supported.  (This
prevents users who log in locally to their machine rather than to the
domain from attempting authentication.)  You should enable both the
NETBIOS name and the DNS name for the domain.  For example:
        domain.allowed.DOMAIN1=true
        domain.allowed.domain1.yourdomain.tld=true

Each enabled domain can be configured to point to a DNS entry.  Ideally,
this would be a round robin DNS entry with all of the DCs in your
domain.  For example:
        domain.dns.DOMAIN1=domain1.yourdomain.tld
        domain.dns.domain1.yourdomain.tld=domain1.yourdomain.tld

You can also specify an explicit list of DCs for each enabled domain.
The list of DCs here is converted to an internally managed round robin
list.  The entries in this list can either be DNS names, IP addresses,
NETBIOS names or a mix of them.  For example:
        domain.controllers.DOMAIN1=dc1.domain1.yourdomain.tld, 1.2.3.4, DC1
        domain.controllers.domain1.yourdomain.tld=dc1.domain1.yourdomain.tld, 1.2.3.4, DC1

You can specify the # of retries to use in trying to locate a good DC:
        retries=3

You can specify a timeout value for which a "bad" DC is removed from the
internally managed round robin DNS list:
        bad.host.timeout=300000

You can specify whether to use WINS or DNS for lookups:
        use.wins=false


The getDomainController(String domain) method looks up a domain
controller for the specified domain using the following logic.
        get the domain.controllers.<domain> list for the specified domain
        if the explicit list of DCs is defined for the domain (and it's not empty), then use the defined list
                get the first entry from the list of DCs
                if the use.wins flag is true AND the entry does not contain a '.'
                        use a WINS server query to lookup the address for the entry
                else
                        use DNS to lookup the address for the entry
        else
                get the domain.dns.<domain> property for the specified domain
                if the use.wins flag is true OR the domain.dns.<domain> property is not set
                        use a WINS 0x1C query to lookup a DC address for the domain
                else
                        use DNS to lookup a DC address for the domain

If the getDomainController method finds a "bad" DC, it flags it as bad
and removes it from the internally managed round robin DNS list for the
length of time specified by the bad.host.timeout property.  After that,
the "bad" DC is reinstated into the round robin DNS list and tried again
for subsequent requests.



Attachments: NTLMType1Agent.java (5K), config.properties (1K), DNSRoundRobinList.java (4K), NTLMConfig.java (14K)
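To make the round-robin and bad.host.timeout behaviour Kevin describes concrete, here is an added example (not the attached DNSRoundRobinList.java or NTLMConfig.java): a small Java class that walks a domain.controllers list, quarantines a DC that fails for bad.host.timeout milliseconds, and gives up after `retries` attempts. The class name DcRoundRobin and the `reachable` predicate are assumptions; the predicate stands in for the DNS/WINS lookup plus connect that the real filter performs.

```java
import java.util.*;
import java.util.function.Predicate;

/** Round-robin DC list with a bad-host quarantine (added example; not the post's attached DNSRoundRobinList.java). */
public class DcRoundRobin {
    private final List<String> hosts = new ArrayList<>();       // from domain.controllers.<domain>
    private final Map<String, Long> badUntil = new HashMap<>(); // host -> millis when it may be retried
    private final long badHostTimeoutMs;                        // bad.host.timeout
    private final int retries;                                  // retries
    private int cursor = 0;
    public DcRoundRobin(String controllers, int retries, long badHostTimeoutMs) {
        for (String h : controllers.split(",")) {
            if (!h.trim().isEmpty()) hosts.add(h.trim());
        }
        this.retries = retries;
        this.badHostTimeoutMs = badHostTimeoutMs;
    }

    /** Next entry whose quarantine has expired; null if all are quarantined or the list is empty. */
    synchronized String next(long now) {
        for (int i = 0; i < hosts.size(); i++) {
            String h = hosts.get(cursor);
            cursor = (cursor + 1) % hosts.size();
            Long until = badUntil.get(h);
            if (until == null || until <= now) { badUntil.remove(h); return h; }
        }
        return null;
    }
    /** Flag a DC as bad: it leaves the rotation until now + bad.host.timeout, then is tried again. */
    synchronized void markBad(String host, long now) { badUntil.put(host, now + badHostTimeoutMs); }
    // Tries up to `retries` candidates. `reachable` (an assumption) stands in for the filter's lookup
    // plus connect: with use.wins=true an entry without a '.' would go to a NetBIOS lookup, anything
    // else to DNS. A null result is the caller's cue to fall back to the domain.dns.<domain> path.
    public String getDomainController(Predicate<String> reachable, long now) {
        for (int attempt = 0; attempt < retries; attempt++) {
            String h = next(now);
            if (h == null) break;
            if (reachable.test(h)) return h;
            markBad(h, now);
        }
        return null;
    }

    public static void main(String[] args) {
        DcRoundRobin rr = new DcRoundRobin("dc1.domain1.yourdomain.tld, 1.2.3.4, DC1", 3, 300000L);
        Set<String> down = Collections.singleton("dc1.domain1.yourdomain.tld"); // constructed: dc1 is down
        Predicate<String> probe = h -> !down.contains(h);
        for (long now : new long[] {0L, 1000L, 2000L}) System.out.println("t=" + now + " -> " + rr.getDomainController(probe, now));
    }
}
```

Once dc1 fails on the first call it stays out of the rotation for 300000 ms, so the later calls alternate between the two remaining entries until the timeout expires and dc1 is tried again.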