D-Link Forums

The Graveyard - Products No Longer Supported => D-Link Storage => DNS-343 => Topic started by: hilaireg on September 23, 2009, 03:20:39 PM

Title: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: hilaireg on September 23, 2009, 03:20:39 PM
Hi All,

After some research, I've succeeded in getting 'Active Directory' functionality to work with F/W 1.03 & ADS Package 1.0.   I've managed to accomplish some connectivity (authentication) by configuring the Device Settings with:


Username  : DNSAdmin              <A/D Account /w Domain priviledges>
Password  : DNS343b4605a!
DNS1      : Provided via DHCP     <A/D Integrated>
DNS2      : Provided via DHCP     <A/D Integrated>
Host Name : DNSTORNAS01
Workgroup : TERRAFLORA
Realm Name: CORP.TERRAFLORA.COM   <internal A/D domain, NetBIOS is terraflora>
AD Server : DC1terraflora01



Note that the DNS-343 and test workstation were restarted between tests.


TESTS:

1) Behavior when selecting Active Directory as the Network Type so as to allow the DNS-343 to join the domain:

   RESULT:


  'Microsoft Windows Network'



2) Behavior when attempting to connect using DC1TERRAFLORA (Domain Controller, LMCompatibilityLevel=2):

   RESULT:


   EXPECTED BEHAVIOR:



3) Behavior when attempting to connect using a domain workstation (LMCompatibilityLevel=0, LMCompatibilityLevel=2, and/or LMCompatibilityLevel=3):

   RESULT:


   EXPECTED BEHAVIOR:



4) Behavior when attempting to connect by mapping the resource using a command prompt:

   NET USE X: \\DNSTORNAS01\Volume_1 /USER:<username> *
   NET USE X: \\###.###.###.###\Volume_1 /USER:<username> *


   RESULT:



5) Account Name/Password supplied at prompts throughout the tests:

   RESULT:

     Username: <REALM>\<username>    (ex: CORP\Administrator)
     Password: <password>            (ex: DNS343b4605a!)


   EXPECTED BEHAVIOR:

     Username: <WORKGROUP>\<username>   (ex: TERRAFLORA\Administrator)
     Password: <password>               (ex: DNS343b4605a!)



In summary, there continues to be an issue with prompting for username/password when initially double-clicking the DNS-343 object from 'Microsoft Windows Network'.  Additionally, there appears to be and issue with the credentials that need to be passed for authentication; in my tests, I should have had to supply TERRAFLORA\<username> and not CORP\<username>.


Cheers,
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: Jacques Amar on September 24, 2009, 12:08:02 PM
I am using Windows 7 x64 (MSDN RTM version) / Win2K8 ADS

DNS-343 gets the full user/group info correctly from server. However, I connot get authenticated for any usage. Neither from xmd prompt (NET USE) or Explorer (Map drive).

Error on cmd:
"Type the password for \\dlink-343\Volume_1:
System error 1326 has occurred.

Logon failure: unknown user name or bad password."

Explorer gives:
"... No process is on the other end of the pipe"

I'm using FW 1.03 with ADS 1.0

Any suggestion as to what I'm doing wrong? Or is this still a known bug?
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: hilaireg on September 24, 2009, 02:05:03 PM
What user name are you trying to pass?

If you are trying to use the NetBIOS (ex: TERRAFLORA\<username>) it will not authenticate.  Try using the first portion of the Realm Name.  For example, if the Realm Name is CORP.TERRAFLORA.COM, try using CORP\<username>.

If it's still fails, verify your DNS forward/reverse entries.

I assume the DNS is PING'able.

HTH,
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: D-Link Multimedia on September 24, 2009, 02:59:10 PM
Quote from: Jacques Amar on September 24, 2009, 12:08:02 PM
I am using Windows 7 x64 (MSDN RTM version) / Win2K8 ADS

Unfortunately we don't support 2008 yet. We are working on it =\.
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: Jacques Amar on September 24, 2009, 11:28:41 PM
Quote from: hilaireg on September 24, 2009, 02:05:03 PM
...
If you are trying to use the NetBIOS (ex: TERRAFLORA\<username>) it will not authenticate.  Try using the first portion of the Realm Name.  For example, if the Real Name is CORP.TERRAFLORA.COM, try using CORP\<username>.
....

Yes, I saw that subtle distinction and tried it. No love. I guess I need to wait for ADS module to work with Win2K8 ADS

Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: chaicka on September 27, 2009, 10:29:31 AM
Quote from: D-Link Multimedia on September 24, 2009, 02:59:10 PM
Unfortunately we don't support 2008 yet. We are working on it =\.

No wonder I am still facing problem with authentication. My AD forest is now on Native Win2008 mode.
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: synopsys on October 16, 2009, 07:25:06 AM
have you any idea when the support of AD2008 and AD2008R2 are ok? I need it!!!
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: njoylif on November 17, 2009, 07:40:36 AM
Yea, I can connect with my win2k8 server to the DNS when logged into that machine through AD (logged in via domain user).
when I try my win7, I'm logged in locally and can't connect via any attempt/combo of the above.
can't wait until 7 is supported with AD.
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: njoylif on November 17, 2009, 09:30:41 AM
is there a way to log in using local users while still allowing AD authentication?  That would at least allow a temporary work-around...
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: slackeruh on November 23, 2009, 01:24:27 PM
I believe this is the solution to the problem.  Windows 7 and the DNS-343 are not using the same authentication level.

Open up the local security policy by running secpol.msc

Navigate to Local Policies -> Security Policies

Change Network Security: LAN Manager authentication level to: Send LM & NTLM - Use NTLMv2 session security if negotiated.

I found the information here...
http://www.mostlyoperational.com/?p=86
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: hilaireg on November 26, 2009, 04:19:06 PM
@slackeruh:

Relaxing the LAN Manager Authentication Level addresses the immediate connectivity issues discovered for Windows 7 and exposes an additional problem, above the ones I noted, with the ADS 1.0 package.


@D-Link Engineering:

Have you had an opportunity to make any progress on an updated version of the ADS package?


Regards,
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: ITF1 on December 15, 2009, 12:38:07 AM
Quote from: hilaireg on November 26, 2009, 04:19:06 PM
@slackeruh:

Relaxing the LAN Manager Authentication Level addresses the immediate connectivity issues discovered for Windows 7 and exposes an additional problem, above the ones I noted, with the ADS 1.0 package.


@D-Link Engineering:

Have you had an opportunity to make any progress on an updated version of the ADS package?


Regards,
Hello,
any progress on this one? Server 2008 is not really a new product and it is hard to understand why it is not supported by a device which obviously aiming at the SOHO / SMB Market.
Regards
Anthony
Title: Re: ADS 1.0: Active Directory & Authentication Partially Broken
Post by: hilaireg on December 17, 2009, 03:01:29 PM
There hasn't been much response from D-Link Engineering on this one.  I'm not certain if the silence should be taken as "will not fix", "we're so busy on projects it isn't funny any more", or "we're working on it ... but we're so busy on projects it isn't funny any more"

 ;)


In any case, a quick response from their side would be most appreciated.

Cheers,