Active Directory UDF (II)

[fuse59650]

Hello,

I have an error with the version of Windows 11 24h2, when I want to make a connection to our Active Directory with the _AD_OPEN function, it fails with a return code 8 and an extended code -2147352567. With a 23H2 no problems. I use version 1.6.1.0 of your library and I also tried with the 1.6.3.0 without success.

Authentication is initiated from a machine not connected on AD (workgroup).

Here are the call parameters:

_AD_OPEN (User, Password, "DC = AD, DC = Univ-Lille, DC = Fr", "Ad.univ-lille.fr", "CN = configuration, DC = AD, DC = Univ-Lille, DC = FR ", 1)

Sincerely

[water]

1. Can you please call _AD_ErrorNotify(2) before calling _AD_Open and post the result?
2. Which format do you use for User/Password? Details can be found in the Remarks for _AD_Open:

   _AD_Open will use the alternative credentials $sUserIdParam and $sPasswordParam if passed as parameters.
   $sUserIdParam has to be in one of the following formats (assume: domain name = Contoso, DNS domain name = Contoso.com, samAccountName = DJ, Firstname = John, Lastname = Doe)
   * Windows Login Name/SamAccountName e.g. "DJ"
   * User Principal Name: UserPrincipalName attribute e.g. "John.Doe@Contoso.com"
   * User Principal Name: sAMAccountName plus DNS name of a domain in the same forest e.g. "DJ@Contoso.com"
   * The NetBIOS domain name, followed by a backslash ("\"), followed by the value of the sAMAccountName e.g. "Contoso\DJ"

    

[fuse59650]

Hello,

I use the SAM account with the associated password.

 

[water]

As you can see from field "Description" the username or password seem to be incorrect.

On 12/13/2024 at 2:57 PM, fuse59650 said:

_AD_OPEN (User, Password, "DC = AD, DC = Univ-Lille, DC = Fr", "Ad.univ-lille.fr", "CN = configuration, DC = AD, DC = Univ-Lille, DC = FR ", 1)

Unfortunately I no longer have access to an AD environment, so I have to ask a lot of questions

Does it make any difference when you remove the excess space characters?

_AD_OPEN (User, Password, "DC=AD,DC=Univ-Lille,DC=Fr", "Ad.univ-lille.fr", "CN=configuration,DC=AD,DC=Univ-Lille, DC=FR", 1)

of when you set $iSecurity to 0?

_AD_OPEN (User, Password, "DC=AD,DC=Univ-Lille,DC=Fr", "Ad.univ-lille.fr", "CN=configuration,DC=AD,DC=Univ-Lille,DC=FR", 0)

 

Edited Monday at 06:52 PM by water

[fuse59650]

Hello,

sorry if he seems to have spaces but no there is none. I also tried with the $ iSecurity parameter at 0 (2 too) but no change. It is really with the 24H2 version because with a 23H2 client and the same parameters, no problems. I mainly use your library under Winpe to install Windows images with a personalized configuration file.

I can stay with an 23H2 image but I wanted to raise the problem. It can wait until the day when you will have access to an Active Directory environment.
Otherwise I will try to test directly with "ADO Open Method" used in the _AD_OPEN function.
 

[water]

I do not know what changed from 23H2 to 24H2 😕 But I fear I will never know because me not having access to an Active Directory is permanent 😞

Maybe you get better error information when trying the following: https://www.autoitscript.com/wiki/Active_Directory_UDF_-_General#Error_handling
Specify the UserID as NetBIOS Login Name or User Principal Name and you will get additional information about the error.

It might be a problem of raised security requirements by MS as described here:

Here you can get more information about what changed (after 2020): https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a

Another idea: The MS Event Viewer might provide more detailed error information.

[water]

There seem to be problems with 24H2 and AD (according to Google).

UN&PW invalid (Username & Password): https://community.spiceworks.com/t/win11-24h2-breaks-ldap-authentication-for-enterprise-app/1139078/26
Solution seems to be to logon using  the NetBIOS Login Name e.g. "Your Domain\Your Userid"
(For details please see: https://www.autoitscript.com/wiki/Active_Directory_UDF_-_General#To_current_domain)

You get more hits when telling Google to search for "active directory windows 11 24h2 authentication failed"

If the NetBIOS logon does not work I suggest to stay with 23H2 until MS fixes the problem or someone can explain what else happened (raised security requirements ...).

 

Edited Tuesday at 02:22 PM by water

[fuse59650]

Okay, thank you very much for the information, I will follow it.