Gary Stanton

Reputation: 1435

coldfusion.security.NTAuthentication: Error in locating groups for user XXX in domain XXX

I'm using coldfusion.security.NTAuthentication provided with ColdFusion to interrogate an Active Directory setup on a Windows SBS, with the intention of returning the groups a specific user belongs to.

On my development machine, this is working absolutely fine - however on the live machine I'm seeing the following error:

Error in locating groups for user XXX in domain XXX.

The two machines are quite different, but not in any way that I think should matter.

Here's the set up:

Dev machine

Production machine

Active directory machine

It's worth noting that while these machines aren't identical, both are able to authenticate a user via the authenticateUser() method. This suggests that the class is functioning and able to connect to the AD server without problems. I'm also able to use <cfldap> to retrieve information about a user.

Here's some very simple code:

Local.ntauth            = createObject("java", "coldfusion.security.NTAuthentication");
Local.ntauth.init('MyDomain');                                                   // Bind the object to the domain
Local.Authenticated     = Local.ntauth.authenticateUser('Username', 'Password'); // Returns 'YES'
Local.Groups            = Local.ntauth.GetUserGroups('Username');                // Throws error

The issue isn't limited to the GetUserGroups method, a similar error occurs when attempting to use IsUserInGroup.

Can anyone help?

Upvotes: 2

Views: 298

Answers (1)

Gary Stanton

Reputation: 1435

This turned out to be an issue with Windows permissions. (Isn't everything?)

So, something I neglected to mention in the question is that the production server had been secured using the techniques detailed in the CF10 Lockdown Guide.

Part of this procedure involves creating a dedicated user for the ColdFusion service.

It seems that the GetUserGroups function worked if I used the standard 'Local System' user, but not if I used my dedicated ColdFusion user.

With a bit of help from the Process Monitor, I noticed that when the GetUserGroups function is called, a call is made to the Active Directory server to /PIPE/Samr.

When ColdFusion is running with the Local System user, this call is made by NT AUTHORITY\SYSTEM and returns a whole bunch of information - however when ColdFusion is running as the new dedicated user account, the call is made by that account and returns LOGIN FAILED.

Presumably there must be a way of granting the ColdFusion user, which is Local to the server, access to the Active Directory in such a way that a GetUserGroups call is allowed.

I'm not sure how to achieve that, so for now have reverted back to the Local System user, but I may revisit this and update my answer.

Upvotes: 2
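The behaviour described in the answer follows from how Windows service identities appear on the network: a service running as Local System (or Network Service) authenticates to the domain controller as the computer account (HOST$), which is a domain principal, whereas a local user account on the member server is unknown to the DC and has nothing the DC could grant rights to, so the SAMR bind fails. The following PowerShell check, added here and not part of the original answer, reads the ColdFusion service's logon identity and classifies it; the service name and domain name are assumptions, and the closing `net user` call reproduces the group lookup through the same SAMR pipe outside ColdFusion.

```powershell
# Added example (not from the original post): which identity does the ColdFusion
# service present to the domain controller when NTAuthentication calls \PIPE\samr?
$ServiceName = 'ColdFusion 10 Application Server'   # assumption: adjust to the installed service name
$Domain      = 'MyDomain'                           # assumption: the domain used in the question

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

$startName = $svc.StartName
Write-Host "Service '$ServiceName' logs on as: $startName"

# -Regex matching in PowerShell is case-insensitive, so 'NT AUTHORITY' vs 'NT Authority' both match.
switch -Regex ($startName) {
    '^(LocalSystem|NT AUTHORITY\\(SYSTEM|NetworkService))$' {
        # On the network these identities use the computer account, a domain principal,
        # so the DC accepts the SAMR connection (the case that worked in the answer).
        Write-Host "OK: network identity is $env:COMPUTERNAME`$ (domain computer account)"
    }
    '^NT AUTHORITY\\LocalService$' {
        # Local Service presents anonymous credentials on the network; SAMR will refuse it.
        Write-Host 'PROBLEM: Local Service is anonymous on the network'
    }
    "^(\.|$env:COMPUTERNAME)\\" {
        # A local account cannot be authenticated by the DC, which is the LOGON FAILURE
        # seen in Process Monitor; the usual fix is a (least-privilege) domain account.
        Write-Host "PROBLEM: '$startName' is local to this server; the DC cannot authenticate it"
    }
    "^$Domain\\" {
        Write-Host "OK: '$startName' is a domain account the DC can authorize"
    }
    default {
        Write-Host "Check manually: '$startName'"
    }
}

# Reproduce the failing lookup under the same identity, outside ColdFusion.
# Start this shell with:  runas /user:<service account> powershell
# NET USER /DOMAIN reads user info and group membership through the same SAMR pipe.
net user Username /domain    # 'Username' is the account from the question
```

Run the script as an administrator on the production server; if it reports a local account, the decision is between running the service as a domain account with minimal rights and staying on Local System as the answer does, since there is no way to grant a server-local account rights in Active Directory.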
