Tuesday, November 10, 2009

Why my head sometimes wants to explode

I found out the following the hard way today.

Right now we are in the middle of an Active Directory migration. I have Windows computers in our classrooms that authenticate to the old SunONE LDAP using an open-source product called pGina. The computers are joined to the domain, but most users don't have domain accounts yet.

A faculty member could not log into the classroom computer. A pGina error spit out "An unknown error has prevented your account from being created.\n\rThis may be due to policy or security settings as well as other machine configuration.\n\rPlease consult your administrator." Remember that no user object exists in AD for this user, so there are no password policies set in this case. He is also authenticating to SunONE. When I tested his username and password on a computer running pGina but not joined to the domain, I had no problems.

What we found is that the logins didn't like the dollar sign at the end of his password. We temporarily changed his password and it worked; when we changed it back, the problem returned. I suggested to him that he change his password permanently.

It's weirdness like this that makes technology interesting. Or difficult. Take your pick.

2 comments:

  1. I have solved this mystery, I believe. I just had it in my head that we had no limits on passwords for Active Directory, since we turned password complexity off temporarily. I didn't connect the dots until later that we still had password lengths set up to a minimum of six characters in our Domain GPO. Still, it's interesting that the computers wouldn't accept the shorter passwords even when authenticating against our old LDAP server.

  2. I'm currently trying to use pGina on WinXP to authenticate against an OpenLDAP directory and I'm getting the exact same error you've described. I went looking through the Windows Event Logs and I found a msg under "pGina". It said part of the information contained the string "Entered WlxActivateUserShell()." Have you ever seen anything like this before?

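The first comment points at the real cause: on a domain-joined member, the Account Policies in the Domain GPO (minimum length, complexity) also govern the local SAM, so the local account pGina creates after a successful LDAP bind is still subject to them even though AD never authenticated the user. The script below is an added example, not code from the post or from pGina; it reads the effective policy with secedit and checks a candidate password's length against it, assuming an elevated PowerShell session on the affected workstation.

```powershell
# Added example (not from the post or from pGina): show the password policy
# actually in force on this domain-joined client and test whether a password
# would survive the local-account creation step that pGina performs.
# Assumes an elevated PowerShell session on the affected workstation.

function Get-EffectivePasswordPolicy {
    $cfg = Join-Path $env:TEMP 'effective-secpol.inf'
    # secedit exports the effective local security policy; on a domain member
    # this already reflects the Account Policies pushed by the Domain GPO.
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

    $policy = @{ MinimumPasswordLength = 0; PasswordComplexity = 0 }
    Get-Content $cfg | ForEach-Object {
        if ($_ -match '^\s*(MinimumPasswordLength|PasswordComplexity)\s*=\s*(\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordLength {
    param([System.Security.SecureString]$Password, [hashtable]$Policy)
    # Only the length is inspected; the SecureString is never decrypted.
    return ($Password.Length -ge $Policy.MinimumPasswordLength)
}

$policy = Get-EffectivePasswordPolicy
"Effective MinimumPasswordLength : $($policy.MinimumPasswordLength)"
"Effective PasswordComplexity    : $($policy.PasswordComplexity) (1 = enforced)"

# Prompt as a SecureString so the value is neither echoed nor logged.
$candidate = Read-Host -AsSecureString 'Password to test (not stored)'

if (-not (Test-PasswordLength -Password $candidate -Policy $policy)) {
    $msg = 'Password has {0} characters; the effective minimum is {1}. ' +
           'Local account creation will be refused no matter which ' +
           'directory authenticated the user.'
    Write-Warning ($msg -f $candidate.Length, $policy.MinimumPasswordLength)
} else {
    'Length satisfies the effective policy; check complexity, lockout and the pGina event log next.'
}
```

`net accounts` prints the same minimum length in one line if you only need a quick look rather than a script.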