I am using the IADs::Get() method to retrieve "ntSecurityDescriptor" through the IADs interface.
Code Snippet:
#include <windows.h>
#include <activeds.h>
#include <iostream>
using namespace std;

// Link with activeds.lib and adsiid.lib; the caller must have called CoInitialize().
// dn, user and pass are the LDAP path and the explicit credentials to bind with.
HRESULT ReadSecurityDescriptor(LPCWSTR dn, LPCWSTR user, LPCWSTR pass) {
    HRESULT hr = S_OK;
    IADs* pADs = NULL;
    BSTR attrName = SysAllocString(L"ntSecurityDescriptor");
    VARIANT svar;
    VariantInit(&svar);
    // Bind to the object with the supplied credentials (secure authentication).
    hr = ADsOpenObject(dn, user, pass, ADS_SECURE_AUTHENTICATION, IID_IADs, (void**)&pADs);
    if (!SUCCEEDED(hr)) {
        cout << "ADsOpenObject Failed:" << hex << hr << endl;
        goto Cleanup;
    }
    // Read the attribute through the bound IADs object.
    hr = pADs->Get(attrName, &svar);
    if (!SUCCEEDED(hr)) {
        cout << "Get Failed:" << hex << hr << endl;
        goto Cleanup;
    }
Cleanup:
    VariantClear(&svar);
    SysFreeString(attrName);
    if (pADs) pADs->Release();
    return hr;
}
Here, I didn't receive any error codes, but Event 4625 is thrown in Event Viewer.
To verify which function causes the issue, I set some breakpoints, waited for each function to finish, and checked Event Viewer for the event. I found that ADsOpenObject() worked fine and bound with the LDAP path, username and password provided. But after the execution of IADs::Get(), Event 4625 is thrown in Event Viewer. From analyzing Event Viewer, I found that while calling IADs::Get(), it is using the system's logged-in account credentials to fetch data instead of the credentials that are bound to the IADs object, and this causes the error.
Event Details:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: test
Account Domain: testDomain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: testMachine
Source Network Address: x.x.x.x
Source Port: x
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Here, the account name used is the local account, but I bound the IADs object with a different username and domain, and that is not being used in IADs::Get(). How do I fix this issue? How do I configure IADs to make it use the credentials provided to ADsOpenObject()?
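For anyone triaging events like the one quoted above, here is a small parser (an added example, not code from the question) that groups the 4625 message body by section and decodes the Logon Type, Status and Sub Status values into their Windows names; the sample body is constructed from the event in the question, and the NTSTATUS and logon-type tables are standard Windows values.

```python
# Constructed sample: the event 4625 body quoted in the question, trimmed to the
# sections the summary below reads. "x.x.x.x" is the placeholder from the post.
SAMPLE_4625 = """Subject:
Account Name: -
Account Domain: -
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: test
Account Domain: testDomain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Network Information:
Workstation Name: testMachine
Source Network Address: x.x.x.x
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
"""

LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 8: "NetworkCleartext",
               9: "NewCredentials", 10: "RemoteInteractive"}
# NTSTATUS values Windows writes into the Status / Sub Status fields of a 4625 event.
STATUS_CODES = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
                0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def parse_4625(text):
    """Group 'Key: value' lines under the most recent 'Section:' heading."""
    sections, current = {}, "Header"
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":"):
            current = line[:-1]
        elif ": " in line:
            key, value = line.split(": ", 1)
            sections.setdefault(current, {})[key] = value
    return sections

def summarize_4625(text):
    """Decode the fields a responder reads first: who, how, and why it failed."""
    s = parse_4625(text)
    who, fail = s["Account For Which Logon Failed"], s["Failure Information"]
    codes = [int(fail[k], 16) for k in ("Status", "Sub Status")]
    return {
        "target": who["Account Domain"] + "\\" + who["Account Name"],
        "logon_type": LOGON_TYPES.get(int(s["Subject"]["Logon Type"]), "Unknown"),
        "status": [STATUS_CODES.get(c, hex(c)) for c in codes],
        "package": s["Detailed Authentication Information"]["Authentication Package"],
        "workstation": s["Network Information"]["Workstation Name"],
    }
```

For the quoted event this yields a Network (type 3) NTLM logon for testDomain\test failing with STATUS_NO_SUCH_USER, which says the target did not recognise that account name in that domain; that is the detail to compare against the domain and account actually passed to ADsOpenObject().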