Why do you need to include the AD server in "userWorkstations"?


Question

While connecting a Java application to an AD server, I got the below error:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1]

I understand that the error code 531 means "not permitted to logon at this workstation".

However, I checked the Log on to attribute on the AD server for that particular user and it had the IP of the workstation I was trying to login from.

I checked the below question and included the IP of the AD server as well in the log on to field and I am able to login now.

Unable to connect with AD from Java code

My question is, why does the IP/name of the AD server or domain controller have to be included for this to work?

Thanks

Answer

Whether or not you have to add DCs to an account's "Log on to..." restriction is entirely 100% dependent on the app that will be using it and whether or not that particular app sends the source workstation name in the logon request or if it just sends the IP without a workstation name. If it sends just the IP, then the source workstation field gets populated with the DC's name, which is why the DCs have to be added to the "Log on to..." restriction. This is most commonly encountered with non-Windows appliances/systems, like NetScalers for example.

Below is an example Security event ID 4625 for a logon attempt from a NetScaler appliance using an account that did not have the DCs added to its "Log On To..." restriction's list of accounts:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/27/2014 9:22:36 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      AD01.mydomain.com
Description:
An account failed to log on.

Subject:
        Security ID:              SYSTEM
        Account Name:             AD01$
        Account Domain:           MYDOMAIN
        Logon ID:                 0x3e7

Logon Type:                       3

Account For Which Logon Failed:
        Security ID:              NULL SID
        Account Name:             netscalersvc
        Account Domain:           MYDOMAIN

Failure Information:
        Failure Reason:           User not allowed to logon at this computer.
        Status:                   0xc000006e
        Sub Status:               0xc0000070

Process Information:
        Caller Process ID:        0x260
        Caller Process Name:      C:\Windows\System32\lsass.exe

Network Information:
        Workstation Name:         AD01
        Source Network Address:   192.168.5.5  <- NetScaler's IP, not AD01's IP
        Source Port:              64015

Detailed Authentication Information:
        Logon Process:            Advapi  
        Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Transited Services:       -
        Package Name (NTLM only): -
        Key Length:               0
