Active Directory: ADsOpenObject fails when called from a Windows Service running under Network Service account

1
votes

I have an application that can run as an EXE or as a windows service. This application, when it starts up, tries to connect to an Active Directory server and download a list of users that are members of a specified group. When I run as an EXE, this works fine, no problems. When I run as a windows service, I run under the Network Service account, and it does not work. Specifically, the following call to ADsOpenObject fails:

HRESULT hr = ADsOpenObject(ldapPath.c_str(),
        NULL,
        NULL,
        ADS_SECURE_AUTHENTICATION, 
        IID_IDirectorySearch, 
        (void**)&domainToSearch);
  • The failure code returned is 0x8007952E, which means "supplied credentials are invalid".
  • The value of ldapPath is something like this: L"LDAP://(server-ip)/DC=(server-name),DC=local"

As you can see, I am passing in NULL and NULL for the user name and password. When running as an EXE, this call will present the credentials of the logged in user. As long as that user has an account on the Active Directory server, this call will succeed. When running as a service under the Network Service account, as I understand it, this call will present the credentials of my computer. I added a computer account for my machine on the AD server, but this call still fails every time. I looked at the security event log on the server, and I can see that the logon attempts from my service are failing with the error "Unknown user or bad password", and the "Account Name" is (my computer)$. So it appears that I have not setup the computer account correctly on the AD server.

  • So my question is: What is the correct way to setup a computer account in Active Directory in order for a service running on that computer to be able to make an ADsOpenObject call without providing a user name and password?

I should also point out that my computer is logged into a different domain than the AD server I am trying to query, that is why I include the IP address in the LDAP string. Is that a problem? Again, this approach works fine from an EXE, so I assumed it would work fine from a Service.

1
c++active-directory
Is your computer on the same domain as the AD server?1201ProgramAlarm
"I added a computer account for my machine on the AD server" - Did you then join the computer to the domain? If you don't know how to check, run this in PowerShell and it should show the DNS name of the domain: (Get-WmiObject win32_computersystem).DomainGabriel Luci
No, my computer is not on the same domain as the AD server.noreastah

1 Answers

1
votes

No, my computer is not on the same domain as the AD server.

This is your issue. The computer can only authenticate to the domain using the computer account only if it is joined to the same or a trusted domain. Otherwise, the domain will have no idea who you are.

You can pass different credentials into ADsOpenObject. The username and password are the second and third parameters that you are setting to NULL.