OOB and AD user authentication
I set up Out of Band Management in SCCM 2007 R3 and everything was awesome. I could do the whole remote KVM thing and everything was working brilliantly. Now the problem is I had to disable everything and delete the AD objects very quickly because it was causing authentication issues with other AD-integrated systems.

In our environment we have the computer names the same as the username of the person logging onto the PC. This is where the problem arises. When a user logs onto the other system, the LDAP query on this system gets the AMT account instead of the user account due to the AMT account having the same object category as a user. This even prevented the one person testing the KVM feature from connecting to his own machine since it had been provisioned. We figured out that it was the AMT object causing the problem by deleting one of the objects and testing the other systems again, and they worked again instantly after the AMT object was deleted.

I am wondering if anyone had or has a similar situation and knows how to work around this problem? I can't really do any testing of this currently as I had to do a quick disable and removal to keep our users working. I really want to get this working again because after trying it out and seeing how awesome it works I don't want to not be able to use it. Thanks for any suggestions or help.
April 16th, 2012 6:57am
"In our environment we have the computer names the same as the username of the person logging onto the PC. This is where the problem arises."

Hi, this is exactly correct. This scenario is your cause, and the solution is don't do that. Rename all your computers, or rename all your users. (I know it's easily said and not so easily done, but there you have it.) Not all applications/services are written to comprehend that what you have implemented is permitted/legitimate (even if very confusing to somebody unfamiliar with such a convention). Many years ago (when LANManager and NETBIOS ruled the LANd), this was a scenario explicitly discouraged, for similar reasons. http://support.microsoft.com/kb/310845

There are probably various documents around that will state that it is both allowed, and also not allowed. Even if you find a solution for the current challenge for OOB, there will be some other application/service waiting to torture you with this limitation down the road ahead. My suggestion is that you deal with it now, rather than have the issue return sometime later.

Don
April 18th, 2012 7:27am