CFNTauthenticate and PDC emulator
Ryan, Terrence 07/14/06 01:21 P

Environment:
ColdFusion 6 and 7 running on Windows 2003 Servers
Active Directory Domain running in Native Mode on Windows 2003 Servers

I recently had a problem where CFNTauthenticate on ColdFusion 7 stopped working. All attempts to authenticate were failing with the error of "UserNotInDir" failure if throwonerror was set to false. If throwonerror was set to true, then I got the message: "Could not find domain controller for this domain <domainname.>"

Additionally, similar results were experienced by ColdFusion 6 servers using the ntauth class for domain authentication.

At the same time this occurred, one of our domain controllers was down due to a switch failure. However, we have many redundant domain controllers spread over three sites, including one in the same rack as our CF servers. No other services (Exchange, Machine Logins, etc.) were impacted.

Upon further inspection, it was determined that one of the DCs that was down was playing the Active Directory FSMO role of PDC emulator. Further testing shows that we cannot get authentication to work if a ColdFusion machine is unable to contact the PDC emulator, regardless of the state of the rest of the domain.

In order to work around this, I'm developing an alternative authentication piece that uses LDAP authentication against the domain, and can switch between domain controllers if one is down. I can do it, and make it pretty robust, but I'm worried, though, that I may be overthinking this.

Has anyone else experienced this? If you have, short of getting the PDC emulator back online, is there a way around this?

Any other opinions or feedback would be welcome.

Terrence Ryan
Senior Systems Programmer
Wharton Computing and Information Technology
E-mail: tpryan@wharton.upenn.edu

Dawson, Michael 07/14/06 05:34 P

I don't think you are overthinking it. I build an LDAP CFC that will test a list of DCs until it finds one that is responding to LDAP requests.

You have a pretty detailed post, so I may be stating the obvious. Did you restart your CF services yet?

M!ke

Ryan, Terrence 07/14/06 05:45 P

I left that out, but yes, to no avail.

I'm wondering if there is a good reason to use CFNTauthenticate at all if it is so fragile.

Terrence Ryan
Senior Systems Programmer
Wharton Computing and Information Technology
E-mail: tpryan@wharton.upenn.edu
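
The failover approach both posters describe (try an LDAP bind against a list of DCs until one answers), as an added example that is not code from this thread. It is written in Python rather than CFML so the logic can be run offline; `authenticate`, `DCUnavailable`, `ldap3_bind`, `fake_bind` and the `dc*.example.test` hosts are assumptions made for the illustration.

```python
import ssl

# Constructed sample hosts; every name in this block is made up for the
# illustration and does not come from the thread.
SAMPLE_DCS = ["dc1.example.test", "dc2.example.test", "dc3.example.test"]


class DCUnavailable(Exception):
    """Raised by a binder when a domain controller cannot be reached."""


def authenticate(username, password, dcs, bind):
    """Return (status, dc); status is 'ok', 'denied' or 'unavailable'."""
    # An empty password makes a simple bind "unauthenticated", which some
    # directory servers accept as success. Never forward it.
    if not username or not password:
        return ("denied", None)
    for dc in dcs:
        try:
            accepted = bind(dc, username, password)
        except DCUnavailable:
            continue  # only this DC is down: try the next one
        # A reachable DC gave a definite answer. Stop here so a wrong
        # password is not replayed against every DC in the list.
        return ("ok" if accepted else "denied", dc)
    return ("unavailable", None)  # an outage, not a failed login


def ldap3_bind(dc, username, password, timeout=5):
    """Simple bind over LDAPS with the ldap3 package (imported lazily)."""
    from ldap3 import Connection, Server, Tls
    from ldap3.core.exceptions import LDAPCommunicationError
    tls = Tls(validate=ssl.CERT_REQUIRED)  # verify the DC's certificate
    server = Server(dc, port=636, use_ssl=True, tls=tls, connect_timeout=timeout)
    conn = Connection(server, user=username, password=password)
    try:
        accepted = conn.bind()
    except LDAPCommunicationError as exc:
        raise DCUnavailable(dc) from exc
    if accepted:
        conn.unbind()
    return accepted


def fake_bind(down, good_password):
    """Constructed offline stand-in: DCs listed in `down` do not answer."""
    def bind(dc, username, password):
        if dc in down:
            raise DCUnavailable(dc)
        return password == good_password
    return bind
```

Pass `ldap3_bind` as the `bind` argument against a real directory; `username` is whatever form the directory accepts for a simple bind, for Active Directory typically a UPN such as user@domain.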