Error: 'The Directory and Resource Administrator Server cannot identify the client.' When Modifying (NETIQKB10489)

  • 7710489
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

symptom
Error: 'The Directory and Resource Administrator Server cannot identify the client.' When Modifying User Account Properties

symptom

This issue occurs under a specific set of circumstances only:

  • Directory and Resource Administrator is managing a Windows 2000 Active Directory domain.
  • The DRA Web Component is installed on an IIS server that is not the DRA server in use by the Assistant Admin.
  • The Assistant Admin has been delegated the power to add computer accounts. (A Built-in Admin does not encounter this issue.)
  • The Assistant Admin client workstation is running Windows 2000 with IE 6, or
  • The Assistant Admin client workstation is running a version of Windows older than Windows 2000 with any version of Internet Explorer.


cause

This issue is a result of how authentication works at both the client workstation and the domain level.

When the DRA Administration server and the DRA Web Component are installed on different servers, the authenticated request from the client workstation first goes to the IIS server. The IIS server must then pass it on to the DRA Administration server, which in turn must authenticate to the domain on the user's behalf to perform the operation. This is known as double-hop authentication.

The default authentication protocol in a Windows 2000 domain is Kerberos. If Kerberos cannot be used, the client falls back to NTLM. NTLM does not forward the user's credentials, so the second hop (IIS server to DRA server) cannot be authenticated as the user and the DRA operation that made the request fails. When the operation is adding a computer account, the result is the error described above. A client workstation running anything older than Windows 2000 produces the same result, because only Windows 2000 and later operating systems can authenticate with Kerberos; Windows 9x and Windows NT use NTLM only.

An Assistant Admin workstation running Windows 2000 with IE 6 in its default configuration also encounters this issue, because IE 6 ships with Integrated Windows Authentication turned off and therefore authenticates with NTLM rather than Kerberos. Windows 2000 with IE 5.x does not encounter the problem.



fix

To correct this situation, make sure that the client workstations are running Windows 2000 and that the computer account of the IIS server hosting the DRA Web Component is trusted for delegation in Active Directory. Note that on Windows 2000 this is unconstrained delegation: once enabled, the IIS server can impersonate any user who authenticates to it against any service in the domain, so enable it only on the servers that need it. Also, if the workstations are running IE 6, a setting that is new to IE 6 must be changed. Perform the following steps to modify this setting:

  1. Launch IE.
  2. Select Internet Options from the Tools drop down menu.
  3. Click the Advanced tab.
  4. Scroll to the Security section at the bottom of the list of options.
  5. Select the Enable Integrated Windows Authentication (requires restart) option.  This option is not selected by default.
  6. Click OK and close IE.
  7. Reboot the client workstation.

After performing these steps, the Assistant Admin should be able to create a computer account successfully.
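The following PowerShell script is an added example, not part of the NetIQ article, that verifies the two conditions the fix depends on: that the IIS server's computer account carries the TRUSTED_FOR_DELEGATION flag (bit 0x80000 of userAccountControl, the "Trust computer for delegation" checkbox), and that the current user's IE has Integrated Windows Authentication enabled (the DWORD EnableNegotiate under the per-user Internet Settings registry key, which is what the Advanced tab option writes). The server name DRAWEB01 is an assumption; substitute your own. PowerShell does not run on Windows 2000 itself, so run this from a newer administrative workstation, or check the same registry value with regedit on the Windows 2000 client.

```powershell
# Added example (not NetIQ's code). Assumed name: the IIS host running the
# DRA Web Component is 'DRAWEB01'. Run as a domain user on a domain member.
$WebServerName = 'DRAWEB01'

# --- Check 1: is the IIS computer account trusted for delegation? ---
# TRUSTED_FOR_DELEGATION is bit 0x80000 of userAccountControl. Without it,
# IIS cannot forward the user's Kerberos identity to the DRA server (second hop).
$TRUSTED_FOR_DELEGATION = 0x80000

function Test-TrustedForDelegation {
    param([string]$ComputerName)
    # Computer accounts have sAMAccountNames ending in '$'. Search the current
    # domain with plain ADSI so no ActiveDirectory module is required.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if ($null -eq $result) {
        throw "Computer account '$ComputerName' not found in the current domain."
    }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    return (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
}

# --- Check 2: does IE use Integrated Windows Authentication for this user? ---
# IE stores "Enable Integrated Windows Authentication (requires restart)" as
# the DWORD EnableNegotiate (1 = enabled). When it is 0 or absent, IE never
# offers Negotiate/Kerberos and falls back to NTLM, which cannot be delegated.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-IEIntegratedAuth {
    $props = Get-ItemProperty -Path $ieKey -Name EnableNegotiate -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.EnableNegotiate -eq 1)
}

function Enable-IEIntegratedAuth {
    # Same effect as ticking the option under Internet Options > Advanced >
    # Security. The change takes effect only after the workstation restarts.
    Set-ItemProperty -Path $ieKey -Name EnableNegotiate -Value 1 -Type DWord
}

if (Test-TrustedForDelegation -ComputerName $WebServerName) {
    Write-Host "$WebServerName is trusted for delegation."
} else {
    Write-Warning "$WebServerName is NOT trusted for delegation; enable it on the computer account in Active Directory Users and Computers, then retry."
}

if (Test-IEIntegratedAuth) {
    Write-Host "IE Integrated Windows Authentication is enabled for the current user."
} else {
    Write-Warning "IE Integrated Windows Authentication is disabled; enabling it now (restart required)."
    Enable-IEIntegratedAuth
}
```

The delegation check deliberately reads the raw userAccountControl bit rather than relying on a GUI checkbox, so it can be run against every IIS server that hosts the DRA Web Component and reveal any that are missing the flag. Because the flag grants unconstrained delegation, the same query with the filter inverted is also a quick way to audit which other computer accounts in the domain already carry it.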



Additional Information

Formerly known as NETIQKB10489