Active Directory on Konica Minolta C353

**jayg30** · 09-16-2014

Hello. I've been struggling to get external server authentication working on this machine and simply can't get it. I've read various threads (like this ONE) and have checked a bunch of settings. All seems to be correct. I think perhaps I might just be misunderstanding the "Konica Minolta" terminology for some of the fields though.

AD domain Name: "internal.company.com"
Pre-Windows 2000 (NetBIOS) Domain Name: "internal"
Realm: "internal.company.com"
Server hostname: "vdc01"
IP address of ADDC (vdc01): 192.168.0.5

In the Networking tab I have setup a static IP.Primary DNS is set to the Active Directory server which also runs the DNS. DNS Default Domain Name is set to the active directory domain name. Not sure if that is correct. Also have no clue what if anything I would need to put in the Search Domain Name entries.

networkingdns.jpg

I've read some comments about SMB settings, but I already had those set.

smb.PNG

So then you have the External Server registration. I'm not really sure about this.
The documentation I read seems to imply that the "External Server Name" is just a friendly name given for the entry and not anything important. I don't know if the default domain name is the DNS name of the AD Server (hostname). Or is it the FQDN (vdc01.internal.company.com). Or is it just the domain name (internal.company.com) which I already entered in the networking section.

externalserver.PNG

I've tried a bunch of settings and can't seem to authenticate with my username and login details. The Active Directory is working fine for all the computers on the network. I even connect to it through other tools (like monitoring software). I was able to authenticate through LDAP as an external server but the login actually required me to type "username@internal". I also have LDAP setup (with a login and search base) for address book purposes.

I'm really stumped why I can't get this to work.

**jayg30** · 09-17-2014

So NTLMv2 looks like it works. Everything the same as posted above expect for the external server I had to put;
vdc01.internal.company.com

Still won't work if set to active directory though and I have no idea why. I also suspect that NTLMv2 won't provide some of the things that using AD will, so would still be interested in getting that working correctly.

**jayg30** · 09-17-2014

I did a tcpdump and opened it up with wireshark. The first dump using AD domain name as "vdc01.internal.company.com" didn't look right at all. Did a second dump using "internal.company.com" and it looks like it is connecting to the server, binding to LDAP, getting Kerberos, and so on. However at the end there is;

Summary

Code:

55    0.049609    192.168.0.5    192.168.0.240    LDAP    124    bindResponse(3) invalidCredentials (SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE)

Details

Code:

LDAPMessage bindResponse(3) invalidCredentials (SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE)
    messageID: 3
    protocolOp: bindResponse (1) 
           bindResponse
              resultCode: invalidCredentials (49)
              matchedDN: 
              errorMessage: SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE
              serverSaslCreds: <MISSING>

I know the credentials I'm using are good (I use them to login to all servers/desktop in the domain). I'm not an expert with wireshark and haven't used it to inspect packets in many years. If anyone out there thinks they can point me in the right direction that would be great. I can send the tcpdump if necessary.

Thanks

**slimslob** · 09-17-2014

Have you tried turning On "DNS Domain Auto Obtain" in "DNS Domain Name Setting" and "DNS Server Setting"? If for no reason other than to see if it returns any different information than what you have entered manually. Same can be said for obtaining IP Address from DHCP

**emujo** · 09-17-2014

Somewhat related...AD will not work if time is off by even a small amount. Try turning time server on and use their NTP server to get the server/MFP times synched. Search base would not be required using AD, only the correct domain settings. Emujo

**jayg30** · 09-18-2014

Originally Posted by slimslob

Have you tried turning On "DNS Domain Auto Obtain" in "DNS Domain Name Setting" and "DNS Server Setting"? If for no reason other than to see if it returns any different information than what you have entered manually. Same can be said for obtaining IP Address from DHCP

I have turned on auto obtain in the past, however I'm not exactly sure how to tell what it obtains because I don't see it displayed anywhere. However I control and setup the entire network so I do have a strong knowledge of how everything is configured. I'm positive it isn't gettiing the right value when set to auto obtain because I don't believe I ever set the network up to distribute domain info automatically. I assume it would attempt to obtain it from a DHCP server. Also since I have the printer setup with a static ip, things like auto obtain are probably not going to work.

I'm pretty sure I have the domain name settings correct because of ping tests I've done. If I don't set it and ping a domain resource by just hostname (server1) it fails and you have to define the fqdn (server1.internal.company.com) to get a response. However with the domain (internal.company.com) entered you can then ping by just hostname (server1). And the DNS server gas to be set right or that wouldn't work, plus its the only dns server right now and I set it up so not much of an option really (I push the same info via DHCP).

After seeing the packet info I'm thinking it's something on the AD server. Something being sent by the printer not being handled by the AD server correctly. I'm going to reach out on that end for some help also.

**jayg30** · 09-18-2014

Originally Posted by emujo

Somewhat related...AD will not work if time is off by even a small amount. Try turning time server on and use their NTP server to get the server/MFP times synched. Search base would not be required using AD, only the correct domain settings. Emujo

Yep aware of that also and checked. The time on the printer is set to sync with the NTP server which is also installed on the AD server (192.168.0.5). Time seemed to be synced without issue. I also setup the NTP server so did check that.