I'm having trouble with an accounting application we use across multiple workstations. Recently, it started crashing when accessing records involved in workflow processes, specifically during vendor and batch approvals. This issue affects nearly all machines, but one seems to work fine. I checked the internal debugging logs and found that the last executed statement is a call to a function named GetUserByUser, which appears to be an LDAP lookup to Active Directory to retrieve information about users who can approve workflow steps. Using Wireshark, I noticed the LDAP query to the domain controller (DC) works differently between machines: the working one has a small query and a small response, while the non-working ones have the same small query but a huge response that's likely causing the crash. Unfortunately, all LDAP queries are encrypted, so I can't see what's being returned. I've also checked the DC event logs for more details and tried error logging by adjusting registry settings, but so far, I haven't found anything helpful. I'm wondering if there's a way to view the contents of the LDAP query result to identify the issue better.
2 Answers
Look into the event logs for 1644 events; they show you the LDAP query filter, visited entries, returned entries, and indexes used. Also, check for Event IDs 1216 or 1213 to see if there are any client issues. If possible, could you change between LDAP and LDAPS connections?
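Worked example of the 1644 approach from the answer above (added here, not part of the answer or of any product): run as an administrator on the DC, turn on Field Engineering logging, reproduce the approval step from a failing and a working workstation, and compare the Filter / Visited entries / Returned entries / Used indexes fields per client. The threshold defaults (10000 and 1000) and the "Label: value" layout of the 1644 message body are assumptions to verify against your DC.

```powershell
# Added example: enable Event ID 1644 logging on a domain controller and summarise the
# resulting events so oversized LDAP responses stand out. Run as admin on the DC.
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-Ldap1644Logging {
    # Level 5 on "15 Field Engineering" makes the DC write 1644 events.
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
    # Thresholds of 1 make nearly every search qualify; keep this window short.
    # Assumed defaults: 10000 (expensive) and 1000 (inefficient).
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value 1 -Type DWord
    Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value 1 -Type DWord
}

function Disable-Ldap1644Logging {
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value 10000 -Type DWord
    Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value 1000  -Type DWord
}

function Get-Ldap1644Summary {
    param([datetime]$Since = (Get-Date).AddMinutes(-15))
    # Assumption: the 1644 message text carries one "Label: value" line per field below.
    $labels = 'Client','Starting node','Filter','Search scope','Visited entries','Returned entries','Used indexes'
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $row = [ordered]@{ Time = $_.TimeCreated }
            foreach ($label in $labels) {
                $pattern = '(?m)^' + [regex]::Escape($label) + ':\s*(.*)$'
                $m = [regex]::Match($_.Message, $pattern)
                $row[$label] = if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
            }
            [pscustomobject]$row
        }
}

# Capture while the crash is reproduced, then list the largest responses first.
Enable-Ldap1644Logging
Read-Host 'Reproduce the approval step on a failing and a working workstation, then press Enter'
Get-Ldap1644Summary |
    Sort-Object { [int]($_.'Returned entries' -replace '\D', '') } -Descending |
    Format-Table Time, Client, 'Returned entries', 'Visited entries', Filter, 'Used indexes' -AutoSize -Wrap
Disable-Ldap1644Logging
```

A failing workstation's row should show the same Filter as the working one but a far larger Returned entries count; the Starting node and Used indexes columns then tell you whether the difference is in the search base or in which attribute the query hits.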
You might want to check out ADInsight. It hooks into the API calls and could help you see LDAP queries even if they’re encrypted. Just a heads up, though, it hasn’t been updated since 2015, so results could vary.
Man, I was really hoping it would work. Just confirmed it doesn't seem to function anymore.
I don’t think switching is an option since I believe it’s using the default Windows LDAP. I'll take another look at those 1644 messages. Thanks!