Re: NTLM authentication

"Mark Rae" <mark@xxxxxxxxxxxxxxxxx> wrote in message news:%23X$f4t$LHHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
"Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx> wrote in message news:ei65ff$LHHA.3952@xxxxxxxxxxxxxxxxxxxxxxx

Won't work, the OP is in a Windows NT4 domain not an ActiveDirectory domain, there is no LDAP server on the DC.

My mistake - apologies for not reading the OP closely enough...


Well, this is quite confusing, the OP should have been more explicit in it's original posting.

Also, using above (DirectoryServices aka. ActiveDirectory) to authenticate a windows user is bad practice, I keep saying this.

Why? What would you recommend instead...?

Well, it depends on so many things, like the OS versions, Domain versions (if any) client types (windows non windows) and the final purpose of the authentication act.
Some alternatives are :
call Win32 LogonUser(), but while this validate a Windows user, it's purpose is to return an access token.
use the SSPI set of security API's, these can be used to authenticate using different protocols even for non Windows users. Unfortunately the V2 framework classes don't expose all of their functionalities. V3 does a far better job, but here they relate more to the WCF, than for generic authentication purposes.
On A W2K/W2K3 realm, you can use LDAP to authenticate against an AD domain, note here I'm talking about LDAP, that is using System.DirectoryServices.protocol classes!!! The same remark here as above, some network manager will not allow you to authenticate using LDAP against a corporate Directory.


Anyway, using DirectoryServices just for authentication is not the right way of doing, just watch the amount of data passed when binding to the AD when doing so and you will understand why (but there is more). The Directory is kind of a DB which can store a lot of objects, authentication is part of the "authorization" process, that is, before you can access the objects stored in the directory, you have to prove "who you are" so that the DirectoryService can perform authorization controls. So basically it's the start of a longer transaction, but if you only perform the authentication step, you are needlessly hitting the service. It's funny that people never authenticate against, let's say against a SQL server, but find is quite usual to do it against a Directory server.

Willy.



.

Relevant Pages

  • Re: [opensuse] LDAP served network
    ... One LDAP server and one LDAP client. ... I use pam to configure the various services to perform ... an ldap authentication. ...
    (SuSE)
  • Re: Directory Services, LDAP or similar
    ... In other projects, we managed the user authentication by creating tables that define all users and its allowed capacities, then the application queryies that data to verify if a user has access to some feature or not. ... The above ID and password are sent to the service at login time. ... They are using Novell eDirectory at the enterprise level; yes it's LDAP. ... We already do that for three different DB servers; ...
    (borland.public.delphi.non-technical)
  • Re: [opensuse] LDAP served network
    ... One LDAP server and one LDAP client. ... Server_1 is file a group file server with several shares with common ... I think so, I've all my server performing an ssh ldap authentication, ... I use pam to configure the various services to perform ...
    (SuSE)
  • Re: Directory Services, LDAP or similar
    ... we managed the user authentication by creating tables ... The above ID and password are sent to the service at login ... Novell eDirectory at the enterprise level; yes it's LDAP. ... servers; ...
    (borland.public.delphi.non-technical)
  • LDAP Weirdness (Solaris 9)
    ... I'm having a very odd problem with LDAP authentication on a Solaris 9 ... The LDAP server is running OpenLDAP with a self-signed ... that you would expect for an account that doesn't exist. ...
    (comp.unix.solaris)