Re: NTLM authentication
- From: "Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx>
- Date: Thu, 4 Jan 2007 18:21:44 +0100
"webrod" <rodolphe.aoustin@xxxxxxxxx> wrote in message news:1167922910.784103.5320@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You could also opt for a simple authentication scheme against a local identity store like
ADAM (sure this needs W2K3 or XP SP2), you could even authenticate against the NT4 DC over
NTLM using a ProxyUserObject in ADAM , but I seriously doubt this is all worth the trouble
you are not authenticating end to end anyway.
okay okay, I have done a test by mistake and I guess this is what you
are speaking about here.
My DC is NT.
I have installed ADAM, I have not added any users in ADAM (!!).
If I do this:
using System;
using System.DirectoryServices;

public static class NtlmLogon
{
    public static bool Logon(string pstrDomain, string pstrUser, string pstrPassword)
    {
        try
        {
            // Constructing the entry does not contact the server yet.
            using (DirectoryEntry objADEntry = new DirectoryEntry("LDAP://" + pstrDomain, pstrUser, pstrPassword))
            {
                // Touching NativeObject forces the LDAP bind; it throws if the credentials are rejected.
                return !objADEntry.NativeObject.Equals(null);
            }
        }
        catch (System.Runtime.InteropServices.COMException)
        {
            // Bind failed (bad credentials or server-side error).
            return false;
        }
        catch (Exception)
        {
            // Anything else is unexpected; let it propagate.
            throw;
        }
    }
}
and provide the pstrDomain of ADAM, it works!!
It authenticates the user against the NT DC (SAM database) using ADAM!!
That's unbelievable!
I guess I can even get the Groups associated to the user. I am doing
more tests.
I think this is the solution to my problem, don't you think??
If my customers have a NT DC, then I can install ADAM and use it to
authenticate?
I guess this is what you were saying when you said "using a ProxyUserObject
in ADAM".
Not exactly.....
when you call this...
DirectoryEntry("LDAP://" + pstrDomain, pstrUser, pstrPassword))
followed by... (important!)
objADAM.NativeObject.Equals(null);
you are actually binding against the server pstrDomain using pstrUser, pstrPassword as credentials for the bind (done by objADAM.NativeObject.Equals(null);).
That means that you are authenticating against the LOCAL account DB (the SAM of pstrDomain) using NTLM. But, you can't use this to authenticate domain credentials (username\domain). In order to make this work for domain credentials, you need to set up a UserProxy object in ADAM so you can perform a bind redirection, but, and this is the BAD news, this requires an AD domain (yes, I was wrong in suggesting it would work with NT4 domain DC's).
As I said earlier, NT4 is the culprit here; add an AD domain to your requirements. Make your customers understand that they need to get rid of this NT4 stuff, it's legacy and no longer supported.
Willy.
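Willy's point about where the bind really happens, as an added example (not code from this thread): the DirectoryEntry constructor sends nothing over the network, the credentials are only transmitted when the object is first used, so that first use is what must sit inside the try. This version also separates a rejected logon from a server that could not be reached, so an outage is never reported as a wrong password. The host name in the comment and the BindResult type are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Hypothetical result type for the caller; not part of the original post.
public enum BindResult { Success, BadCredentials, ServerUnavailable }

public static class LdapBindCheck
{
    // HRESULT_FROM_WIN32(ERROR_LOGON_FAILURE): "The user name or password is incorrect."
    private const int E_LOGON_FAILURE = unchecked((int)0x8007052E);

    // serverPath is something like "LDAP://adamhost:389" (placeholder host).
    public static BindResult TryBind(string serverPath, string user, string password)
    {
        // Refuse empty credentials up front: depending on the server an empty
        // password can turn into an anonymous bind that "succeeds".
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return BindResult.BadCredentials;

        // Secure = SSPI (NTLM/Kerberos) rather than a clear-text simple bind;
        // Signing/Sealing protect the session once the bind has completed.
        AuthenticationTypes authType = AuthenticationTypes.Secure
                                     | AuthenticationTypes.Signing
                                     | AuthenticationTypes.Sealing;
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(serverPath, user, password, authType))
            {
                // Nothing has hit the wire yet. RefreshCache() forces the bind,
                // exactly as objADEntry.NativeObject did in the original post.
                // Against a stand-alone server or ADAM this is checked by the
                // local SAM; domain credentials need the UserProxy redirection.
                entry.RefreshCache();
                return BindResult.Success;
            }
        }
        catch (COMException ex)
        {
            if (ex.ErrorCode == E_LOGON_FAILURE)
                return BindResult.BadCredentials;   // server rejected the account/password

            // Host down, wrong port, LDAP error: not a credential verdict at all.
            return BindResult.ServerUnavailable;
        }
    }
}
```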