Re: ADAM

From: donna.tidwell (anonymous_at_discussions.microsoft.com)
Date: 02/12/04 

Date: Thu, 12 Feb 2004 13:27:20 -0800

I need the logging be in the IIS log. My log analyzer
program can only read the IIS log. Is there any way to
get ADAM to generate the CS_username variable in the IIS
log? Do you know what generates the CS_username variable
in the IIS log? Site Server's LDAP services put the user
name in the IIS log as the CS_username variable. We are
using an LDAP call to ADAM I was wondering why it is not
sending the information to the IIS log like Site Server's
LDAP.

>-----Original Message-----
>If you need logon auditing, then ADAM can do this,
although it will go into
>Security log, not IIS log. Just enable Account Logon
auditing in the group
>policy. You will get an event like this one:
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: Account Logon
>Event ID: 680
>Date: 2/11/2004
>Time: 4:39:03 PM
>User: Domain\userName
>Computer: ADAM_MACHINE_NAME
>Description:
>Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: username
> Source Workstation: CLIENT_MACHINE_NAME
> Error Code: 0x0
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>
>
>
>For ADAM users, you will get this kind of audit:
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: Account Logon
>Event ID: 680
>Date: 2/11/2004
>Time: 4:38:06 PM
>User: S-1-439939821-1707116567-3694986241-1098450955-
1252665478-3949904892
>Computer: ADAM_MACHINE_NAME
>Description:
>Logon attempt by: ADAM_test
> Logon account: CN=test,O=msft,L=wa,C=us
> Source Workstation: -
> Error Code: 0x0
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>
>
>--
>Dmitri Gavrilov
>SDE, Active Directory Core
>
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>Use of included script samples are subject to the terms
specified at
>http://www.microsoft.com/info/cpyright.htm
>
>"Donna.tidwell" <anonymous@discussions.microsoft.com>
wrote in message
>news:ea8601c3f0e7$d1d625d0$a001280a@phx.gbl...
>> The IIS website uses an LDAP call to the ADAM server.
In
>> the past we used Site Server LDAP to authenticate. The
>> Site Server LDAP call logged to the IIS Log. We were
>> wondering if the LDAP call to ADAM could do the same
>> thing, so we can track authenticated users in our
>> reporting tool. Any ideas?
>>
>>
>> >-----Original Message-----
>> >You can not use ADAM for IIS authentication, at least
not
>> directly. ADAM
>> >users can not be impersonated by IIS threads (because
>> they are not windows
>> >security principals), and thus, IIS can not log them in
>> its logs. How
>> >exactly do you use ADAM to do authentication?
>> >
>> >That said, we are working on a proper solution to use
>> ADAM for IIS
>> >authentication. Not quite there yet.
>> >
>> >--
>> >Dmitri Gavrilov
>> >SDE, Active Directory Core
>> >
>> >This posting is provided "AS IS" with no warranties,
and
>> confers no rights.
>> >Use of included script samples are subject to the terms
>> specified at
>> >http://www.microsoft.com/info/cpyright.htm
>> >
>> >"basin" <donna.tidwell@ipaper.com> wrote in message
>> >news:ed4a01c3f0c4$ce641e70$a601280a@phx.gbl...
>> >> Our web reports have never had any trouble logging
and
>> >> reporting on authenticated users when we use nt
>> >> authentication, site server authentication, etc.
>> >> We moved to ADAM, which requires no special setup in
>> IIS,
>> >> and now we cannot track authenticated users in our
iis
>> log
>> >> files.
>> >> How can we get ADAM to log user info to iis logs??
>> >> Thanks for any help!
>> >
>> >
>> >.
>> >
>
>
>.
>