Re: ADAM
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/13/04
- Next message: Grant: "Changing FRS staging folder"
- Previous message: Zul: "Re: Short Date Format thorugh group policy"
- In reply to: Dmitri Gavrilov [MSFT]: "Re: ADAM"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 12 Feb 2004 21:53:19 -0600
Would it be possible to integrate LDAP auth against ADAM into an ISAPI
filter or some other sort of IIS extension in order to be able to generate
this? It sounds painful to me, but perhaps a solution...
Joe K.
"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:OUssGPc8DHA.2432@TK2MSFTNGP10.phx.gbl...
> This has nothing to do with LDAP. SiteServer was heavily IIS oriented,
> therefore they did this special-case tweak that produces an event in IIS
> log. ADAM, a product which is not at all related to SiteServer, does not
> know about IIS, nor does IIS know about ADAM. Sorry, you are out of luck
> here.
>
> Can you modify your log analyzer program to scan security log instead?
>
>
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "donna.tidwell" <anonymous@discussions.microsoft.com> wrote in message
> news:fa8e01c3f1ae$ff34a6b0$a501280a@phx.gbl...
> > I need the logging be in the IIS log. My log analyzer
> > program can only read the IIS log. Is there any way to
> > get ADAM to generate the CS_username variable in the IIS
> > log? Do you know what generates the CS_username variable
> > in the IIS log? Site Server's LDAP services put the user
> > name in the IIS log as the CS_username variable. We are
> > using an LDAP call to ADAM. I was wondering why it is not
> > sending the information to the IIS log like Site Server's
> > LDAP.
> >
> >
> > >-----Original Message-----
> > >If you need logon auditing, then ADAM can do this, although it will go into
> > >Security log, not IIS log. Just enable Account Logon auditing in the group
> > >policy. You will get an event like this one:
> > >
> > >Event Type: Success Audit
> > >Event Source: Security
> > >Event Category: Account Logon
> > >Event ID: 680
> > >Date: 2/11/2004
> > >Time: 4:39:03 PM
> > >User: Domain\userName
> > >Computer: ADAM_MACHINE_NAME
> > >Description:
> > >Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > > Logon account: username
> > > Source Workstation: CLIENT_MACHINE_NAME
> > > Error Code: 0x0
> > >
> > >
> > >For more information, see Help and Support Center at
> > >http://go.microsoft.com/fwlink/events.asp.
> > >
> > >
> > >
> > >
> > >For ADAM users, you will get this kind of audit:
> > >
> > >Event Type: Success Audit
> > >Event Source: Security
> > >Event Category: Account Logon
> > >Event ID: 680
> > >Date: 2/11/2004
> > >Time: 4:38:06 PM
> > >User: S-1-439939821-1707116567-3694986241-1098450955-1252665478-3949904892
> > >Computer: ADAM_MACHINE_NAME
> > >Description:
> > >Logon attempt by: ADAM_test
> > > Logon account: CN=test,O=msft,L=wa,C=us
> > > Source Workstation: -
> > > Error Code: 0x0
> > >
> > >
> > >For more information, see Help and Support Center at
> > >http://go.microsoft.com/fwlink/events.asp.
> > >
> > >
> > >
> > >--
> > >Dmitri Gavrilov
> > >SDE, Active Directory Core
> > >
> > >This posting is provided "AS IS" with no warranties, and confers no rights.
> > >Use of included script samples are subject to the terms specified at
> > >http://www.microsoft.com/info/cpyright.htm
> > >
> > >"Donna.tidwell" <anonymous@discussions.microsoft.com> wrote in message
> > >news:ea8601c3f0e7$d1d625d0$a001280a@phx.gbl...
> > >> The IIS website uses an LDAP call to the ADAM server. In
> > >> the past we used Site Server LDAP to authenticate. The
> > >> Site Server LDAP call logged to the IIS Log. We were
> > >> wondering if the LDAP call to ADAM could do the same
> > >> thing, so we can track authenticated users in our
> > >> reporting tool. Any ideas?
> > >>
> > >>
> > >> >-----Original Message-----
> > >> >You can not use ADAM for IIS authentication, at least not directly. ADAM
> > >> >users can not be impersonated by IIS threads (because they are not windows
> > >> >security principals), and thus, IIS can not log them in its logs. How
> > >> >exactly do you use ADAM to do authentication?
> > >> >
> > >> >That said, we are working on a proper solution to use ADAM for IIS
> > >> >authentication. Not quite there yet.
> > >> >
> > >> >--
> > >> >Dmitri Gavrilov
> > >> >SDE, Active Directory Core
> > >> >
> > >> >This posting is provided "AS IS" with no warranties, and confers no rights.
> > >> >Use of included script samples are subject to the terms specified at
> > >> >http://www.microsoft.com/info/cpyright.htm
> > >> >
> > >> >"basin" <donna.tidwell@ipaper.com> wrote in message
> > >> >news:ed4a01c3f0c4$ce641e70$a601280a@phx.gbl...
> > >> >> Our web reports have never had any trouble logging and
> > >> >> reporting on authenticated users when we use nt
> > >> >> authentication, site server authentication, etc.
> > >> >> We moved to ADAM, which requires no special setup in IIS,
> > >> >> and now we cannot track authenticated users in our iis log
> > >> >> files.
> > >> >> How can we get ADAM to log user info to iis logs??
> > >> >> Thanks for any help!
>
>
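The thread's suggestion of scanning the Security log instead of the IIS log, as an added example that is not code from any poster or from Microsoft: a Python parser for Event ID 680 records in the text layout quoted above, separating Windows principals from ADAM users. The function name `parse_680`, the plain-text export format, and the third (failure) record with its error code are assumptions constructed for illustration.

```python
import re

# Constructed export: the two Event ID 680 records quoted in the thread, plus
# one constructed failure record (non-zero error code) to exercise that path.
SAMPLE = """\
Event ID: 680
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: username
 Source Workstation: CLIENT_MACHINE_NAME
 Error Code: 0x0

Event ID: 680
Logon attempt by: ADAM_test
 Logon account: CN=test,O=msft,L=wa,C=us
 Source Workstation: -
 Error Code: 0x0

Event ID: 680
Logon attempt by: ADAM_test
 Logon account: CN=test,O=msft,L=wa,C=us
 Source Workstation: -
 Error Code: 0xC000006A
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")
WINDOWS_PACKAGE = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"

def parse_680(text):
    """Return one dict per Event ID 680 record found in a text export."""
    logons = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                f[m.group(1).strip().lower()] = m.group(2).strip()
        if f.get("event id") != "680" or "logon account" not in f:
            continue
        package = f.get("logon attempt by", "")
        source = f.get("source workstation", "-")
        logons.append({
            "account": f["logon account"],
            # Assumption: any package other than the Windows one is an ADAM instance.
            "directory": "windows" if package == WINDOWS_PACKAGE else package,
            "source": None if source == "-" else source,
            "success": int(f.get("error code") or "0x0", 16) == 0,
        })
    return logons
```

The ADAM records carry no source workstation, so a report built from them can attribute a logon to a directory account but not to a client machine.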