Re: Random logon failure with ADAM Bind Proxy

From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 06/09/04 

Date: Wed, 9 Jun 2004 16:01:48 -0600

There was a similar problem discussed here a while ago, see "ADAM user
object limitations" thread. Are you adding new users to Readers group? This
is getting tricky when the group membership grows past 1500 members.
No_such_object usually means you could not read the object due to
insufficient permissions.

Username should not be case sensitive. If you can verify that you can bind
with CN=aaa,DC=com, but not with CN=AAA,DC=com, please let us know. 

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Seetha" <seethaj@yahoo.com> wrote in message
news:uCdg3mmTEHA.2408@tk2msftngp13.phx.gbl...
I have an isolated test environment with two servers -AD domain controller
and Windows 2003 server with ADAM on it. ADAM is used as a store for user
profiles and AD stores just the username/password and is solely used for
authentication.
I have been using ADAM bind proxy to authenticate  users against AD. I have
two questions relate to this setup.
a.ADAM bindproxy authentication was working fine. But suddenly this has been
creating random authentication errors with 'There is no object in the
server' during bind. The main problem is that authentication does not fail
consistently , it fails for few minutes, if I come back and test after an
hour it works, and fails after some time. The one thing that changed is that
we have been running a job that migrates ~350K users to AD and ADAM.
If I authenticate directly against AD , authentication works consistently.
Not sure if adding too many users (all added to Readers role individually)
is having an effect on Bind proxy.  Any ideas?
Here is a code that I use to authenticate using ADAM bind proxy
----------------------------------------------------------------------------
-----------------
  public bool adamAuthenticate(string username, string password)
  {
     userDN = "LDAP://" + m_adamServer+ "/" + "CN=" + username + "," +
this.m_adamUsersContainerPath;
     userLoginName = "CN=" + username +  ", " +
this.m_adamUsersContainerPath;
     entry = new DirectoryEntry( userDN, userLoginName, password,
AuthenticationTypes.None);
     try
     {
      // Bind to the native AdsObject to force authentication.
      Object obj = entry.NativeObject;
     }
     catch(System.Exception ex)
     {}
----------------------------------------------------------------------------
-----------------
  The following that authenticates against AD works
----------------------------------------------------------------------------
-----------------
 public bool ADAuthenticate(string username, string password)
{
       userDN =  "LDAP://" + this.m_adServer+ "/" + "CN=" + username + "," +
this.m_adUsersContainerPath;
       DirectoryEntry user = new DirectoryEntry(userDN,
this.m_adAdminUsername, this.m_adAdminPassword);
     try
     {
      // get the logon name from Active Directory
      userLoginName = (String) user.Properties["samAccountName"].Value;
      // use the logon name and the password entered by user against active
directory to bind
      DirectoryEntry entryAD = new DirectoryEntry( userDN, userLoginName,
password, AuthenticationTypes.Secure|AuthenticationTypes.ServerBind);
      Object obj = entryAD.NativeObject;
     }
     catch(Exception ex)
     {   }
b. Through adamAuthenticate() , username seems to be case sensitive and the
auth fails if I dont pass in the username that does not match the CN exactly
with the case. Is there some setting that can be changed to avoid this?
Thanks
Seetha

Relevant Pages

  • Re: Query AD from DMZ via LDAP?
    ... You could use ADAM with passthrough authentication or bind proxy objects, ... Determining group memberships would be a bonus. ...
    (microsoft.public.windows.server.active_directory)
  • Re: adam bind-redirect
    ... a third party doing authentication) then the proxy-redirect isnt an option. ... could benefit from bind redirect/User Proxy Object ... >> Our Adam will have a user store where we put custom user attributes. ... > Integrated authentication gives you a Windows security context ...
    (microsoft.public.windows.server.active_directory)
  • Re: adam bind-redirect
    ... You won't be able to do a proxy bind if you don't have the ... This will work only if ADAM ... >>> being authenticated (as in windows authentication or ... >> of the bind proxy object in the ADAM naming context and the Windows ...
    (microsoft.public.windows.server.active_directory)
  • Re: Random logon failure with ADAM Bind Proxy
    ... to the Readers role for an ADAM NC and it worked fine for binding ADAM ... In this thread the original poster is using bind proxies so it might be ... Readers role, he could add the Users role to the Readers role which would ... > Could he also just bind to RootDSE in order to force an authentication? ...
    (microsoft.public.windows.server.active_directory)
  • Re: adam bind-redirect
    ... could benefit from bind redirect/User Proxy Object ... The store for Azman will also be an ADAM. ... > They have there own SSO solution thats similar to forms authentication. ...
    (microsoft.public.windows.server.active_directory)