Re: Random logon failure with ADAM Bind Proxy

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 06/10/04 

Date: Wed, 9 Jun 2004 23:39:48 -0500

Could he also just bind to RootDSE in order to force an authentication?
That way, he doesn't need to worry about permssions as everyone can read
RootDSE.

Also, does it work to add Authenticated Users SID to the Readers role so
that he doesn't need to add all his users individually?

Joe K.

"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:%23n7Zd1mTEHA.3596@tk2msftngp13.phx.gbl...
> There was a similar problem discussed here a while ago, see "ADAM user
> object limitations" thread. Are you adding new users to Readers group?
This
> is getting tricky when the group membership grows past 1500 members.
> No_such_object usually means you could not read the object due to
> insufficient permissions.
>
> Username should not be case sensitive. If you can verify that you can bind
> with CN=aaa,DC=com, but not with CN=AAA,DC=com, please let us know.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Seetha" <seethaj@yahoo.com> wrote in message
> news:uCdg3mmTEHA.2408@tk2msftngp13.phx.gbl...
> I have an isolated test environment with two servers -AD domain controller
> and Windows 2003 server with ADAM on it. ADAM is used as a store for user
> profiles and AD stores just the username/password and is solely used for
> authentication.
>
>
> I have been using ADAM bind proxy to authenticate users against AD. I
have
> two questions relate to this setup.
>
>
> a.ADAM bindproxy authentication was working fine. But suddenly this has
been
> creating random authentication errors with 'There is no object in the
> server' during bind. The main problem is that authentication does not fail
> consistently , it fails for few minutes, if I come back and test after an
> hour it works, and fails after some time. The one thing that changed is
that
> we have been running a job that migrates ~350K users to AD and ADAM.
>
> If I authenticate directly against AD , authentication works consistently.
> Not sure if adding too many users (all added to Readers role individually)
> is having an effect on Bind proxy. Any ideas?
>
> Here is a code that I use to authenticate using ADAM bind proxy
> -------------------------------------------------------------------------- 

--
> -----------------
>   public bool adamAuthenticate(string username, string password)
>   {
>      userDN = "LDAP://" + m_adamServer+ "/" + "CN=" + username + "," +
> this.m_adamUsersContainerPath;
>      userLoginName = "CN=" + username +  ", " +
> this.m_adamUsersContainerPath;
>
>      entry = new DirectoryEntry( userDN, userLoginName, password,
> AuthenticationTypes.None);
>      try
>      {
>       // Bind to the native AdsObject to force authentication.
>       Object obj = entry.NativeObject;
>      }
>      catch(System.Exception ex)
>      {}
>
> --------------------------------------------------------------------------
--
> -----------------
>
>   The following that authenticates against AD works
>
> --------------------------------------------------------------------------
--
> -----------------
>
>  public bool ADAuthenticate(string username, string password)
> {
>        userDN =  "LDAP://" + this.m_adServer+ "/" + "CN=" + username + ","
+
> this.m_adUsersContainerPath;
>        DirectoryEntry user = new DirectoryEntry(userDN,
> this.m_adAdminUsername, this.m_adAdminPassword);
>
>      try
>      {
>       // get the logon name from Active Directory
>       userLoginName = (String) user.Properties["samAccountName"].Value;
>
>       // use the logon name and the password entered by user against
active
> directory to bind
>       DirectoryEntry entryAD = new DirectoryEntry( userDN, userLoginName,
> password, AuthenticationTypes.Secure|AuthenticationTypes.ServerBind);
>       Object obj = entryAD.NativeObject;
>      }
>      catch(Exception ex)
>      {   }
>
>
>
> b. Through adamAuthenticate() , username seems to be case sensitive and
the
> auth fails if I dont pass in the username that does not match the CN
exactly
> with the case. Is there some setting that can be changed to avoid this?
>
> Thanks
> Seetha
>
>

Relevant Pages

  • Re: Random logon failure with ADAM Bind Proxy
    ... There was a similar problem discussed here a while ago, see "ADAM user ... I have been using ADAM bind proxy to authenticate users against AD. ... a.ADAM bindproxy authentication was working fine. ... DirectoryEntry user = new DirectoryEntry(userDN, ...
    (microsoft.public.windows.server.active_directory)
  • Re: adam bind-redirect
    ... could benefit from bind redirect/User Proxy Object ... The store for Azman will also be an ADAM. ... > They have there own SSO solution thats similar to forms authentication. ...
    (microsoft.public.windows.server.active_directory)
  • Re: LDAP Authentication for Single Sign On
    ... So no authentication is required when performing bind operations only ... If I do find that I have to create a service account can you steer me ... If the client doesn't support anything other than a simple ... That isn't really necessarily part of the authentication though. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Query AD from DMZ via LDAP?
    ... You could use ADAM with passthrough authentication or bind proxy objects, ... Determining group memberships would be a bonus. ...
    (microsoft.public.windows.server.active_directory)
  • Re: adam bind-redirect
    ... a third party doing authentication) then the proxy-redirect isnt an option. ... could benefit from bind redirect/User Proxy Object ... >> Our Adam will have a user store where we put custom user attributes. ... > Integrated authentication gives you a Windows security context ...
    (microsoft.public.windows.server.active_directory)