Re: Random logon failure with ADAM Bind Proxy

From: Lee Flight (lef_at_le.ac.uk-nospam)
Date: 06/10/04


Date: Thu, 10 Jun 2004 12:06:56 +0100

Joe

following your suggestion on the "ADAM Principal binds" thread in the
active.directory.interfaces group I tried adding the WKSID for Authenticated
Users to the Readers role for an ADAM NC and it worked fine for binding ADAM
Principals to that NC.

Binding to rootDSE seemed to work fine with no change to any default.

In this thread the original poster is using bind proxies so it might be
worth noting that more fine-grained access control is possible than just
adding Authenticated Users to the Readers role, he could add the Users role
to the Readers role which would allow access to the ADAM NC for bind proxies
but not for the corresponding Windows Principal. This might give a more
role-based feel to the configuration. Assuming, of course, that the
application actually needs to use bind proxies rather than Windows
principals?

Lee Flight

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:erkj3TqTEHA.1508@TK2MSFTNGP11.phx.gbl...
> Could he also just bind to RootDSE in order to force an authentication?
> That way, he doesn't need to worry about permissions as everyone can read
> RootDSE.
>
> Also, does it work to add Authenticated Users SID to the Readers role so
> that he doesn't need to add all his users individually?
>
> Joe K.
>
> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> news:%23n7Zd1mTEHA.3596@tk2msftngp13.phx.gbl...
> > There was a similar problem discussed here a while ago, see "ADAM user
> > object limitations" thread. Are you adding new users to Readers group? This
> > is getting tricky when the group membership grows past 1500 members.
> > No_such_object usually means you could not read the object due to
> > insufficient permissions.
> >
> > Username should not be case sensitive. If you can verify that you can bind
> > with CN=aaa,DC=com, but not with CN=AAA,DC=com, please let us know.
> >
> > --
> > Dmitri Gavrilov
> > SDE, Active Directory Core
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> > "Seetha" <seethaj@yahoo.com> wrote in message
> > news:uCdg3mmTEHA.2408@tk2msftngp13.phx.gbl...
> > I have an isolated test environment with two servers - AD domain controller
> > and Windows 2003 server with ADAM on it. ADAM is used as a store for user
> > profiles and AD stores just the username/password and is solely used for
> > authentication.
> >
> >
> > I have been using ADAM bind proxy to authenticate users against AD. I have
> > two questions related to this setup.
> >
> >
> > a. ADAM bind proxy authentication was working fine. But suddenly this has been
> > creating random authentication errors with 'There is no object in the
> > server' during bind. The main problem is that authentication does not fail
> > consistently, it fails for few minutes, if I come back and test after an
> > hour it works, and fails after some time. The one thing that changed is that
> > we have been running a job that migrates ~350K users to AD and ADAM.
> >
> > If I authenticate directly against AD, authentication works consistently.
> > Not sure if adding too many users (all added to Readers role individually)
> > is having an effect on Bind proxy. Any ideas?
> >
> > Here is a code that I use to authenticate using ADAM bind proxy
> > -----------------------------------------------------------------------------------------
> > using System.DirectoryServices;
> >
> > public bool adamAuthenticate(string username, string password)
> > {
> >     string userDN = "LDAP://" + m_adamServer + "/CN=" + username + "," +
> >         this.m_adamUsersContainerPath;
> >     string userLoginName = "CN=" + username + ", " + this.m_adamUsersContainerPath;
> >
> >     // Bind proxies only accept a simple bind, hence AuthenticationTypes.None
> >     DirectoryEntry entry = new DirectoryEntry(userDN, userLoginName, password,
> >         AuthenticationTypes.None);
> >     try
> >     {
> >         // Bind to the native AdsObject to force authentication.
> >         Object obj = entry.NativeObject;
> >         return true;
> >     }
> >     catch (System.Exception ex)
> >     {
> >         // A COMException here carries the HRESULT: 0x8007052E is a logon
> >         // failure, 0x80072030 is "no such object" (the user could not be read)
> >         return false;
> >     }
> > }
> >
> > -----------------------------------------------------------------------------------------
> >
> > The following that authenticates against AD works
> >
> > -----------------------------------------------------------------------------------------
> >
> > public bool ADAuthenticate(string username, string password)
> > {
> >     string userDN = "LDAP://" + this.m_adServer + "/CN=" + username + "," +
> >         this.m_adUsersContainerPath;
> >     // look the user up with the service account first
> >     DirectoryEntry user = new DirectoryEntry(userDN,
> >         this.m_adAdminUsername, this.m_adAdminPassword);
> >
> >     try
> >     {
> >         // get the logon name from Active Directory
> >         string userLoginName = (String) user.Properties["samAccountName"].Value;
> >
> >         // use the logon name and the password entered by user against active
> >         // directory to bind
> >         DirectoryEntry entryAD = new DirectoryEntry(userDN, userLoginName,
> >             password, AuthenticationTypes.Secure | AuthenticationTypes.ServerBind);
> >         Object obj = entryAD.NativeObject;
> >         return true;
> >     }
> >     catch (Exception ex)
> >     {
> >         return false;
> >     }
> > }
> >
> >
> >
> > b. Through adamAuthenticate(), username seems to be case sensitive and the
> > auth fails if I don't pass in the username that does not match the CN exactly
> > with the case. Is there some setting that can be changed to avoid this?
> >
> > Thanks
> > Seetha
> >
> >
>
>
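
The two Readers-role configurations Lee describes (the Authenticated Users WKSID for everyone, or the NC's Users role for ADAM principals only), as an added example using System.DirectoryServices; this is not code from the thread, and the server, port, NC DN and configuration-set GUID are placeholders.

```csharp
using System;
using System.DirectoryServices;

public static class AdamRoles
{
    // Placeholders: replace with your ADAM instance, port and application NC.
    const string Server = "adam-host:389";
    const string NcDn = "DC=example,DC=com";
    // Configuration NC of the ADAM instance; the GUID is a placeholder.
    const string ConfigDn = "CN=Configuration,CN={00000000-0000-0000-0000-000000000000}";

    // Adds memberDn to the Readers role of the NC unless it is already a member.
    // Returns true when a change was committed. Assumes adminUser is a Windows
    // account that is an ADAM administrator (Secure bind), not a bind proxy.
    public static bool AddToReaders(string memberDn, string adminUser, string adminPassword)
    {
        string readersPath = "LDAP://" + Server + "/CN=Readers,CN=Roles," + NcDn;
        using (DirectoryEntry readers = new DirectoryEntry(readersPath, adminUser,
            adminPassword, AuthenticationTypes.Secure))
        {
            foreach (object existing in readers.Properties["member"])
            {
                if (string.Equals((string)existing, memberDn, StringComparison.OrdinalIgnoreCase))
                    return false; // already granted, nothing to do
            }
            readers.Properties["member"].Add(memberDn);
            readers.CommitChanges();
            return true;
        }
    }

    // Broad option: any authenticated identity, Windows principals included,
    // can read the NC after binding.
    public static bool GrantAuthenticatedUsers(string adminUser, string adminPassword)
    {
        string wksid = "CN=Authenticated Users,CN=WellKnown Security Principals," + ConfigDn;
        return AddToReaders(wksid, adminUser, adminPassword);
    }

    // Narrower option: only ADAM security principals of this NC (the bind
    // proxies, which are implicitly in its Users role) can read the NC, while
    // the corresponding Windows principals get nothing.
    public static bool GrantAdamPrincipalsOnly(string adminUser, string adminPassword)
    {
        return AddToReaders("CN=Users,CN=Roles," + NcDn, adminUser, adminPassword);
    }
}
```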


