Re: ADAM Bind Redirection question
From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 07/30/04
- Next message: 1st timer on AD 2003: "New 2003 AD server"
- Previous message: AdminKen: "Re: ADC not working - E5.5 to E2K3 migration"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: ADAM Bind Redirection question"
- Next in thread: Seow: "Re: ADAM Bind Redirection question"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 30 Jul 2004 15:40:30 -0700
ADAM relies on Windows auth mechanisms; it does not keep an LDAP connection
to AD. That's the reason why we require that the ADAM machine be joined to a
Windows domain in order to enable proxy binds.
Doing it over LDAP is more flexible because you could authenticate proxies
from different forests, and (potentially) from non-Windows domains that
support LDAP, although it is unclear where the token would come from.
But the LDAP way is more complex to implement too. We would have to cache LDAP
connection(s), perhaps manage creds to connect to the server, invent a more
generic lookup mechanism (mapping a proxy to an LDAP user), etc. Maybe we will
do this in the next release. There should be enough demand for this, though.
--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in
message news:#v#pBjndEHA.3148@TK2MSFTNGP10.phx.gbl...
> Is that how it works? For some reason I assumed that ADAM actually tried to
> do an LDAP bind to its DC using the credentials supplied. It didn't occur
> to me that you just call LogonUser.
>
> Thanks for the clarification.
>
> Joe K.
>
> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> news:%2362qFgldEHA.3528@TK2MSFTNGP12.phx.gbl...
> > I think the question was what mechanism is used to authenticate the proxy,
> > i.e. how ADAM talks to AD when it gets a proxy auth request.
> >
> > ADAM uses standard Windows APIs, LogonUser specifically. This results in a
> > logon request, which is done with either Kerberos or NTLM over the secure
> > channel. So, in any case, the password is never exposed in clear text.
> >
> > --
> > Dmitri Gavrilov
> > SDE, Active Directory Core
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples is subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > in message news:OdBR#LfdEHA.2376@tk2msftngp13.phx.gbl...
> > > Generally, the idea here is to use AD secure binding with Active Directory
> > > accounts and encrypt the channel with SSL for ADAM user binds, like you
> > > said. The trick from my point of view is knowing how to recognize an ADAM
> > > user from an AD user by their username so you know when to add the Secure
> > > flag. Having very different UPN suffixes should work here.
> > >
> > > When using secure binding with AD, SASL is used. Under the hood it is the
> > > Negotiate protocol which will end up as NTLM or Kerberos.
> > >
> > > Joe K.
> > >
> > > "Seow" <seowfun@hotmail.com> wrote in message
> > > news:cd21d7dc.0407291603.56fe821@posting.google.com...
> > > > I have an SSL question regarding bind redirection in ADAM. Since bind
> > > > redirection only works for simple bind, and simple bind sends the pw in
> > > > plaintext across the network, we need to set up an SSL connection between
> > > > the client & ADAM for security reasons.
> > > >
> > > > What about the connection between ADAM & AD? I don't think we need to
> > > > set up SSL between these two, as the pw should be sent thru a secure
> > > > channel, right? If so, what mechanism does it use? SASL?
> > > >
> > > > Thanks!
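The thread's practical advice for a client is: bind AD accounts with the Secure flag (SASL Negotiate, so Kerberos or NTLM and no password on the wire), bind ADAM users and proxy objects with a simple bind, and only ever send a simple bind over SSL, telling the two kinds of account apart by their UPN suffix. The following is an added example, not code from the thread or from ADAM itself; it encodes that policy as a small decision function that refuses to plan a clear-text simple bind. The UPN suffixes, the `BindPlan` type and `plan_bind` are all constructed for illustration.

```python
"""Pick a bind mechanism from the UPN suffix and refuse clear-text simple binds.

Constructed example: the suffixes below are placeholders, not values from the
original thread. The policy follows the thread: AD accounts -> SASL Negotiate
(Kerberos/NTLM), ADAM users/proxies -> simple bind, which MUST go over SSL/TLS
because a simple bind carries the password in clear text.
"""

from dataclasses import dataclass

# Constructed mapping: which directory owns accounts with a given UPN suffix.
# Joe Kaplan's suggestion is to keep these suffixes very different.
AD_UPN_SUFFIXES = {"corp.example.com"}
ADAM_UPN_SUFFIXES = {"adam.example.net"}

LDAP_PORT = 389
LDAPS_PORT = 636


@dataclass(frozen=True)
class BindPlan:
    """How the client should bind for one account (constructed type)."""
    target: str       # "AD" or "ADAM"
    mechanism: str    # "negotiate" (SASL; Kerberos or NTLM) or "simple"
    use_ssl: bool     # True when the connection must be LDAPS / TLS


class InsecureBindError(ValueError):
    """A simple bind was requested on a connection without SSL/TLS."""


def upn_suffix(upn: str) -> str:
    """Return the lower-cased part after the last '@' of a UPN."""
    if "@" not in upn:
        raise ValueError(f"not a UPN: {upn!r}")
    return upn.rsplit("@", 1)[1].lower()


def plan_bind(upn: str, ssl_available: bool) -> BindPlan:
    """Decide mechanism and transport for `upn` (constructed policy).

    `ssl_available` says whether the client can reach the server over LDAPS
    (or StartTLS). It only matters for simple binds; Negotiate does not put
    the password on the wire, so it is allowed on a plain connection.
    """
    suffix = upn_suffix(upn)
    if suffix in AD_UPN_SUFFIXES:
        # Windows principal: add the Secure flag, i.e. SASL Negotiate.
        return BindPlan(target="AD", mechanism="negotiate", use_ssl=ssl_available)
    if suffix in ADAM_UPN_SUFFIXES:
        # ADAM user or userProxy: only simple bind works, so SSL is mandatory.
        if not ssl_available:
            raise InsecureBindError(
                f"simple bind for {upn!r} would send the password in clear text; "
                "connect over LDAPS (or StartTLS) first"
            )
        return BindPlan(target="ADAM", mechanism="simple", use_ssl=True)
    raise ValueError(f"unknown UPN suffix {suffix!r}; cannot choose a bind type")


def server_url(host: str, plan: BindPlan) -> str:
    """Build the LDAP URL the plan requires (LDAPS when SSL is needed)."""
    if plan.use_ssl:
        return f"ldaps://{host}:{LDAPS_PORT}"
    return f"ldap://{host}:{LDAP_PORT}"


if __name__ == "__main__":
    for user, ssl in [("alice@corp.example.com", False),
                      ("bob@adam.example.net", True),
                      ("bob@adam.example.net", False)]:
        try:
            plan = plan_bind(user, ssl)
            print(user, "->", plan, server_url("directory.example", plan))
        except InsecureBindError as exc:
            print(user, "-> REFUSED:", exc)
```

The refusal branch is the part worth keeping in real code: the ADAM-to-AD leg is protected by LogonUser over the secure channel, as Dmitri explains, but the client-to-ADAM leg is only as safe as the transport the client chose.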