Re: ADAM and Authorization and Profile Application Block
From: svesax (sveto.compri_at_gmail.com)
Date: 10/29/04
- Next message: Chris: "Re: Wrong Machine Role listed in Active Directory"
- Previous message: Tim De Meyer: "Re: Old netbios network name appears after domain rename"
- In reply to: Lee Flight: "Re: ADAM and Authorization and Profile Application Block"
- Next in thread: svesax: "Re: ADAM and Authorization and Profile Application Block"
- Messages sorted by: [ date ] [ thread ]
Date: 29 Oct 2004 02:20:16 -0700
Hi, I have found a compromise to my problem (using Authorization and
Profile Application Block with ADAM).
What I have seen in my little research is also the Authorization
Manager (azMan) present in Win2003.
I liked very much the model of azMan, really complete with roles,
tasks, operations and so on...
The problem now was for me to integrate Authorization and Profile
Application Block, azMan and ADAM.
Natively, when you install Authorization and Profile Application
Block, it comes with an azMan provider,
but azMan natively can use only users from AD, not from ADAM.
Then the steps for integration are:
-install Authorization and Profile Application Block
-personalize the provider (azManProvider) for getting the context of users
in the Authorization Store NOT coming from AD, but from ADAM.
This is possible using InitializeClientContextFromStringSid, where you
have to pass a SID rather than a token.
The example in http://www.ftponline.com/vsm/codepage.asp?loccode=vs0405dd
shows how to do this.
This is the modified provider:
private IAzClientContext GetClientContext(IIdentity identity,
    String applicationName, out IAzApplication azApp)
{
    // azManStore is the provider's field holding the store URL (msxml://... or msldap://...).
    IAzClientContext clientCtx = null;
    AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
    Debug.Assert(store != null, "store should not be null");
    store.Initialize(0, azManStore, null);
    azApp = store.OpenApplication(applicationName, null);
    Debug.Assert(azApp != null, "could not open the application");

    switch (identity.AuthenticationType)
    {
        case "NTLM":
            // Windows user: build the context from the logon token, as the stock provider does.
            WindowsIdentity winIdentity = identity as WindowsIdentity;
            if (winIdentity == null)
            {
                throw new SecurityException(ResourceTable.GetString(ResourceTable.WinIdentity));
            }
            clientCtx = azApp.InitializeClientContextFromToken((ulong)winIdentity.Token.ToInt64(), null);
            break;
        case "ADAM":
            // ADAM user: there is no Windows token, so build the context from the user's SID string
            // and skip Windows group expansion (the SID is unknown to the local security authority).
            BancaWoolwich.Profilation.ADAM.AdamIdentity adamIdentity =
                identity as BancaWoolwich.Profilation.ADAM.AdamIdentity;
            if (adamIdentity == null)
            {
                throw new SecurityException(ResourceTable.GetString(ResourceTable.ADAMIdentity));
            }
            clientCtx = azApp.InitializeClientContextFromStringSid(adamIdentity.AdamUserSID,
                (int)tagAZ_PROP_CONSTANTS.AZ_CLIENT_CONTEXT_SKIP_GROUP, null);
            break;
    }
    Debug.Assert(clientCtx != null, "could not get the context");
    return clientCtx;
}
As you can note, you have to pass an identity containing the ADAM user
SID. This is possible by modifying the Identity class,
adding a property (in my code it is adamIdentity.AdamUserSID).
-Authorization Manager permits you to save the store in XML or Active
Directory. I prefer to save Authorization information (roles,
operations...)
in ADAM, not in an XML file. To do so, you have to create a store from the
Auth Manager MMC by setting the location of the store
like this: msldap://localhost:389/CN=AuthorizationStore,DC=MyPartition,DC=MyOrganization,DC=COM.
To do this, when you install ADAM you have to import the classes User AND
AzMan. Then you can pass to the provider this store location.
The result of this is:
-You have your users in ADAM
-You can create and assign operations to roles with the MMC Authorization
Manager (very cool...)
-The definitions of roles, operations... are saved in ADAM
-You have to map users in ADAM to roles in the Authorization Store with an
application (not with the MMC, because the MMC permits mapping only AD users).
The example Sync is contained in
http://www.ftponline.com/vsm/codepage.asp?loccode=vs0405dd
-You have the flexibility of Authorization and Profile Application
Block, which permits you to create another provider (I have created one
that reads authorization information from an XML file without using
azMan, for Windows 2000 machines that do not have AdminPak 2003).
Remember Authorization Manager comes with Windows 2003 natively, but
you can install it on XP by downloading AdminPak for 2003 from the
Microsoft site.
I have not found AdminPak 2003 for Windows 2000; if somebody has,
please write.
This is all, maybe it was obvious for somebody, but not for me...
bye and enjoy,
sveto
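The post leaves two pieces to the reader: how the ADAM user's SID is obtained, and what the "application" that maps ADAM users to roles (the MMC cannot do it) actually calls. The block below is an added example, not the poster's code nor part of the Authorization and Profile Application Block; it uses the AZROLESLib COM interop for azroles.dll and System.DirectoryServices, and every name in it (store URL in the same form the post uses, application, role, operation, user DN) is a placeholder. It reads the user's objectSid from the ADAM partition, assigns that SID to a role in the store held in ADAM, then builds a client context from the SID with AZ_CLIENT_CONTEXT_SKIP_GROUP and runs an AccessCheck, which is the same initialization path the modified provider takes.

```csharp
using System;
using System.DirectoryServices;    // DirectoryEntry: reads the ADAM user's objectSid (assumes default bind credentials)
using System.Security.Principal;   // SecurityIdentifier (.NET 2.0+): turns the raw SID bytes into "S-1-..." text
using AZROLESLib;                  // COM interop for azroles.dll (Authorization Manager)

// Added example, not the poster's code. All names below are placeholders for the example.
public class AdamAzManSync
{
    // Store kept in an ADAM partition, reachable over LDAP on port 389 (same URL form as the post).
    const string StoreUrl =
        "msldap://localhost:389/CN=AuthorizationStore,DC=MyPartition,DC=MyOrganization,DC=COM";
    const string AppName = "MyApplication";      // application node created in the MMC (placeholder)
    const string RoleName = "Reader";            // role defined in the MMC (placeholder)
    const string OperationName = "ReadReport";   // operation defined in the MMC (placeholder)

    // Reads objectSid of an ADAM user and returns it in SDDL form, which is what
    // InitializeClientContextFromStringSid and IAzRole.AddMember expect.
    public static string GetAdamUserSid(string adamServer, string userDn)
    {
        using (DirectoryEntry user = new DirectoryEntry("LDAP://" + adamServer + "/" + userDn))
        {
            byte[] rawSid = (byte[])user.Properties["objectSid"].Value;
            return new SecurityIdentifier(rawSid, 0).Value;
        }
    }

    // Maps the ADAM user to a role by SID. AddMember takes a SID string; AddMemberName would
    // try to resolve an account name in AD, which is why the MMC cannot map ADAM users.
    public static void AddUserToRole(IAzApplication app, string roleName, string userSid)
    {
        IAzRole role = app.OpenRole(roleName, null);
        role.AddMember(userSid, null);
        role.Submit(0, null);   // persist the assignment to the store in ADAM
    }

    // Builds the client context from the SID (no Windows token exists for an ADAM user)
    // and checks a single operation. Returns true only when AzMan grants it.
    public static bool IsAllowed(IAzApplication app, string userSid, string operationName)
    {
        IAzClientContext ctx = app.InitializeClientContextFromStringSid(
            userSid,
            (int)tagAZ_PROP_CONSTANTS.AZ_CLIENT_CONTEXT_SKIP_GROUP,  // do not expand Windows groups for this SID
            null);
        IAzOperation op = app.OpenOperation(operationName, null);
        object[] scopes = new object[] { "" };                  // "" = check at application scope
        object[] operations = new object[] { op.OperationID };
        object[] results = (object[])ctx.AccessCheck("ADAM access check", scopes, operations,
            null, null, null, null, null);
        // One Win32 status per requested operation: 0 (ERROR_SUCCESS) means granted.
        return (int)results[0] == 0;
    }

    public static void Main(string[] args)
    {
        // Placeholder DN of a user created in the ADAM partition.
        string userSid = GetAdamUserSid("localhost:389",
            "CN=alice,CN=Users,DC=MyPartition,DC=MyOrganization,DC=COM");

        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);                // 0 = open an existing store, do not create
        IAzApplication app = store.OpenApplication(AppName, null);

        AddUserToRole(app, RoleName, userSid);
        Console.WriteLine("{0} may {1}: {2}", userSid, OperationName, IsAllowed(app, userSid, OperationName));
    }
}
```

Compile against the AZROLESLib interop assembly (tlbimp on azroles.dll, or add a COM reference to "azroles 1.0 Type Library") and System.DirectoryServices. The ADAM instance must have the User and AzMan schema extensions imported, as the post says, or neither the objectSid lookup nor the msldap store will work.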