Re: ADAM Foreign Principal Group Membership.
- From: "Robert Rolls" <implatform@xxxxxxxxxxxxxxx>
- Date: Wed, 13 Apr 2005 07:35:11 +1000
My step 2 doesn't read from rootDSE (if my users live within ADAM); it reads
from the application partition, the same path I use to locate the user: step
2 uses the SearchResults.Path as its root.
Joe, have you got some pseudo code for combining steps 1-2 if I had a
distinguished name?
Robert.
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:#zQpia5PFHA.3076@xxxxxxxxxxxxxxxxxxxxxxx
> I don't think it is possible to combine 1 and 2, because 2 reads from
> rootDSE, while 1 reads from some object (the FPO?).
>
> At some point, I considered adding tokenGroups as a constructed attribute on
> FPOs (like we have them on users). However, it proved to be not very useful,
> because you need to have the *complete* windows token to get the full ADAM
> group membership, as opposed to a single user SID.
>
> And in order to get the complete windows token, you need to authenticate. I
> guess there's another approach -- read tokenGroups from AD first, then
> expand with ADAM sids... In Longhorn, maybe. But in any case, this will only
> include AD groups, and not local groups or Windows builtin sids. So, the
> safest way is still to authenticate the user, and in this case, this is
> actually possible because there's no double-hop.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
> in message news:e5xDyT4PFHA.3076@xxxxxxxxxxxxxxxxxxxxxxx
> > That is the only way that I know. You either impersonate or bind with
> > their explicit credentials (if you have them). Since there is no "object"
> > in the directory that represents the foreign principal, there isn't
> > anything else you can really do besides binding with that security context
> > and using the ADAM feature that creates a "virtual" tokenGroups attribute
> > for you.
> >
> > I think you could possibly combine the 1 and 2 queries for an ADAM user if
> > you knew their DN, but otherwise it would take 2 queries. You can
> > definitely get standard attributes AND tokenGroups from a base-level
> > search at the same time. You just need a DN, GUID or SID you can use to
> > do the base-level search against. If they authenticated with UPN, you
> > would need to do a search to convert the UPN to DN.
> >
> > The group SID->friendly name conversion must also be done with a search if
> > you need friendly names. So judicious caching on the application can make
> > that go a lot faster though.
> >
> > HTH,
> >
> > Joe K.
> >
> >
> >
> > "Robert Rolls" <implatform@xxxxxxxxxxxxxxx> wrote in message
> > news:eBeinQ1PFHA.1932@xxxxxxxxxxxxxxxxxxxxxxx
> >> Joe,
> >>
> >> Thanks for that - is binding using the impersonated token the only way you
> >> can retrieve the group membership of a foreign principal in ADAM? Also is it
> >> standard to have to do three queries when retrieving user information (users
> >> in ADAM no AD)?
> >>
> >> 1. locate and retrieve some standard properties - maybe displayname/cn etc..
> >> 2. Retrieve the token groups
> >> 3. Retrieve the cn(s) of the tokenGroup sids
> >>
> >> Each of the above is a single query (I use the objectSid=\xx\xx query for
> >> step 3)
> >>
> >> Rob.
> >>
> >>
> >>
> >>
> >>
> >>
> >> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
> >> in message news:uQXtBTuPFHA.2680@xxxxxxxxxxxxxxxxxxxxxxx
> >>> If ADAM is on the same box, then delegation is not needed. You need
> >>> delegation to overcome the "double-hop" issue where your credentials cannot
> >>> go from user's workstation to web server to application server (and beyond).
> >>> If application server is same as web server, there is no double-hop.
> >>>
> >>> So, you should just be able to impersonate, bind to ADAM and get your
> >>> tokenGroups from rootDSE which then should have your ADAM and AD groups in
> >>> them.
> >>>
> >>> Joe K.
> >>>
> >>> "Robert Rolls" <implatform@xxxxxxxxxxxxxxx> wrote in message
> >>> news:%23ebUP1tPFHA.2468@xxxxxxxxxxxxxxxxxxxxxxx
> >>> > Joe,
> >>> >
> >>> > Yes - Integrated Authentication only no anonymous access allowed.
> >>> > Yes - ADAM is the store for application-specific groups that we cannot store
> >>> > in AD (political things afoot)
> >>> >
> >>> > So the only way to retrieve the foreign principal tokenGroups is to
> >>> > impersonate and use default credentials (i.e. the thread token)
> >>> > To impersonate I have to enable account delegation (care to elaborate why?
> >>> > ADAM may be sitting on the same box as we may use replication across the app
> >>> > cluster?)
> >>> >
> >>> > I appreciate your patience on this - I'll have a go with the impersonation
> >>> > today.
> >>> >
> >>> > Thanks
> >>> > Rob.
> >>> >
> >>> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
> >>> > in message news:ePdr5EqPFHA.2468@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> So, just to be clear, you are authenticating users in IIS using standard
> >>> >> Windows authentication, right (basic, digest, IWA)?
> >>> >>
> >>> >> Then, you are essentially using ADAM as a store for application-specific
> >>> >> groups that you don't want to add to AD?
> >>> >>
> >>> >> If that is the case, then you should be able to impersonate the
> >>> >> authenticated user on your web server and then bind to ADAM with default
> >>> >> credentials. Assuming your credentials can delegate, you should be able to
> >>> >> bind to ADAM with the current user's security context and then get
> >>> >> tokenGroups from RootDSE. The delegation will be the tricky part.
> >>> >>
> >>> >> If this isn't your scenario, can you back up and explain it again in more
> >>> >> detail? How are the AD users being authenticated in the application?
> >>> >>
> >>> >> Joe K.
> >>> >>
> >>> >>
> >>> >> "Robert Rolls" <implatform@xxxxxxxxxxxxxxx> wrote in message
> >>> >> news:uOIWZHoPFHA.3292@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> > sorry for being stupid -
> >>> >> >
> >>> >> > the user object yep won't work for AD and hence the problem - read
> >>> >> > tokenGroups from the root DSE - ok let's answer these in turn
> >>> >> >
> >>> >> > 1. If the user lives in AD but is a member of groups in ADAM doing step 3
> >>> >> > will not work.
> >>> >> > I agree as I don't have the users in ADAM only group membership.
> >>> >> >
> >>> >> > 2. reading tokenGroups from root DSE - If I don't have the user's
> >>> >> > credentials i.e. the password how do I bind?
> >>> >> > I don't bind using the user credentials I bind using the executable's
> >>> >> > principal.
> >>> >> >
> >>> >> > Look I'm really sorry for being stupid - but given that I don't bind using
> >>> >> > the AD user's credentials that I'm trying to retrieve the group membership
> >>> >> > (I bind using the executable's identity an admin in this case) as I don't
> >>> >> > have them and given that I have to bind to rootDSE how do I do so if I don't
> >>> >> > have the user's credentials (the one I'm trying to retrieve the group
> >>> >> > membership) If this doesn't make any sense I'm really sorry as I seem to be
> >>> >> > struggling to understand what I'm meant to do.
> >>> >> >
> >>> >> > Given Step 3 below if all my users are in ADAM it works - how do I do it for
> >>> >> > non ADAM users who are members of ADAM groups.
> >>> >> >
> >>> >> > Rob.
> >>> >> >
> >>> >> >
> >>> >> >
> >>> >> > "Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
> >>> >> > news:eMngtCmPFHA.2956@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> >> One thing I noticed -- in step 3 you apparently read tokenGroups from the
> >>> >> >> user object. This won't work for an AD user, because there's no user object
> >>> >> >> in ADAM to read it from. You should read tokenGroups from the rootDSE
> >>> >> >> (emptyDN) -- note Joe has given some code to do this below. This will work
> >>> >> >> for both ADAM and AD users.
> >>> >> >>
> >>> >> >> --
> >>> >> >> Dmitri Gavrilov
> >>> >> >> SDE, Active Directory Core
> >>> >> >>
> >>> >> >> This posting is provided "AS IS" with no warranties, and confers no rights.
> >>> >> >> Use of included script samples are subject to the terms specified at
> >>> >> >> http://www.microsoft.com/info/cpyright.htm
> >>> >> >>
> >>> >> >> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
> >>> >> >> in message news:uIdwRUePFHA.3188@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> >> > How is your authentication in IIS working? Are you using Basic
> >>> >> >> > authentication or IWA? How is it that you are authenticating users in
> >>> >> >> > ADAM with IIS without some form of custom forms authentication? IIS will
> >>> >> >> > only authenticate Windows users using the built-in stuff.
> >>> >> >> >
> >>> >> >> > That said, I think you can connect to ADAM using the Windows user's
> >>> >> >> > security context by impersonating and doing a secure bind. You would need
> >>> >> >> > Kerberos delegation if you are using IWA and ADAM is on a different
> >>> >> >> > server.
> >>> >> >> >
> >>> >> >> > Once we understand your authentication model better, I think we can make
> >>> >> >> > more progress.
> >>> >> >> >
> >>> >> >> > Joe K.
> >>> >> >> >
> >>> >> >> > "Robert Rolls" <implatform@xxxxxxxxxxxxxxx> wrote in message
> >>> >> >> > news:%23yiTj6bPFHA.2736@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> >> >> Joe,
> >>> >> >> >>
> >>> >> >> >> Here's what I have -
> >>> >> >> >>
> >>> >> >> >> 1. Retrieve the IIS LOGON_USER server variable
> >>> >> >> >> 2. Query AD looking for the user object associated with value of the
> >>> >> >> >> LOGON_USER (using the current process Identity for the bind)
> >>> >> >> >> 3. Later using the SearchResults.Path value (returned by the step 2) do a
> >>> >> >> >> property refresh asking for tokenGroups.
> >>> >> >> >>
> >>> >> >> >> At no point do I bind using the AD user's credentials as I don't have any,
> >>> >> >> >> I only have a name returned by the IIS LOGON_NAME server variable.
> >>> >> >> >>
> >>> >> >> >> If I do the above with my users living in ADAM everything works as
> >>> >> >> >> expected - the problem now is from the responses I've had so far it appears
> >>> >> >> >> that I can't get tokenGroups for non-ADAM users who are members of ADAM
> >>> >> >> >> groups as I have to bind with their credentials.
> >>> >> >> >>
> >>> >> >> >> I apologise if I'm missing the point but I'm no ADAM or AD expert.
> >>> >> >> >>
> >>> >> >> >> Regards
> >>> >> >> >> Robert.
> >>> >> >> >>
> >>> >> >> >>
> >>> >> >> >> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
> >>> >> >> >> in message news:uJJj2K8OFHA.2824@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> >> >>> If you want to get the AD user's tokenGroups from ADAM, you don't really do
> >>> >> >> >>> a query. You bind to RootDSE using Secure bind with the user's credentials
> >>> >> >> >>> and get tokenGroups from that.
> >>> >> >> >>>
> >>> >> >> >>> As I recall though, a bug in ADSI requires that you use the GC:// provider
> >>> >> >> >>> instead of LDAP. Just use the same port you do for ADAM and it will work.
> >>> >> >> >>> Additionally, you don't specify rootDSE explicitly, just leave the DN part
> >>> >> >> >>> null:
> >>> >> >> >>>
> >>> >> >> >>> new DirectoryEntry("GC://youradam.domain.com:389", null, null,
> >>> >> >> >>> AuthenticationTypes.Secure);
> >>> >> >> >>> // refresh cache on it to get tokenGroups
> >>> >> >> >>>
> >>> >> >> >>> However, if ADAM is on a different machine, you'll also probably need
> >>> >> >> >>> Kerberos delegation working to get this bind to work.
> >>> >> >> >>>
> >>> >> >> >>> Joe K.
> >>> >> >> >>>
> >>> >> >> >>> "Robert Rolls" <implatform@xxxxxxxxxxxxxxx> wrote in message
> >>> >> >> >>> news:umByl5uOFHA.164@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> >> >>> > I don't know the credentials of the AD user all I've got is the name as
> >>> >> >> >>> > defined within the IIS server variable LOGON_USER as we're using integrated
> >>> >> >> >>> > authentication (I bind using the context of the running application
> >>> >> >> >>> > all we're using adam for is authorization). When my users live within ADAM to
> >>> >> >> >>> > get the tokengroups I create a DirectoryEntry using the Path as returned by
> >>> >> >> >>> > the SearchResult.Path (when attempting to locate the user). Once I've got
> >>> >> >> >>> > the DirectoryEntry I simply retrieve the tokengroups with a dir.RefreshCache
> >>> >> >> >>> > all works lovely jubblie.
> >>> >> >> >>> >
> >>> >> >> >>> > So I assume my question now is if I can't bind using the AD credentials what
> >>> >> >> >>> > query do I use? SID?
> >>> >> >> >>> >
> >>> >> >> >>> > Thanks
> >>> >> >> >>> > Rob.
> >>> >> >> >>> >
> >>> >> >> >>> > dir = new DirectoryEntry(identity.Path);
> >>> >> >> >>> >
> >>> >> >> >>> > dir.RefreshCache(new string[] { tokenGroupsProperty });
> >>> >> >> >>> >
> >>> >> >> >>> > PropertyValueCollection tGroup = dir.Properties[tokenGroupsProperty];
> >>> >> >> >>> >
> >>> >> >> >>> > // move the byte[] sids to an ArrayList for the object[] array.
> >>> >> >> >>> >
> >>> >> >> >>> > System.Collections.ArrayList sidList = new System.Collections.ArrayList(tGroup.Count);
> >>> >> >> >>> >
> >>> >> >> >>> > sidList.AddRange(tGroup);
> >>> >> >> >>> >
> >>> >> >> >>> > "Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
> >>> >> >> >>> > news:OL9x0wpOFHA.2132@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> >> >>> >> Hi
> >>> >> >> >>> >>
> >>> >> >> >>> >> AD tokenGroups will have no information on ADAM groups/roles
> >>> >> >> >>> >> however if you bind to the ADAM instance rootDSE with the
> >>> >> >> >>> >> credentials of the AD user and do a base search for the tokenGroups
> >>> >> >> >>> >> attribute it will contain the domain tokenGroups for the authenticated user
> >>> >> >> >>> >> augmented with any ADAM group/role SIDs that obtain.
> >>> >> >> >>> >>
> >>> >> >> >>> >> Lee Flight
> >>> >> >> >>> >>
> >>> >> >> >>> >> "Robert Rolls" <implatform@xxxxxxxxxxxxxxx> wrote in message
> >>> >> >> >>> >> news:O3gJBEpOFHA.2728@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> >> >>> >> > Apologies up front as I'm a complete newbie with this ADAM/AD thing.
> >>> >> >> >>> >> >
> >>> >> >> >>> >> > I'm using ADAM to store authorization data - I have a few groups defined.
> >>> >> >> >>> >> > My users live in my domain AD.
> >>> >> >> >>> >> > I've added some users in my domain AD as membersOf the groups I've defined
> >>> >> >> >>> >> > in ADAM.
> >>> >> >> >>> >> >
> >>> >> >> >>> >> > The problem I have is I've no idea how to retrieve the groups that a user
> >>> >> >> >>> >> > belongs to? I understand I need to query for tokengroups and I've got this
> >>> >> >> >>> >> > working if the users exist within ADAM - I search for a user based on
> >>> >> >> >>> >> > userPrincipalName retrieve the path (distinguished name) I then do another
> >>> >> >> >>> >> > query to retrieve the tokengroups (refreshcache) it all works like a dream
> >>> >> >> >>> >> > if the users live within ADAM.
> >>> >> >> >>> >> >
> >>> >> >> >>> >> > However - How do I retrieve the tokengroups for users that live within AD
> >>> >> >> >>> >> > but have group membership within ADAM.
> >>> >> >> >>> >> >
> >>> >> >> >>> >> > Regards
> >>> >> >> >>> >> > Robert.
> >>> >> >> >>> >> >
> >>> >> >> >>> >> >
>
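The thread settles on three pieces: a rootDSE bind under the authenticated user's own security context (the only way to get a foreign AD principal's ADAM group SIDs, because the user has no object in ADAM), a single base-scope search that returns ordinary attributes together with tokenGroups when an ADAM-resident user's DN is already known (Joe's suggestion for merging Robert's steps 1 and 2), and an objectSid search, preferably cached, to turn group SIDs into friendly names (step 3). The following C# is an added example written for this page, not code from the thread or from any of its posters. The class and method names, the ADAM host/port, the partition path and the `displayName` attribute are assumptions; the `GC://` prefix is carried over from Joe's post as reported there. The rootDSE bind has to execute on a thread that is impersonating the authenticated web user, and, as the thread explains, needs delegation only when ADAM lives on a different box from the web server.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Hypothetical helper: names, ADAM host/port and partition path are assumptions, not thread code.
public static class AdamGroupLookup
{
    // SID string -> cn, shared across requests so step 3 does not hit ADAM every time.
    private static readonly Dictionary<string, string> NameCache = new Dictionary<string, string>();
    private static readonly object CacheLock = new object();

    // Foreign (AD) principal: bind to the ADAM rootDSE (no DN part) under the caller's own context
    // and read the constructed tokenGroups. Run this while impersonating the authenticated web user.
    public static List<SecurityIdentifier> TokenGroupsFromRootDse(string adamHostAndPort)
    {
        // Joe's post reports that this bind needed the GC:// provider prefix; kept as given.
        using (var root = new DirectoryEntry("GC://" + adamHostAndPort, null, null,
                                             AuthenticationTypes.Secure))
        {
            root.RefreshCache(new[] { "tokenGroups" });
            var sids = new List<SecurityIdentifier>();
            foreach (object raw in root.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier((byte[])raw, 0));
            return sids;
        }
    }

    // ADAM-resident user with a known ADsPath: one base-scope search returns ordinary
    // attributes and tokenGroups together, merging the thread's steps 1 and 2.
    public static List<SecurityIdentifier> AttributesAndTokenGroups(string userAdsPath,
                                                                     out string displayName)
    {
        using (var user = new DirectoryEntry(userAdsPath))
        using (var searcher = new DirectorySearcher(user, "(objectClass=*)",
                   new[] { "displayName", "tokenGroups" }, SearchScope.Base))
        {
            SearchResult hit = searcher.FindOne();
            if (hit == null) throw new InvalidOperationException("no entry at " + userAdsPath);
            displayName = hit.Properties.Contains("displayName")
                ? (string)hit.Properties["displayName"][0] : null;
            var sids = new List<SecurityIdentifier>();
            foreach (object raw in hit.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier((byte[])raw, 0));
            return sids;
        }
    }

    // Binary SID -> "\01\05\00..." (the thread's objectSid=\xx\xx form); no filter metacharacters leak.
    public static string EscapeSidForFilter(SecurityIdentifier sid)
    {
        var raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        var sb = new StringBuilder(raw.Length * 3);
        foreach (byte b in raw) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Step 3: resolve group SIDs to cn with one OR'd objectSid search plus the cache. SIDs with no
    // object in the ADAM partition (domain groups, builtins) map to their S-1-... string.
    public static Dictionary<string, string> ResolveNames(string partitionAdsPath,
                                                          IEnumerable<SecurityIdentifier> sids)
    {
        var names = new Dictionary<string, string>();
        var missing = new List<SecurityIdentifier>();
        lock (CacheLock)
        {
            foreach (var sid in sids)
            {
                string cached;
                if (NameCache.TryGetValue(sid.Value, out cached)) names[sid.Value] = cached;
                else missing.Add(sid);
            }
        }
        if (missing.Count == 0) return names;
        var filter = new StringBuilder("(|");
        foreach (var sid in missing)
            filter.Append("(objectSid=").Append(EscapeSidForFilter(sid)).Append(')');
        filter.Append(')');
        using (var partition = new DirectoryEntry(partitionAdsPath))
        using (var searcher = new DirectorySearcher(partition, filter.ToString(),
                   new[] { "cn", "objectSid" }, SearchScope.Subtree))
        using (SearchResultCollection hits = searcher.FindAll())
        {
            foreach (SearchResult hit in hits)
            {
                string sidValue = new SecurityIdentifier((byte[])hit.Properties["objectSid"][0], 0).Value;
                string cn = (string)hit.Properties["cn"][0];
                names[sidValue] = cn;
                lock (CacheLock) NameCache[sidValue] = cn;
            }
        }
        foreach (var sid in missing)
            if (!names.ContainsKey(sid.Value)) names[sid.Value] = sid.Value;
        return names;
    }
}
```

In a web application the call to `TokenGroupsFromRootDse` belongs inside the impersonated context (the thread token of the authenticated request); the SIDs it returns are then passed to `ResolveNames` with the application partition's ADsPath. Since `tokenGroups` is constructed per bind and reflects the bound identity, a result obtained under the service account says nothing about the end user, which is why the thread keeps returning to impersonation. Escaping every SID byte as `\xx` keeps user-influenced data out of the filter syntax, and the one OR'd filter plus the cache implements the "judicious caching" Joe recommends.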