Re: adam bind-redirect



Hi

inline below...

"mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C1FCF03D-C783-494C-86E4-2EAE47B549BB@xxxxxxxxxxxxxxxx
>I am trying to understand whether
> our organization needs, could benefit from, bind redirect/User Proxy Object,
> or perhaps should skip using it.

You might want to review the following with regard to bind proxies:

http://groups-beta.google.com/group/microsoft.public.windows.server.active_directory/msg/20cfddc120540fcc?hl=en&lr=&ie=UTF-8

>
> Our situation is as follows:
> Our applications are ASP.Net apps running on IIS 6.0 and windows 2003.
> Our ADAM will have a user store where we put custom user attributes
> that are not in Active Directory.
> We will also be using Azman. The store for Azman will also be an ADAM.
>
> Internal Users/Apps.
> We have an internal Active Directory.
> We will be using integrated security for internal applications
>
> External Users/Applications:
> Authentication is going to be handled by a third party.
> They have their own SSO solution that's similar to forms authentication.
> In addition, they are authenticating against their own Active
> Directory.
>
> The ADAM will be located in our domain and we will be setting up a
> trust between our domain and theirs, so we can assign users to roles
> from Azman.
>
> Each environment (Internal/External) will have its own ADAM.

If I read that correctly you are saying you have two domains, or from
a security standpoint perhaps two forests with a trust between them,
and the ADAM instances for both forests live in just one (the internal)
forest.

> Comments:
> 1. If our web apps are using integrated security we have
> already authenticated the user in Active Directory. Isn't that
> what the bind redirect does (authenticates the user)?

Integrated authentication gives you a Windows security context
that you can examine to find your roles/groups within the scope of
the Windows domain.

Bind proxy requires an LDAP simple bind using the credentials
of the Windows principal and what you get as a result is access
to the data in the ADAM instance assuming the ACLs on the data
have been set appropriately. Optionally, upon successful completion
of the bind you can retrieve a token from the ADAM instance that
will contain your domain and ADAM group membership as a list of
SIDs.

> Doing a bind redirect requires the username and password of the user being
> authenticated. Correct or not?

Bind redirect requires the distinguishedName or userPrincipalName (if set)
of the bind proxy object in the ADAM naming context and the Windows
password of the corresponding AD user.

> The advantage I see by doing a bind redirect is that the user
> automatically receives membership to the "Users" group in ADAM.

I'm not sure what the advantage is there; often you have to add the Users
role to the Readers role in a naming context to gain useful access (although
it can be more fine-grained). In the same way, if you read the post at the
link above and the ADAM Help you will see that adding a Windows group, e.g.
Authenticated Users, would give access for your AD accounts with no
bind proxy.

> ("When a user binds to an ADAM instance through a proxy object,
> the user receives membership in the Users group on each naming
> context that is held by the ADAM instance.")

Certainly the bind proxy gets membership of Users role for the naming
context that contains it and of the Users role of the Configuration
naming context of the instance.

> 2. The reviewers guide documentation:
> I think the below statement is misleading or needs to be clarified
> "With Active Directory Application Mode,
> you can use bind redirection to provide Active Directory users
> with access to both ADAM data and Active Directory data,
> using Active Directory domain credentials as a single sign on (SSO)."

I think a clearer explanation is at the link above. A common misunderstanding
with bindProxy and AD account authentication to ADAM is that in the tailored
schema situation the attributes in ADAM will somehow be picked up
as a pass-through, whereas it is the burden of the application to make the join
between the ADAM and AD attributes.

HTH
Lee Flight
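A worked illustration of the points in the reply above (the LDAP simple bind as the proxy object with the user's Windows password, the SID token retrieved afterwards, the application-side "join" of domain groups and ADAM roles, and nesting the Users role inside Readers so the bind actually gains useful access). This is example code added here; it is not from Lee Flight's post or from Microsoft's ADAM documentation. The host name adam.corp.example, the LDAPS port 50636, the partition DC=app,DC=example, the proxy object CN=jsmith,OU=Proxies, the admin credentials and the role DNs are all assumed values.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example; the host, port, partition and DNs below are assumed, not from the thread.
static class AdamBindProxyExample
{
    const string AdamHost = "adam.corp.example";     // assumed ADAM host
    const int AdamSslPort = 50636;                    // assumed LDAPS port of the instance
    const string AppPartition = "DC=app,DC=example";  // assumed application naming context

    // Simple bind as the userProxy object. ADAM matches the proxy's objectSid to the
    // AD account and forwards the password check to the domain, so the password here
    // is the user's Windows password, never an ADAM-held secret. On success the RootDSE
    // tokenGroups attribute lists the SIDs (AD groups plus ADAM roles) of the bound principal.
    public static List<SecurityIdentifier> BindAsProxyAndReadTokenGroups(string proxyDn, string windowsPassword)
    {
        string rootDsePath = string.Format("LDAP://{0}:{1}/RootDSE", AdamHost, AdamSslPort);
        // A simple bind sends the password in the clear, so ADAM by default refuses it unless
        // the connection is SSL-protected; SecureSocketsLayer enforces that on the client side.
        AuthenticationTypes auth = AuthenticationTypes.SecureSocketsLayer;
        using (DirectoryEntry rootDse = new DirectoryEntry(rootDsePath, proxyDn, windowsPassword, auth))
        {
            // RefreshCache performs the bind; a wrong Windows password surfaces here as a
            // DirectoryServicesCOMException (logon failure), which the caller reports.
            rootDse.RefreshCache(new string[] { "tokenGroups" });
            var sids = new List<SecurityIdentifier>();
            foreach (object raw in rootDse.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier((byte[])raw, 0));
            return sids;
        }
    }

    // Splits the token into what the application can resolve through the trust (domain
    // groups) and what only ADAM knows (role SIDs, which have no account in the domain).
    // This is the "join" between AD and ADAM data: nothing in ADAM does it for the application.
    public static void ClassifyToken(IEnumerable<SecurityIdentifier> sids)
    {
        foreach (SecurityIdentifier sid in sids)
        {
            try
            {
                NTAccount account = (NTAccount)sid.Translate(typeof(NTAccount));
                Console.WriteLine("domain group  : {0} ({1})", account.Value, sid.Value);
            }
            catch (IdentityNotMappedException)
            {
                Console.WriteLine("ADAM role SID : {0}", sid.Value);
            }
        }
    }

    // Membership in the Users role alone grants almost no rights; nesting Users inside the
    // Readers role of the partition is the usual way to give bound proxies read access.
    // This is an administrative change and is done with an ADAM administrator bind,
    // not with the proxy credentials (adminDn/adminPassword are assumed placeholders).
    public static void NestUsersRoleInReaders(string adminDn, string adminPassword)
    {
        string readersPath = string.Format("LDAP://{0}:{1}/CN=Readers,CN=Roles,{2}", AdamHost, AdamSslPort, AppPartition);
        string usersRoleDn = "CN=Users,CN=Roles," + AppPartition;
        using (DirectoryEntry readers = new DirectoryEntry(readersPath, adminDn, adminPassword, AuthenticationTypes.SecureSocketsLayer))
        {
            if (!readers.Properties["member"].Contains(usersRoleDn))
            {
                readers.Properties["member"].Add(usersRoleDn);
                readers.CommitChanges();
            }
        }
    }

    static void Main()
    {
        // Assumed proxy object; its objectSid equals the SID of the user's account in the trusted domain.
        string proxyDn = "CN=jsmith,OU=Proxies," + AppPartition;
        try
        {
            List<SecurityIdentifier> token = BindAsProxyAndReadTokenGroups(proxyDn, "<jsmith's Windows password>");
            ClassifyToken(token);
        }
        catch (DirectoryServicesCOMException ex)
        {
            Console.WriteLine("bind as proxy failed: {0}", ex.Message);
        }
    }
}
```

Two design points worth noting: the bind uses AuthenticationTypes.SecureSocketsLayer without AuthenticationTypes.Secure, because a proxy bind must be a simple bind (a Negotiate/Kerberos bind would authenticate directly as the Windows account and bypass the proxy object entirely), and the web application, not ADAM, decides what to do with the mixed list of domain and ADAM SIDs it gets back.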

