Re: DNS/Kerberos/LDAP integration question




Not that they need it, but I concur with Al and JoeK. DNS finds the DCs to authenticate against and Kerberos does the authentication. There are folks that artificially force apps to use LDAP for auth, but that isn't the intent behind LDAP.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

        http://www.joeware.net/win/ad3e.htm



Joe Kaplan (MVP - ADSI) wrote:
LDAP is not involved in the logon process. The best way to understand what happens is to use a packet sniffer. Perhaps you could hook up a machine via a hub and capture some packets while another machine logs on? Look for port 389 access to the domain controller if you are checking for LDAP. Kerberos is 88, etc. There is no better way to understand what happens on the wire than to do some packet sniffing.

Note that as I said before, this does not include any LDAP code in logon scripts and such. We are just talking about the actual logon.

Joe K.

"Spin" <Spin@xxxxxxxx> wrote in message news:442f2cF2ic2U1@xxxxxxxxxxxxxxxxx
Thank you for your reply. It *un-muddles* me a bit, but still doesn't answer my question of whether LDAP is involved in the logon process. Your answer implies that it does not, and I am willing to accept that, provided no one else jumps in on this thread and proves us both wrong. :-)

--
Spin

"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message news:OKPdIYFJGHA.2900@xxxxxxxxxxxxxxxxxxxxxxx
LDAP is not an authentication protocol. LDAP is a directory access protocol (DAP, but that was designed for use with X.500 directories; LDAP is a "lightweight" version of that protocol).

Kerberos is an authentication protocol and DNS is a directory access protocol/system. All three are in use during a normal logon.

What makes you ask? Or does this answer your question?

Al

"Spin" <Spin@xxxxxxxx> wrote in message news:441tmtF1q01rjU1@xxxxxxxxxxxxxxxxx
When a user logs onto a workstation joined to an AD domain, the machine uses DNS to locate domain controllers in the user's site, and the user then authenticates to the Active Directory instance on the domain controller DNS sent him to. Kerberos does this authentication, and LDAP is not involved in this situation at all? Or is it at least not the most prominent protocol in this series of events?

--
Spin
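An added example, not code from anyone in this thread: the two things the replies above tell you to look at are the DNS SRV names the DC locator queries and the destination ports in a capture taken while a workstation logs on. The script below builds the documented _msdcs SRV names for a domain and site, then classifies a small, constructed capture (tshark-style "proto src -> dst" lines with made-up 10.0.0.x addresses) by destination port, keeping UDP 389 (the DC locator's CLDAP ping) separate from an LDAP bind on TCP 389 so the two are not confused when you read the trace. The domain name, site name and the capture lines are all assumptions for illustration.

```python
"""Model the DC-locator lookup and classify a logon capture by port.

Added example; the domain, site and capture lines below are constructed.
"""
import re
from collections import Counter

# Destination port/transport -> what that traffic is during a domain logon.
PORT_ROLE = {
    (53, "udp"):  "DNS (DC locator SRV lookup)",
    (88, "udp"):  "Kerberos (AS-REQ/TGS-REQ)",
    (88, "tcp"):  "Kerberos (AS-REQ/TGS-REQ)",
    (389, "udp"): "CLDAP (DC locator ping, not an LDAP bind)",
    (389, "tcp"): "LDAP (directory access)",
    (445, "tcp"): "SMB (SYSVOL/NETLOGON, e.g. logon scripts)",
    (464, "udp"): "Kerberos kpasswd",
    (464, "tcp"): "Kerberos kpasswd",
}

# Constructed capture: one DNS query, one CLDAP ping, two Kerberos exchanges
# (AS and TGS), then SMB to fetch the logon script. No TCP 389 at all.
SAMPLE_CAPTURE = """\
udp 10.0.0.25:51024 -> 10.0.0.10:53
udp 10.0.0.25:51025 -> 10.0.0.11:389
udp 10.0.0.25:51026 -> 10.0.0.11:88
udp 10.0.0.25:51027 -> 10.0.0.11:88
tcp 10.0.0.25:49153 -> 10.0.0.11:445
"""

_FLOW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def dc_locator_srv_names(domain, site=None):
    """Return the SRV names the DC locator asks DNS for, site-specific first.

    The _msdcs layout is the documented one; domain and site are inputs.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
        names.append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    names.append(f"_kerberos._tcp.dc._msdcs.{domain}")
    return names


def classify_capture(text):
    """Count flows per role; unknown ports are reported as 'other'."""
    counts = Counter()
    for line in text.splitlines():
        m = _FLOW.match(line.strip())
        if not m:
            continue  # skip anything that is not a flow line
        proto, _src, _sport, _dst, dport = m.groups()
        counts[PORT_ROLE.get((int(dport), proto), "other")] += 1
    return counts


def logon_used_ldap_bind(counts):
    """True only if an actual LDAP (TCP 389) conversation appears."""
    return counts.get("LDAP (directory access)", 0) > 0


if __name__ == "__main__":
    for n in dc_locator_srv_names("corp.example.com", "HQ"):
        print("SRV lookup:", n)
    c = classify_capture(SAMPLE_CAPTURE)
    for role, n in c.most_common():
        print(f"{n:3d}  {role}")
    print("LDAP bind seen:", logon_used_ldap_bind(c))
```

Feed it real output (e.g. a tshark field dump reshaped into the same "proto src:port -> dst:port" form) and the tally shows at a glance whether the authentication happened over port 88 and whether anything beyond the DC locator ping touched 389.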








