Re: ADAM authentication failure.
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 19 Feb 2006 14:57:09 -0600
Wow. Thanks again for all of the extra details. We can definitely use this
to provide some "best practices" guidance for people. I think sticking with
DN and UPN is good practice, as long as steps are taken to ensure UPN is not
duplicated. This is non-trivial in a replicated environment, but is worth
putting some effort into if it is really important. This really applies to
AD as well if UPNs are being assigned.
The objectGUID, displayName, SPN and such options were a total revelation to
me though.
Joe K.
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ueR35oSNGHA.1124@xxxxxxxxxxxxxxxxxxxxxxx
Wanted to point out a couple of interesting consequences of the info below.
If you have user1 whose displayName is Dmitri, and user2 whose
userPrincipalName is Dmitri, then if you do simple bind as Dmitri, then
you'll authenticate as user1.
If you have two users whose displayName is Dmitri, then you won't be able
to bind. Same for UPN.
So, I guess I am going to revise the statement below. The only
"guaranteed" way to bind is to use the DN, because we guarantee the
uniqueness of this one. Everything else will be a wild guess :)
--
Dmitri Gavrilov
SDE, DS Admin eXperience
This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OKFtWaSNGHA.3144@xxxxxxxxxxxxxxxxxxxxxxx
DN and UPN are the "guaranteed" ones. Everything else is pretty much a
wild guess. So, we are basically doing a CrackName call with "unknown
input format". It tries to apply several formats, in the following order:
FQDN_1779_NAME
CANONICAL_NAME
UNIQUE_ID_NAME (guid)
DISPLAY_NAME
SERVICE_PRINCIPAL_NAME
SID_OR_SID_HISTORY_NAME (stringized sid iirc)
CANONICAL_NAME_EX (slightly differently formatted canonical name)
USER_PRINCIPAL_NAME
Note if the string does not look like it matches the format (e.g. does
not look like a DN or a guid), then we do not try to actually search for
it.
Note displayName matches any string, so it actually takes precedence
over UPN. UPN too matches any string (but only in ADAM).
The list above is for ADAM. AD uses a similar algorithm for simple binds.
But the matching order for AD is slightly different:
FQDN_1779_NAME
USER_PRINCIPAL_NAME (must match user@domain pattern)
NT4_ACCOUNT_NAME (domain\username)
CANONICAL_NAME
UNIQUE_ID_NAME (guid)
DISPLAY_NAME
SERVICE_PRINCIPAL_NAME
SID_OR_SID_HISTORY_NAME
CANONICAL_NAME_EX
--
Dmitri Gavrilov
SDE, DS Admin eXperience
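The two resolution orders Dmitri lists, together with the consequences he draws from them further up the thread (a displayName beats a UPN of the same value, and two users sharing a displayName or UPN cannot bind), and Joe's point that UPN uniqueness has to be actively enforced, as an added simulation. This is not code from the thread or from ADAM/AD itself: the format order is Dmitri's, but the per-format "looks like" syntax checks, the CANONICAL_NAME_EX shape (rightmost '/' replaced by a newline), and the sample directory entries are assumptions made for this example.

```python
"""Simulation of the simple-bind name resolution order given in the thread (ADAM vs AD).
Added for this page, not ADAM's or AD's own code: the format order is Dmitri's, but the
per-format syntax checks and the CANONICAL_NAME_EX shape (last '/' -> newline) are assumed."""
import re
from dataclasses import dataclass
from typing import Optional

# A format is only searched when the bind name "looks like" it (assumed patterns).
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")             # CN=u,OU=x,DC=d,DC=c
CANONICAL_RE = re.compile(r"^[^/\s]+\.[^/\s]+/[^\n]+$")                 # d.c/x/u
CANONICAL_EX_RE = re.compile(r"^[^/\s]+\.[^/\s]+(/[^/\n]+)*\n[^/\n]+$") # d.c/x\nu (assumed)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SPN_RE = re.compile(r"^[^/\s@\\]+/\S+$")                                 # HTTP/host
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$", re.I)
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")                                # user@domain (AD)
NT4_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")                             # DOMAIN\user (AD)
ANY = re.compile(r".+", re.S)                                            # displayName; UPN in ADAM

@dataclass
class Entry:
    dn: str
    guid: str
    sid: str
    upn: Optional[str] = None
    display_name: Optional[str] = None
    spns: tuple = ()
    nt4_name: Optional[str] = None

def canonical_name(dn):
    """CN=user1,OU=Users,DC=example,DC=com -> example.com/Users/user1"""
    rdns = [p.split("=", 1) for p in dn.split(",")]
    domain = ".".join(v for k, v in rdns if k.upper() == "DC")
    return domain + "/" + "/".join(reversed([v for k, v in rdns if k.upper() != "DC"]))

def canonical_name_ex(dn):
    """Assumed EX form: rightmost '/' of the canonical name replaced by a newline."""
    return "\n".join(canonical_name(dn).rsplit("/", 1))

def _eq(attr, name):
    return attr is not None and attr.casefold() == name.casefold()

# (format name, looks-like pattern, entry matcher), assembled in Dmitri's two orders
FQDN = ("FQDN_1779_NAME", DN_RE, lambda e, s: _eq(e.dn, s))
CANON = ("CANONICAL_NAME", CANONICAL_RE, lambda e, s: _eq(canonical_name(e.dn), s))
GUID = ("UNIQUE_ID_NAME", GUID_RE, lambda e, s: _eq(e.guid, s))
DISPLAY = ("DISPLAY_NAME", ANY, lambda e, s: _eq(e.display_name, s))
SPN = ("SERVICE_PRINCIPAL_NAME", SPN_RE, lambda e, s: any(_eq(x, s) for x in e.spns))
SID = ("SID_OR_SID_HISTORY_NAME", SID_RE, lambda e, s: _eq(e.sid, s))
CANON_EX = ("CANONICAL_NAME_EX", CANONICAL_EX_RE, lambda e, s: _eq(canonical_name_ex(e.dn), s))
UPN_ADAM = ("USER_PRINCIPAL_NAME", ANY, lambda e, s: _eq(e.upn, s))    # any string in ADAM
UPN_AD = ("USER_PRINCIPAL_NAME", UPN_RE, lambda e, s: _eq(e.upn, s))   # user@domain only
NT4 = ("NT4_ACCOUNT_NAME", NT4_RE, lambda e, s: _eq(e.nt4_name, s))
ORDER = {
    "adam": [FQDN, CANON, GUID, DISPLAY, SPN, SID, CANON_EX, UPN_ADAM],
    "ad": [FQDN, UPN_AD, NT4, CANON, GUID, DISPLAY, SPN, SID, CANON_EX],
}

class AmbiguousName(Exception):
    """A format matched more than one entry: the bind fails (two users named Dmitri)."""

def resolve(name, directory, mode="adam"):
    """(format, dn) from the first format with exactly one hit; None if nothing matches."""
    for fmt, looks_like, matches in ORDER[mode]:
        if not looks_like.match(name):
            continue                      # wrong shape for this format: not searched
        hits = [e for e in directory if matches(e, name)]
        if len(hits) > 1:
            raise AmbiguousName(f"{fmt}: {name!r} matches {len(hits)} entries")
        if hits:
            return fmt, hits[0].dn
    return None

def audit_bind_names(directory, mode="adam"):
    """For every user's own UPN and displayName, report where a simple bind really lands."""
    findings = []
    for e in directory:
        for attr in ("upn", "display_name"):
            value = getattr(e, attr)
            if not value:
                continue
            try:
                hit = resolve(value, directory, mode)
            except AmbiguousName:
                findings.append((e.dn, attr, value, "ambiguous"))
                continue
            if hit is None or hit[1] != e.dn:
                findings.append((e.dn, attr, value, f"binds as {hit}"))
    return findings

# Constructed entries (not from the thread): user1's displayName equals user2's UPN.
def _u(n, **kw):
    return Entry(f"CN=user{n},OU=Users,DC=example,DC=com",
                 f"6f1c2a3e-0000-4000-8000-00000000000{n}", f"S-1-5-21-100-200-300-100{n}", **kw)
SAMPLE = [_u(1, upn="user1@example.com", display_name="Dmitri"),
          _u(2, upn="Dmitri", display_name="User Two"),
          _u(3, upn="user3@example.com", display_name="User Three",
             spns=("HTTP/app.example.com",), nt4_name="EXAMPLE\\user3")]
DUPLICATES = SAMPLE + [_u(4, upn="user4@example.com", display_name="Dmitri")]  # two Dmitris

if __name__ == "__main__":
    for finding in audit_bind_names(SAMPLE) + audit_bind_names(DUPLICATES):
        print(finding)
```

With the sample entries, a simple bind as "Dmitri" lands on user1 through DISPLAY_NAME even though user2 owns that UPN, and adding a second user with displayName "Dmitri" makes the same bind fail outright. audit_bind_names is the check Joe's "make sure UPN is not duplicated" advice implies in practice: run it over an export of the directory's UPN and displayName values rather than trusting uniqueness by convention, and note that it catches cross-attribute collisions that a per-attribute uniqueness check would miss.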
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:unhYDlBNGHA.984@xxxxxxxxxxxxxxxxxxxxxxx
Geez, I just tested it and it works as Lee advertised. Sigh.
canonicalName and displayName too...
Joe K.
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:ey87yiBNGHA.1124@xxxxxxxxxxxxxxxxxxxxxxx
Since when are canonicalName and displayName supported for simple bind?
I thought it was just DN and UPN? Crap, my book is wrong and it is
already too late! Argh!
Joe K.
"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:eiJjF0ANGHA.4052@xxxxxxxxxxxxxxxxxxxxxxx
Hi
in ADAM SP1 you have two options for binding as an ADAM user:
simple bind (using distinguishedName or canonicalName or
displayName or userPrincipalName)
or
digest bind (using distinguishedName)
any other SASL bind (NTLM,Kerberos,negotiated) will only work
for a local or domain windows account.
Lee Flight