Re: ADAM Proxy Bind re-direction
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 15 Mar 2006 21:38:19 -0600
There are two features in ADAM that allow you to authenticate AD users:
Pass-through authentication
Bind proxy
Pass-through auth is where you do a secure (GSS-SPNEGO) bind to ADAM with a Windows user's credentials (including using IWA) to authenticate a Windows user. ADAM here can authenticate users on the local machine and users that the current machine has a trust relationship with.
Bind proxies allow you to have an actual object in ADAM that points to a
Windows user. You authenticate with an LDAP simple bind and ADAM redirects
the authentication back to ADAM.
There are two main reasons to use bind proxy:
- Your app can't do a secure/GSS-SPNEGO bind, so you can't use pass-through auth
- You want to extend the schema of your bind proxy class to add additional attribute data to the proxy object to service your application
I think the latter case is kind of interesting, even for apps that could use
secure bind.
Both pass-through and bind proxy are viable options and should probably be
used in the case where you would be considering creating normal ADAM users
and synching the password over from AD. Even though MIIS supports that,
password synch is still a bit icky IMO.
Those are my thoughts. I'm sure others will weigh in as well.
Joe K.
"Craig Gilmour" <CraigGilmour@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:00ECB97F-02AB-420E-A930-64110634D6AF@xxxxxxxxxxxxxxxx
All,
ADAM has a proxy bind redirection option See the following link:
http://technet2.microsoft.com/WindowsServer/en/Library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx
Scroll down to
"Bind Redirection for ADAM Proxy Objects"
Microsoft tends to recommend using Integrated Windows Auth where possible (as I would as well), and only use the proxy auth mode for non-Microsoft apps that require a direct LDAP authentication. However, I have not seen much reference to it.
I have tested this myself and it seems to work quite well. I am curious as to why this option does not get more "airplay". Perhaps it is because MIIS didn't originally have a password sync function and now does!! Are there people out there who have used it in production who have any opinion as to whether it is a viable option? The only real downside that I can see is:
- passwords sent in clear text (or LDAPS) from ADAM to domain controller
However, the upside (over password sync) is:
- No DLL required on domain controllers
- No propagation delays related to password sync
- No real or perceived security issues around sending passwords from a secure repository to other locations
- Passwords kept in a single spot in AD
MIIS could maintain ADAM and populate the SIDS as required.
Any thoughts / comments / recommendations on whether to use this or not.
regards,
Craig Gilmour
Unify Solutions