Re: Anonymous LDAP Access Problem




It doesn't sound like you are accessing AD anonymously. It sounds like your
ADSI code is authenticating with the current Windows user's credentials,
which works when that is a domain account, but does not when that account is
a local machine account.

AD in 2003 doesn't actually allow anonymous searches at all, so if you were
to try that, it would probably not work. Doing anonymous auth requires
using empty strings for your credentials in OpenDsObject and passing in the
"anonymous" authentication flag.

It might be easier if you just enabled basic authentication in IIS rather
than trying to do your own authentication in ADSI. That would immediately
fix your problem here.

Another thing to consider is that you don't need the user's DN to
authenticate them. Simply binding to RootDSE with their credentials will
authenticate them. The only reason to get their DN is if you need to look
up some additional information for them.

Joe K.
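The approach Joe describes, as an added example that is not code from either post: classic ASP (VBScript) under IIS using ADSI, where a secure bind to RootDSE with the user's own credentials is the authentication step, and the DN/ADsPath lookup is done only when extra attributes are needed, with a dedicated service account rather than the IIS anonymous identity. The server name "dc01.example.com", the naming context "DC=example,DC=com" and the service account are placeholders.

```vbscript
' Added example (not code from either post). Classic ASP / VBScript using ADSI.
' "dc01.example.com", "DC=example,DC=com" and the service account are placeholders.
Const ADS_SECURE_AUTHENTICATION = 1    ' Kerberos/NTLM, never a clear-text simple bind
Const ADS_SERVER_BIND           = 512  ' the ADsPath names a specific server, not a domain
Const LDAP_SERVER = "LDAP://dc01.example.com"

' Authenticate by binding to RootDSE with the user's own credentials.
' Returns True only if the secure bind succeeds; no DN lookup is needed.
Function AuthenticateUser(strUser, strPassword)
    Dim objDSO
    AuthenticateUser = False
    ' An empty password must never reach the bind: some LDAP servers treat it
    ' as an unauthenticated bind that "succeeds" for any user name.
    If Len(strPassword) = 0 Then Exit Function
    On Error Resume Next
    Set objDSO = GetObject("LDAP:")
    objDSO.OpenDSObject LDAP_SERVER & "/RootDSE", strUser, strPassword, _
                        ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND
    If Err.Number = 0 Then AuthenticateUser = True
    Err.Clear
    On Error GoTo 0
End Function

' Escape user-supplied text for an LDAP filter (RFC 4515), so a user id such
' as "*)(objectClass=*" cannot widen the search.
Function EscapeLdapFilter(strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilter = s
End Function

' Only needed when extra attributes are required: look up the ADsPath using a
' dedicated service account instead of relying on the IIS anonymous identity.
Function LookupAdsPath(strUserId, strSvcUser, strSvcPassword)
    Dim objConn, objRS
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Properties("User ID") = strSvcUser
    objConn.Properties("Password") = strSvcPassword
    objConn.Properties("Encrypt Password") = True
    objConn.Open "Active Directory Provider"
    Set objRS = objConn.Execute("<" & LDAP_SERVER & "/DC=example,DC=com>;" & _
        "(&(objectCategory=person)(sAMAccountName=" & EscapeLdapFilter(strUserId) & "));" & _
        "ADsPath;subtree")
    If objRS.EOF Then LookupAdsPath = "" Else LookupAdsPath = objRS.Fields("ADsPath").Value
    objRS.Close: objConn.Close
End Function
```

Because `AuthenticateUser` binds with the user's credentials directly, the application never has to search the directory before it knows whether the password is valid.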

"JayMG" <JayMG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BB51272C-1BB4-46B0-B415-24B71B53730D@xxxxxxxxxxxxxxxx
Hi,

I have an ASP application that I am using to authenticate users. The
application takes a unique user id and searches LDAP anonymously to return
the ADSPath for the id. I then go back and authenticate the user using the
ADSPath and their password.

The problem is that the LDAP anonymous access search only works if I
configure the anonymous account for my website (via IIS Manager) to a
domain account. If I set it as a local IUSR account I cannot connect.

I spoke to the guys that administer AD here and they said that anonymous
access should allow anyone to access LDAP and search to retrieve "allowed"
attribute which is confusing me.

Can anyone confirm the default behaviour of anonymous access to LDAP?
(i.e. would I have to run my website with a domain account? or should it not
matter?).

Many thanks,

Jay.






