Re: ADAM & SASL Bind for Windows Security Principals

From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 4 May 2006 23:36:32 -0500

There are really three bind authentication things you can do with ADAM:
- Use simple bind to authenticate an ADAM user
- Use SASL bind with GSS-SPNEGO to authenticate Windows user (domain or
local machine)
- Use simple bind to authenticate Windows user who is configured as a bind
proxy object in ADAM

Simple bind always passes a plain text password on the network. It is not
secure unless you add some transport security like SSL/LDAP.

SASL bind does not pass a plain text credential. With SPNEGO, the Windows
negotiate protocol is used. If Kerberos is selected, the LDAP client
actually contacts the KDC to authenticate and get a ticket to access the
server. If NTLM is used, then the standard NTLM challenge response thing is
done.

If you are every curious about what's happening, watch the traffic with a
packet sniffer like ethereal. It makes it all very clear.

Joe K.

"Milt" <mlbiii@xxxxxxx> wrote in message
news:eBfB5g6bGHA.3484@xxxxxxxxxxxxxxxxxxxxxxx

Our ADAM Instances our hosted on Windows 2003 member servers.

Application access our ADAM Instances using an Active Directory account.
The applications are using the LDAP protocol to access ADAM. The Active
Directory account has been added to the ADAM Application partition's
Administrators group.

The ADAM documentation indicates that the Simple Authentication Security
Layer (SASL) bind process is used, and that Windows authenticates the user
via the Windows Security API.

When the application routes the authentication request to ADAM, is the
user-id and password passed from the application to ADAM in plain text?

Does the Windows 2003 Server then pass it to the AD using Kerberos?

Thanks,
Milt

Follow-Ups:
- Re: ADAM & SASL Bind for Windows Security Principals
  - From: Milt

References:
- ADAM & SASL Bind for Windows Security Principals
  - From: Milt

Prev by Date: Re: Almost forgot ... Re: The Directory Service is currently unava
Next by Date: Re: Almost forgot ... Re: The Directory Service is currently unava
Previous by thread: ADAM & SASL Bind for Windows Security Principals
Next by thread: Re: ADAM & SASL Bind for Windows Security Principals
Index(es):
- Date
- Thread

Relevant Pages

Re: ADAM Authentication
... Your code will be different for authenticating users in ADAM vs. Active ... you need to use simple bind while with AD you ... If you just want to authenticate a user, you only need a bind operation. ... Joe Kaplan-MS MVP Directory Services Programming ...
(microsoft.public.windows.server.active_directory)
Re: Update schema in ADAM from aremote machine
... The easiest solution is to use secure bind and bind as a windows principal ... If you create an ADAM user in config partition, and add him to config admins ...
(microsoft.public.windows.server.active_directory)
Re: How Redirect ADAM to AD ?
... If you wish to authenticate your users in AD against ADAM using a simple ... LDAP bind, then a bind proxy is what you want to create. ... In order to be able to authenticate my users with their account AD I ...
(microsoft.public.windows.server.active_directory)
Re: Adam Sync Issue
... You need to use simple bind in LDP to authenticate an ADAM user. ...
(microsoft.public.windows.server.active_directory)
Re: ADAM Proxy Bind re-direction
... There are two features in ADAM that allow you to authenticate AD users: ... Bind proxy ... Windows user's credentials to authenticate an Windows ... There are two main reasons to use bind proxy: ...
(microsoft.public.windows.server.active_directory)