Re: ADAM & SASL Bind for Windows Security Principals



Thanks Joe.

I don't have access to the sniffer you mentioned, but did look with Netmon
and filtered on LDAP.

This helps.

Milt

-------
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%234kEE1$bGHA.2404@xxxxxxxxxxxxxxxxxxxxxxx
There are really three bind authentication things you can do with ADAM:
- Use simple bind to authenticate an ADAM user
- Use SASL bind with GSS-SPNEGO to authenticate a Windows user (domain or
local machine)
- Use simple bind to authenticate a Windows user who is configured as a bind
proxy object in ADAM

Simple bind always passes a plain text password on the network. It is not
secure unless you add some transport security like SSL/LDAP.

SASL bind does not pass a plain text credential. With SPNEGO, the Windows
negotiate protocol is used. If Kerberos is selected, the LDAP client
actually contacts the KDC to authenticate and get a ticket to access the
server. If NTLM is used, then the standard NTLM challenge response thing
is done.

If you are ever curious about what's happening, watch the traffic with a
packet sniffer like ethereal. It makes it all very clear.

Joe K.

"Milt" <mlbiii@xxxxxxx> wrote in message
news:eBfB5g6bGHA.3484@xxxxxxxxxxxxxxxxxxxxxxx
Our ADAM instances are hosted on Windows 2003 member servers.

Applications access our ADAM instances using an Active Directory account.
The applications are using the LDAP protocol to access ADAM. The Active
Directory account has been added to the ADAM Application partition's
Administrators group.

The ADAM documentation indicates that the Simple Authentication Security
Layer (SASL) bind process is used, and that Windows authenticates the
user via the Windows Security API.

When the application routes the authentication request to ADAM, is the
user-id and password passed from the application to ADAM in plain text?

Does the Windows 2003 Server then pass it to the AD using Kerberos?

Thanks,
Milt
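Joe's point above about what a sniffer shows, as an added example that is not part of this thread: a small Python encoder/decoder for the LDAPv3 BindRequest (RFC 4511 BER, which ADAM speaks) that builds a simple bind and a GSS-SPNEGO SASL bind and then decodes each the way Netmon or ethereal would, so you can see that the simple bind carries the password verbatim while the SASL bind carries only an opaque negotiate token. The function names, DN and the token bytes are constructed placeholders; a real SASL bind carries a Kerberos or NTLM token from the Windows negotiate exchange, never the password itself.

```python
def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """AuthenticationChoice simple [0] OCTET STRING: the password is sent as-is (msg_id < 128)."""
    body = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def sasl_bind(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """AuthenticationChoice sasl [3] {mechanism, credentials}; name is empty for SASL.
    token is an opaque SPNEGO blob (a constructed placeholder here), not a password."""
    sasl = _tlv(0xA3, _tlv(0x04, mechanism.encode()) + _tlv(0x04, token))
    body = _tlv(0x02, bytes([3])) + _tlv(0x04, b"") + sasl
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def inspect_bind(packet: bytes) -> dict:
    """Decode one LDAPMessage carrying a BindRequest and report what it exposes on the wire."""
    _, msg, _ = _read_tlv(packet, 0)            # LDAPMessage SEQUENCE
    _, _, pos = _read_tlv(msg, 0)               # messageID
    op_tag, bind, _ = _read_tlv(msg, pos)       # protocolOp
    if op_tag != 0x60:                          # [APPLICATION 0] = BindRequest
        raise ValueError("not a BindRequest")
    _, _, pos = _read_tlv(bind, 0)              # version
    _, name, pos = _read_tlv(bind, pos)         # name (LDAPDN)
    auth_tag, auth, _ = _read_tlv(bind, pos)    # AuthenticationChoice
    if auth_tag == 0x80:
        return {"method": "simple", "name": name.decode(), "plaintext_password": auth.decode()}
    if auth_tag == 0xA3:
        _, mech, _ = _read_tlv(auth, 0)
        return {"method": "sasl", "mechanism": mech.decode(), "plaintext_password": None}
    raise ValueError(f"unexpected AuthenticationChoice tag {auth_tag:#x}")
```

Run `inspect_bind` over the bytes of each request: the simple bind reports the password it found in the clear, the GSS-SPNEGO bind reports only the mechanism, which is exactly why simple bind needs SSL and SASL does not.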
