Re: ADAM Authentication

Did you check "Use Secure Password Authentication" checkbox? Without it, WAB
will attempt to do a simple ldap bind.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Aaron" <Aaron.Smith@xxxxxxxx> wrote in message
news:1153426568.695381.255790@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The client app in question is the Windows Address Book. Part of
Microsoft Outlook Express. So...yeah...I do that right after I go wash
some dirt.

Joe Kaplan (MVP - ADSI) wrote:
That's what I was trying to suggest. This sounds like a bug in the
client
app you are using. You might want to report this to whoever owns that
piece
of code.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Aaron" <Aaron.Smith@xxxxxxxx> wrote in message
news:1153401951.420758.128500@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
But I'm not trying to authenticate as HOME\joebob. I'm providing the
username and password for CAMPUS\aaron and want ADAM to authenticate
THAT. It's Microsoft Outlook Express that is trying to send the
HOME\joebob credentials instead of the CAMPUS\aaron credentials that I
have configured for the LDAP account i the address book. Other LDAP
applications don't seem to have this problem. The ADAM ADSI editor
*and* ldp.exe will both connect and auth/bind from the HOME/joebob
computer using the CAMPUS\aaron credentials.

Dmitri Gavrilov [MSFT] wrote:
ADAM can only authenticate users that are trusted. It won't allow
HOME\joebob access its data because it does not know who HOME\joebob
is.
It
is as good as anonymous, as far as ADAM is concerned. If some computer
on
the internet authenticated joebob and is saying "this guy is really
authenticated. Oh, and he is a member of BUILTIN\admins too", it does
not
mean ADAM should trust that computer to do a good job authenticating.

If HOME was a domain, then you could create a trust from CAMPUS to
HOME,
and
then ADAM would be able to authenticate users from HOME. However, from
your
scenario, I don't think that is possible.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Aaron" <Aaron.Smith@xxxxxxxx> wrote in message
news:1153339803.037160.225080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Ok. So I'm working on creating an Addressbook for domain users that
can be access remotely via LDAP. I've setup an ADAM instance and
have
ported the user/mail information from our Active Directory domain
into
this instance. If i'm using something like Windows Address Book
(wab.exe) from an account that is logged in to the domain, and bind
to
ADAM using a windows domain security principal, then it works fine.
However, if I attempt to bind to the ADAM instance using that same
domain security principal while logged into an external machine that
is
NOT a part of our domain (or part of a different domain) then the
authentication/bind fails. From looking at the packet traffic, it
appears to be attempting an authentication useing the credentials of
the logged in user. For Example:

Lets say my domain username is CAMPUS/aaron. If I'm logged in to my
workstation as CAMPUS/aaron and bind to ADAM using CAMPUS/aaron, it
works fine. However, if I go home, and log into HOME/joebob, and
then
configure wab to bind to the ADAM server back at work using the
CAMPUS/aaron username and password, the authentication fails and I
would see an authentication attempt using HOME/joebob.

What do I need to do to allow my domain users to be able to
authenticate to the ADAM instance when they are NOT logged in to the
domain itself? Keep in mind that I do *not* wish to use anonymous
binding, users *must* authenticate before using the directory...





.

Relevant Pages

  • Re: Query AD from DMZ via LDAP?
    ... You could use ADAM with passthrough authentication or bind proxy objects, ... Determining group memberships would be a bonus. ...
    (microsoft.public.windows.server.active_directory)
  • Re: adam bind-redirect
    ... You won't be able to do a proxy bind if you don't have the ... This will work only if ADAM ... >>> being authenticated (as in windows authentication or ... >> of the bind proxy object in the ADAM naming context and the Windows ...
    (microsoft.public.windows.server.active_directory)
  • adam bind-redirect
    ... Our Adam will have a user store where we put custom user attributes. ... We an internal Active Directory. ... They have there own SSO solution thats similar to forms authentication. ... The advantage is see by doing a bind redirect is that the user automatically ...
    (microsoft.public.windows.server.active_directory)
  • Re: adam bind-redirect
    ... could benefit from bind redirect/User Proxy Object ... The store for Azman will also be an ADAM. ... > They have there own SSO solution thats similar to forms authentication. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Random logon failure with ADAM Bind Proxy
    ... to the Readers role for an ADAM NC and it worked fine for binding ADAM ... In this thread the original poster is using bind proxies so it might be ... Readers role, he could add the Users role to the Readers role which would ... > Could he also just bind to RootDSE in order to force an authentication? ...
    (microsoft.public.windows.server.active_directory)