Re: ADAM Authentication

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

---

• From: "Aaron" <Aaron.Smith@xxxxxxxx>
• Date: 20 Jul 2006 13:16:08 -0700

---

The client app in question is the Windows Address Book. Part of
Microsoft Outlook Express. So...yeah...I do that right after I go wash
some dirt.

Joe Kaplan (MVP - ADSI) wrote:

That's what I was trying to suggest. This sounds like a bug in the client
app you are using. You might want to report this to whoever owns that piece
of code.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Aaron" <Aaron.Smith@xxxxxxxx> wrote in message
news:1153401951.420758.128500@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

But I'm not trying to authenticate as HOME\joebob. I'm providing the
username and password for CAMPUS\aaron and want ADAM to authenticate
THAT. It's Microsoft Outlook Express that is trying to send the
HOME\joebob credentials instead of the CAMPUS\aaron credentials that I
have configured for the LDAP account i the address book. Other LDAP
applications don't seem to have this problem. The ADAM ADSI editor
*and* ldp.exe will both connect and auth/bind from the HOME/joebob
computer using the CAMPUS\aaron credentials.

Dmitri Gavrilov [MSFT] wrote:

ADAM can only authenticate users that are trusted. It won't allow
HOME\joebob access its data because it does not know who HOME\joebob is.
It
is as good as anonymous, as far as ADAM is concerned. If some computer on
the internet authenticated joebob and is saying "this guy is really
authenticated. Oh, and he is a member of BUILTIN\admins too", it does not
mean ADAM should trust that computer to do a good job authenticating.

If HOME was a domain, then you could create a trust from CAMPUS to HOME,
and
then ADAM would be able to authenticate users from HOME. However, from
your
scenario, I don't think that is possible.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Aaron" <Aaron.Smith@xxxxxxxx> wrote in message
news:1153339803.037160.225080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Ok. So I'm working on creating an Addressbook for domain users that
can be access remotely via LDAP. I've setup an ADAM instance and have
ported the user/mail information from our Active Directory domain into
this instance. If i'm using something like Windows Address Book
(wab.exe) from an account that is logged in to the domain, and bind to
ADAM using a windows domain security principal, then it works fine.
However, if I attempt to bind to the ADAM instance using that same
domain security principal while logged into an external machine that is
NOT a part of our domain (or part of a different domain) then the
authentication/bind fails. From looking at the packet traffic, it
appears to be attempting an authentication useing the credentials of
the logged in user. For Example:

Lets say my domain username is CAMPUS/aaron. If I'm logged in to my
workstation as CAMPUS/aaron and bind to ADAM using CAMPUS/aaron, it
works fine. However, if I go home, and log into HOME/joebob, and then
configure wab to bind to the ADAM server back at work using the
CAMPUS/aaron username and password, the authentication fails and I
would see an authentication attempt using HOME/joebob.

What do I need to do to allow my domain users to be able to
authenticate to the ADAM instance when they are NOT logged in to the
domain itself? Keep in mind that I do *not* wish to use anonymous
binding, users *must* authenticate before using the directory...

.

---

• Follow-Ups:
  • Re: ADAM Authentication
    • From: Dmitri Gavrilov [MSFT]

• References:
  • ADAM Authentication
    • From: Aaron
  • Re: ADAM Authentication
    • From: Dmitri Gavrilov [MSFT]
  • Re: ADAM Authentication
    • From: Aaron
  • Re: ADAM Authentication
    • From: Joe Kaplan \(MVP - ADSI\)

• Prev by Date: Re: make each domain user a local admin on his/her machine
• Next by Date: Re: AD 2k3 Password Policy inconsistancies
• Previous by thread: Re: ADAM Authentication
• Next by thread: Re: ADAM Authentication
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: ADAM for application user authentication ... On Apr 17, 10:45 am, "Joe Kaplan" ... that you can get a user's Windows groups membership by query ADAM as well. ... (microsoft.public.windows.server.active_directory) Re: ADAM & SASL Bind for Windows Security Principals ... There are really three bind authentication things you can do with ADAM: ... - Use simple bind to authenticate an ADAM user ... Use simple bind to authenticate Windows user who is configured as a bind ... (microsoft.public.windows.server.active_directory) Re: Security Logging in ADAM ... How does an anonymous login authenticate anyone? ... If a bind was performed against ADAM, there should be a matching audit event ... in the security event log on the ADAM machine assuming that logon events are ... (microsoft.public.windows.server.active_directory) Re: ADAM Authentication ... The ADAM ADSI editor ... then ADAM would be able to authenticate users from HOME. ... if I attempt to bind to the ADAM instance using that same ... Lets say my domain username is CAMPUS/aaron. ... (microsoft.public.windows.server.active_directory) Re: ADAM & SASL Bind for Windows Security Principals ... - Use simple bind to authenticate an ADAM user ... Use simple bind to authenticate Windows user who is configured as a bind ... proxy object in ADAM ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2006-08