Re: ADAM Authentication



ADAM can only authenticate users that are trusted. It won't allow
HOME\joebob to access its data because it does not know who HOME\joebob is. It
is as good as anonymous, as far as ADAM is concerned. If some computer on
the internet authenticated joebob and is saying "this guy is really
authenticated. Oh, and he is a member of BUILTIN\admins too", it does not
mean ADAM should trust that computer to do a good job authenticating.

If HOME was a domain, then you could create a trust from CAMPUS to HOME, and
then ADAM would be able to authenticate users from HOME. However, from your
scenario, I don't think that is possible.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Aaron" <Aaron.Smith@xxxxxxxx> wrote in message
news:1153339803.037160.225080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Ok. So I'm working on creating an Addressbook for domain users that
can be accessed remotely via LDAP. I've setup an ADAM instance and have
ported the user/mail information from our Active Directory domain into
this instance. If I'm using something like Windows Address Book
(wab.exe) from an account that is logged in to the domain, and bind to
ADAM using a windows domain security principal, then it works fine.
However, if I attempt to bind to the ADAM instance using that same
domain security principal while logged into an external machine that is
NOT a part of our domain (or part of a different domain) then the
authentication/bind fails. From looking at the packet traffic, it
appears to be attempting an authentication using the credentials of
the logged in user. For Example:

Let's say my domain username is CAMPUS/aaron. If I'm logged in to my
workstation as CAMPUS/aaron and bind to ADAM using CAMPUS/aaron, it
works fine. However, if I go home, and log into HOME/joebob, and then
configure wab to bind to the ADAM server back at work using the
CAMPUS/aaron username and password, the authentication fails and I
would see an authentication attempt using HOME/joebob.

What do I need to do to allow my domain users to be able to
authenticate to the ADAM instance when they are NOT logged in to the
domain itself? Keep in mind that I do *not* wish to use anonymous
binding, users *must* authenticate before using the directory...


