Re: Oh.... I'm just wondering who's seen this stumper...



Intriguing. I wonder what the original problem was?




"Joe_SMS" <jw_nagy@xxxxxxxxxxx> wrote in message
news:1154130352.549253.76210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Okay.... something to add. We found out that his code was deleting the
attribute value before writing to it. Some attributes, we don't sync
to testing domain.

Failure audits were coming on attributes that had NULL values in AD.
Instead of running his code, we had him test the process with ldifde
and then we found out. When we were testing with the account he's
using, we were writing values and deleting existing values with no
problem. Never bothered trying deleting NOTHING.

Question: he claims there wasn't a problem when "write all properties"
was set on the user objects. All that was done differently,
permission-wise, was that samaccountname and upn were "unchecked", which of course
led to "write all properties" being unchecked.

Would something give him the ability to clear a NULL with "write all
properties"? I almost believe him... but he's been wrong too many
times. Who deletes nothing? That's why I see nothing posted out there,
I guess. Hope this narrows it...

Who's got that nugget ?




Joe, I appreciate your help immensely. I'm enterprise admin of 40,000
seats. My email address is jnat514@xxxxxxxxxx. I don't wanna get into a
thing about your products here with your MS MVP hat on.







Joe Richards [MVP] wrote:
There won't be a requirement to auth with say the UPN as any of the
credential mechanisms will result in the same token, however, if say for
instance the userid is specified with a blank password they would be
authenticated as anonymous.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Ace Fekay [MVP] wrote:
In news:eKrq18esGHA.4784@xxxxxxxxxxxxxxxxxxxx,
Joe Richards [MVP] <humorexpress@xxxxxxxxxxx> stated, which I commented on below:
Oh, to add on, using LDAP to update attributes works in a delegated
manner, I have seen it in hundreds of production forests and thousands
of test forests. If delegating specific attributes to a user and that
user can't write them then they

a. Aren't authenticating properly
b. Aren't using LDAP properly
c. Aren't just updating those attributes, or are updating those
attributes incorrectly.

Joe,

I was following this thread and initially I thought to ask how
authentication is written in the script. Now you mentioned A above, I wonder
if it matters, especially in a multi-domain forest, or the fact that LDAP
requires it, to authenticate using the UPN (username@xxxxxxxxxx) instead of
an NTLM method (domain\user)? I think if it were the domain admin that
cached credentials are used, but any other account would require specific
authentication? Am I off base?
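The failure Joe_SMS reports above (failure audits on attributes that are NULL in AD because the code deleted the value before writing it) comes down to LDAP modify semantics: a delete on an attribute that is not present fails with noSuchAttribute, while a replace of a missing attribute succeeds. The following toy model of those semantics, plus an ldifde-style LDIF renderer, is an added example and not code from this thread; the entry, DN and attribute names are constructed for illustration.

```python
# Added example: toy model of LDAP modify semantics (RFC 4511) showing why
# "delete then add" fails on an attribute that is absent (NULL in AD) while
# "replace" succeeds. Sample entry, DN and attribute names are constructed.

NO_SUCH_ATTRIBUTE = "noSuchAttribute (LDAP result code 16)"

def apply_modify(entry, changes):
    """Apply ordered (op, attr, values) modifications to {attr: [values]}.
    Returns (new_entry, error). Like a real LDAP server the modify is atomic:
    if any step fails the original entry is returned unchanged with the error."""
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, values in changes:
        if op == "delete":
            if attr not in new:              # deleting NOTHING -> server error
                return entry, NO_SUCH_ATTRIBUTE
            if values:                       # delete specific values only
                for v in values:
                    if v not in new[attr]:
                        return entry, NO_SUCH_ATTRIBUTE
                    new[attr].remove(v)
                if not new[attr]:
                    del new[attr]
            else:                            # delete whole attribute
                del new[attr]
        elif op == "add":
            new.setdefault(attr, []).extend(values)
        elif op == "replace":
            if values:
                new[attr] = list(values)
            else:
                new.pop(attr, None)          # replace with nothing = clear; never errors
        else:
            raise ValueError(f"unknown op {op}")
    return new, None

def to_ldif(dn, changes):
    """Render the same modifications as an ldifde-compatible LDIF record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"

# Constructed sample user whose 'department' attribute is NULL (absent) in AD.
DN = "CN=jsmith,OU=Users,DC=example,DC=test"
USER = {"sAMAccountName": ["jsmith"], "userPrincipalName": ["jsmith@example.test"]}

UNSAFE = [("delete", "department", []), ("add", "department", ["Finance"])]  # fails
SAFE = [("replace", "department", ["Finance"])]                               # works
```

Feeding `to_ldif(DN, UNSAFE)` to ldifde reproduces the failure against an account whose attribute is empty, independent of the delegated permissions; `to_ldif(DN, SAFE)` is the form the delegated writer should use.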
