Re: ADAM and Windows Address Book
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 13 Sep 2006 12:09:51 -0500
Thanks for the explainer, Lee. That makes a lot more sense. It sounds like
there is a UI bug, as they should probably grey out the credentials when
checking SPA if they aren't going to use them. I wish they wouldn't even
use the word "SPA", as that isn't an LDAP term and doesn't tell you what it
is actually going to do.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:uLWDNH11GHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
Hi
I tried a repro. of this and found that if SPA is checked then there is an
SSPI logon using the credentials of the logged on account.
It seems the username/password pair is only used if SPA is not checked.
With SPA not checked, there is an LDAP simple bind to the directory server,
so in the case of binding to ADAM the account would need to be a native
ADAM user. Checking SSL results in an LDAP simple bind over SSL.
Lee Flight
"Rich Raffenetti" <raffenetti@xxxxxxxxxxx> wrote in message
news:%23SJmFoh1GHA.4300@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for your response. I have added responses to your questions in
the thread below. I hope my answers will help to resolve the situation.
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23JYAcrV1GHA.1568@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, I remember something came up with WAB.
Questions:
Which port is your WAB configured to talk to: LDAP or SSL?
I have tried both. They both fail for authenticated access. For SSL I
have a commercial Entrust certificate. (Note that LDP works with either
389 or 636.) We are interested in using SSL and having authenticated
access.
Are you trying to bind with Windows credentials or ADAM user
credentials?
Windows credentials.
Is "logon using secure password authentication" checkbox on or off?
Most testing with SPA checked. See below for detailed results.
When connecting from domain-joined workstation -- please try to logon as
a local admin (non-domain user), and check if it still works.
I've tried from a local admin account on the ADAM server. The event log
shows a failed attempt with the local credentials even though Windows
domain credentials were configured into the WAB. Without the SPA
checked, the message is "The specified directory service has denied
access. Check the properties for this directory service and verify that
your Authentication Type settings and parameters are correct." When I
checked the box for SPA, the message changed to "There are no entries in
the directory that match your search criteria." I check with LDP and the
elements I am searching for are there.
I changed to an administrator account in the domain on the ADAM server
and the same searches obtain the following results. With SPA checked,
the searches succeed. Without SPA checked, the message "The specified
directory..." reappears. This is with both port 389 and 636.
--
Dmitri Gavrilov
SDE, Active Directory team
This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Rich Raffenetti" <raffenetti@xxxxxxxxxxx> wrote in message
news:eGVZUP00GHA.2636@xxxxxxxxxxxxxxxxxxxxxxx
I have implemented a domain-based ADAM and have the following problem
accessing it from Windows Address Book in only certain circumstances. I
am doing all of these tests with SSL (port 636). The SSL cert is from a
commercial CA (Entrust) and the root certificate is found in all Windows
systems - as long as they update Root Certificates.
WAB accesses ADAM from a client XP Pro workstation in the domain just
fine.
However, WAB does NOT access the same ADAM from a client XP Pro
workstation that is not in the domain.
LDP connects and binds to the same ADAM fine from the same
workstations, whether or not the XP Pro client workstation is in the
domain. The LDP experiments were also with SSL to port 636.
I found a thread on this issue from May 2006. There was no solution
nor was there any confirmation of this problem. I find the same
behavior as was reported then.
I get the same result when I use port 389 (no SSL).
This seems to be a WAB issue. Any ideas?
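Lee Flight's repro above comes down to two different bind types: with SPA checked an SSPI (Negotiate) bind that uses the logged-on Windows account and ignores the typed credentials, and with SPA unchecked an LDAP simple bind that sends the typed username/password, which ADAM then evaluates as one of its own users. The PowerShell below is an added example, not code from any poster, that issues those two binds explicitly with System.DirectoryServices.Protocols so the difference can be reproduced outside WAB; the server name, port and account values are placeholders.

```powershell
# Added example: reproduce the two WAB bind paths against ADAM.
# Placeholders: replace server, port and account values for your instance.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'adam.example.com'   # placeholder ADAM host
$port   = 636                  # 636 = LDAP over SSL, 389 = plain LDAP

function Test-AdamBind {
    param(
        [string]$Server,
        [int]$Port,
        [string]$AuthType,                              # 'Negotiate' or 'Basic'
        [System.Net.NetworkCredential]$Credential = $null
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]$AuthType

    # A simple bind sends the password in clear, so only allow it on the SSL port.
    if ($AuthType -eq 'Basic' -and $Port -ne 636) {
        throw 'Refusing simple bind without SSL'
    }
    if ($Port -eq 636) { $conn.SessionOptions.SecureSocketLayer = $true }

    try {
        if ($Credential) { $conn.Bind($Credential) } else { $conn.Bind() }
        "Bind OK ($AuthType on port $Port)"
    } catch {
        "Bind failed ($AuthType on port $Port): $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

# 1) "SPA checked": SSPI/Negotiate bind. No credential is passed, so ADAM sees
#    whatever account is logged on to Windows. On a workstation outside the
#    domain that is a local account, which explains the failures in the thread.
Test-AdamBind -Server $server -Port $port -AuthType Negotiate

# 2) "SPA not checked": LDAP simple bind with explicit credentials over SSL.
#    ADAM evaluates the name as one of its own (native ADAM) users, not as a
#    Windows account. Placeholder DN and password.
$cred = New-Object System.Net.NetworkCredential(
    'CN=wab-reader,OU=Users,O=Example', 'placeholder-password')
Test-AdamBind -Server $server -Port $port -AuthType Basic -Credential $cred
```

Running the Negotiate call from a domain account and then from a local account on the same workstation reproduces the success/failure split reported above without involving WAB's UI.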