Re: ADAM Proxy Bind re-direction - In reverse
- From: "GeoW" <lanman@xxxxxxxxxxx>
- Date: 17 Jan 2007 12:53:30 -0800
Our goal is to use the ADAM directory as our master identity directory
and LDAP application authentication source. This directory is populated
by our HR system and will contain both the accounts of active faculty,
staff, and students who will also have matching active directory
accounts, and the accounts of former faculty, staff, and students who
no longer have A/D accounts but require access to some non-A/D
resources (which authenticate against ADAM). We will be using MIIS to
provision "active" accounts to A/D, and deprovision them when no longer
"active". Students and faculty come and go frequently as does their A/D
account. We don't want to retain all these accounts in A/D, only in
When a person goes from "former" to "active" status, a new A/D account
is created. Since there is no way to recover the password which they
have been using against ADAM and pass that along to A/D, I would like
to have treated A/D as just another application that authenticates
using credentials stored in the ADAM directory.
We have a password synchronization tool, but that only works when the
user resets their a password. We're hoping not to have to force these
folks to reset their password (before the scheduled expiration) just
because they've re-enrolled or been rehired.
Joe Kaplan wrote:
You can't. It doesn't work like that. :)
The closest thing you could come to approximating something like this would
be to authenticate against ADAM via an LDAP bind and then use Kerberos S4U
to do protocol transition to create a Windows logon token for the user. S4U
is accessed programmatically via the LsaLogonUser API call or in .NET via
the WindowsIdentity constructor that takes the user's UPN.
Perhaps you are trying to do something like that? If not, please explain
your application in more detail.
Interestingly, this is one of the methods that ADFS uses to integrate web
applications that require Windows tokens with alternate identity stores like
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
"GeoW" <lanman@xxxxxxxxxxx> wrote in message
Most are probably familiar with the ADAM Proxy Bind feature which
basically allows an ADAM user account to be authenticated against an
Active Directory password. I'd like to do exactly the reverse - I want
to authenticate Active Directory users against a password stored in our
Any idea how this might be accomplished?
- Prev by Date: Re: Need Expert Opinions - VMware & Active Directory
- Next by Date: Re: Block all outside traffice when using RRAS
- Previous by thread: Re: ADAM Proxy Bind re-direction - In reverse
- Next by thread: Re: ADAM Proxy Bind re-direction - In reverse