Re: ADAM Proxy Bind re-direction - In reverse
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 Jan 2007 21:05:38 -0600
It is a cool scenario you describe. The basic thing is that any application
that needs Kerberos or NTLM auth against AD will only use the passwords in
AD. That means pretty much anything related to Windows workstation
security. My guess is that you probably have some of that if you are using
AD in the first place, so you'll need the passwords in AD for those users.
There isn't really a way around it. ADAM definitely can't fit in that role.
In the context of web applications that want to do LDAP auth, you could
certainly point to ADAM and use that.
There are some other interesting integration scenarios you can do in the web
application space with federation products like ADFS. ADFS makes it
relatively easy to do SSO with web apps and support both AD and ADAM user
stores. You might end up taking a different approach of keeping the
"alumni" users in ADAM and the current users in AD and weaving the apps
together via federation. MIIS could still be in the provisioning mix.
Obviously, I don't have very many details about what you are trying to do,
so I'm not sure if any of this is really applicable on deeper examination,
but hopefully it gives you a few more useful ideas.
Another option might be to store passwords encrypted in a database. It is
really icky for a bunch of extremely valid security reasons, but sometimes
it makes sense and you can find reasonable ways to mitigate the risk.
Forcing people to reset passwords on major events might be something that
the decision makers can be talked into as well.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"GeoW" <lanman@xxxxxxxxxxx> wrote in message
news:1169067210.372623.171070@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Our goal is to use the ADAM directory as our master identity directory
and LDAP application authentication source. This directory is populated
by our HR system and will contain both the accounts of active faculty,
staff, and students who will also have matching active directory
accounts, and the accounts of former faculty, staff, and students who
no longer have A/D accounts but require access to some non-A/D
resources (which authenticate against ADAM). We will be using MIIS to
provision "active" accounts to A/D, and deprovision them when no longer
"active". Students and faculty come and go frequently as does their A/D
account. We don't want to retain all these accounts in A/D, only in
ADAM.
When a person goes from "former" to "active" status, a new A/D account
is created. Since there is no way to recover the password which they
have been using against ADAM and pass that along to A/D, I would like
to have treated A/D as just another application that authenticates
using credentials stored in the ADAM directory.
We have a password synchronization tool, but that only works when the
user resets their password. We're hoping not to have to force these
folks to reset their password (before the scheduled expiration) just
because they've re-enrolled or been rehired.
George
Joe Kaplan wrote:
You can't. It doesn't work like that. :)
The closest thing you could come to approximating something like this
would be to authenticate against ADAM via an LDAP bind and then use Kerberos
S4U to do protocol transition to create a Windows logon token for the user.
S4U is accessed programmatically via the LsaLogonUser API call or in .NET via
the WindowsIdentity constructor that takes the user's UPN.
Perhaps you are trying to do something like that? If not, please explain
your application in more detail.
Interestingly, this is one of the methods that ADFS uses to integrate web
applications that require Windows tokens with alternate identity stores
like ADAM.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"GeoW" <lanman@xxxxxxxxxxx> wrote in message
news:1168975397.762689.153900@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Most are probably familiar with the ADAM Proxy Bind feature which
basically allows an ADAM user account to be authenticated against an
Active Directory password. I'd like to do exactly the reverse - I want
to authenticate Active Directory users against a password stored in our
ADAM directory.
Any idea how this might be accomplished?
George
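As an added example (not code from the thread, nor from Joe Kaplan or any product he mentions), here is the pattern from Joe's earlier reply in C# on .NET Framework: an LDAP simple bind against ADAM proves the user knows the ADAM password, and only then does the WindowsIdentity(UPN) constructor perform Kerberos S4U2Self protocol transition to obtain a Windows token without the AD password. The host adam.example.edu, the LDAPS port, the partition DN, the UPN suffix and the group name are hypothetical placeholders, and it assumes the ADAM account name and the AD UPN prefix match (as they would after MIIS provisioning).

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security;
using System.Security.Principal;
using System.Text.RegularExpressions;

// Added illustration of "LDAP bind against ADAM, then S4U protocol transition".
// Hypothetical values: host, port, container DN, UPN suffix and group name.
public static class AdamProtocolTransitionGateway
{
    const string AdamHost = "adam.example.edu";                             // hypothetical ADAM instance
    const int AdamLdapsPort = 636;                                          // LDAPS only: simple bind sends the password in the clear
    const string PeopleContainer = "OU=People,DC=idm,DC=example,DC=edu";    // hypothetical ADAM application partition
    const string AdUpnSuffix = "example.edu";                               // hypothetical AD UPN suffix

    // Step 1: LDAP simple bind as the user's own ADAM object. Success proves the user
    // presented the password stored in ADAM. LDAP result 49 (invalidCredentials) is
    // reported as false; any other LDAP error (server down, TLS failure) propagates.
    public static bool VerifyAdamPassword(string userId, string password)
    {
        // An empty password would be an anonymous bind, which LDAP reports as success.
        if (string.IsNullOrEmpty(password)) return false;

        // Restrict the identifier so user input cannot alter the DN we bind as.
        if (!Regex.IsMatch(userId, @"^[A-Za-z0-9._-]{1,64}$")) return false;

        string userDn = "CN=" + userId + "," + PeopleContainer;
        var server = new LdapDirectoryIdentifier(AdamHost, AdamLdapsPort);
        using (var ldap = new LdapConnection(server))
        {
            ldap.SessionOptions.SecureSocketLayer = true;
            ldap.SessionOptions.ProtocolVersion = 3;
            ldap.AuthType = AuthType.Basic;
            try
            {
                ldap.Bind(new NetworkCredential(userDn, password));
                return true;
            }
            catch (LdapException ex)
            {
                if (ex.ErrorCode == 49) return false;   // wrong password or no such ADAM object
                throw;
            }
        }
    }

    // Step 2: Kerberos S4U2Self protocol transition. WindowsIdentity(string) asks the
    // KDC for a ticket to this service on behalf of the named UPN, with no AD password.
    // Unless this host's account is configured for constrained delegation with protocol
    // transition, the token is identification-level: fine for group checks, not usable
    // to reach network resources as the user. This does not put the password into AD,
    // so it does not help the workstation Kerberos/NTLM logon case Joe describes.
    public static WindowsIdentity LogonAfterAdamBind(string userId, string password)
    {
        if (!VerifyAdamPassword(userId, password))
            throw new SecurityException("ADAM bind failed for " + userId);

        string upn = userId + "@" + AdUpnSuffix;    // assumption: ADAM id equals the AD UPN prefix
        return new WindowsIdentity(upn);            // throws SecurityException if AD has no such user
    }

    // Demo: authorize an application action by AD group membership after an ADAM logon.
    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: gateway <adam-user-id>");
            return 2;
        }
        Console.Write("ADAM password: ");
        string password = Console.ReadLine();
        try
        {
            using (WindowsIdentity id = LogonAfterAdamBind(args[0], password))
            {
                Console.WriteLine("Windows token for {0} (level: {1})", id.Name, id.ImpersonationLevel);
                var principal = new WindowsPrincipal(id);
                bool allowed = principal.IsInRole(@"EXAMPLE\Alumni-Portal-Users");   // hypothetical group
                Console.WriteLine("Member of portal group: {0}", allowed);
                return allowed ? 0 : 1;
            }
        }
        catch (SecurityException ex)
        {
            Console.Error.WriteLine("Logon denied: " + ex.Message);
            return 1;
        }
    }
}
```

The order matters: the S4U call is only reached after the ADAM bind succeeds, because WindowsIdentity(upn) itself proves nothing about the user and will mint a token for any UPN the KDC knows. Keep the gateway's service account out of unconstrained delegation and check its delegation settings before expecting the token to work for anything beyond local authorization.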