Re: General questions about LDAP, GC and access permissions
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 10 Jul 2007 12:09:00 -0500
I was wrong about the LOCAL SYSTEM account. As Joe pointed out, it uses the
credentials of the local computer object, which has permissions to read
attributes in AD. See this link:
http://msdn2.microsoft.com/en-us/library/ms684190.aspx
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:OMCGLywwHHA.1164@xxxxxxxxxxxxxxxxxxxxxxx
Some comments inline below:
"UncleRedz" <UncleRedz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6E64CAD5-4C7E-4412-BF5A-77798E1BCD4D@xxxxxxxxxxxxxxxx
Hi,
I'm a .NET C# developer so I haven't had the opportunity to get my hands
dirty in the details of how AD actually works, but now that I have to make
a service communicate with AD, I need to figure some things out...
resulting in a number of newbie questions.
The scenario is this: our service will likely be running as "LOCAL
SYSTEM", on a machine that is part of a domain. When a user accesses the
service (using Windows Communication Foundation) they are authenticated
with the regular Windows authentication. The service then needs to look up
what permissions this user has; this is done by examining what groups the
user is a member of.
Since the regular Windows authentication is used, I know that the user
accessing the service is a valid user, either a local machine user, a
domain user or a user from a trusted domain. If an invalid username,
password or domain were used, the Windows authentication would prevent the
user from accessing the service.
This results in a number of questions,
1. Can anyone access the Active Directory? Or must the accessing user be
a member of the domain?
You must query AD with valid domain credentials.
2. Is the "LOCAL SYSTEM" user a part of the domain or only a local user?
(Related to question 1.)
LOCAL SYSTEM is authenticated to the local computer, but not to the
domain.
3. Should I use LDAP or GC (Global Catalog)? (Provided that the GC
entries contain the required information.)
GC would be best if there could be more than one domain.
4. Is LDAP and/or GC something that may or may not be enabled in Active
Directory?
If there is Active Directory, there must be at least one GC. You could use
either the LDAP or GC providers (monikers).
5. How do I deal with trusted domains? Will using GC instead of LDAP
solve this?
Using the GC would make it much simpler if there is more than one domain.
6. If the local machine is running in domain X and the user is from the
trusted domain Y, should I still use the X domain when constructing the
LDAP/GC query? Or should I use the Y domain instead?
I assume you will get credentials from the user. If so, they will be for
the user's domain. I assume your application will by default use the
credentials the user used to authenticate. Or, you could prompt for
credentials.
7. How do I determine what domains exist? Do I even need to know this?
Or is it enough to know the domain the machine is a part of? (And then
use GC?)
The RootDSE object can be used to retrieve the default naming context,
which is the DNS name of the domain you are authenticated to. It can also
be used to enumerate all naming contexts, which would include trusted
domains. In VBScript:
=========
' Bind to RootDSE on a DC of the domain the caller is authenticated to
Set objRootDSE = GetObject("LDAP://RootDSE")

' The domain partition this DC is authoritative for (DN form, e.g. DC=corp,DC=example,DC=com)
Wscript.Echo "Default Naming Context: " & objRootDSE.Get("defaultNamingContext")

' The forest root domain partition
Wscript.Echo "Root Domain Naming Context: " & objRootDSE.Get("rootDomainNamingContext")

' namingContexts is multi-valued: domain, configuration, schema and application partitions
For Each strContext In objRootDSE.Get("namingContexts")
    Wscript.Echo "Naming Context: " & strContext
Next
==========
8. Do any of these questions make any sense in this scenario? Am I
missing something?
I would be thankful for any information that can answer these questions.
Cheers,
UncleRedz
Others may have more information and comments.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
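The group-membership check the original poster describes, as an added example that is not code from this thread. It assumes a WCF service hosted under LOCAL SYSTEM with Windows authentication negotiated (Kerberos or NTLM); the group name "CORP\ServiceUsers" is a placeholder. The point it makes is that the caller's access token already carries the expanded group SIDs (nested groups and groups from trusted domains included), so the service does not need to run its own LDAP or GC query per request; the only directory round trip is the one-time name-to-SID translation, which runs under the service's own identity, i.e. the computer account mentioned in the reply above. The RootDSE read at the end mirrors the VBScript in the thread.

```csharp
// Added example, not from the thread. Requires references to
// System.DirectoryServices.dll and System.ServiceModel.dll.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.ServiceModel;

public static class CallerAuthorization
{
    // Group membership is already in the caller's token: the DC that issued
    // the ticket expanded domain-local, global, universal and nested groups,
    // including groups from trusted domains. Compare SIDs, not names; names
    // are not unique across domains and can be renamed.
    public static bool CallerIsMemberOf(SecurityIdentifier requiredGroupSid)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = (ctx == null) ? null : ctx.WindowsIdentity;

        // Fail closed: no negotiated Windows identity means no access.
        if (caller == null || caller.IsAnonymous)
            return false;

        // IsInRole(SecurityIdentifier) checks the token's group list,
        // including well-known groups such as Authenticated Users.
        return new WindowsPrincipal(caller).IsInRole(requiredGroupSid);
    }

    // Resolve the configured group name to a SID once at startup. This is the
    // only directory lookup, and it runs under the service identity (the
    // computer account when hosted as LOCAL SYSTEM), not the caller's.
    public static SecurityIdentifier ResolveGroupSid(string domainQualifiedGroup)
    {
        // e.g. "CORP\\ServiceUsers" (placeholder name, not from the thread)
        NTAccount account = new NTAccount(domainQualifiedGroup);
        return (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
    }

    // Equivalent of the VBScript RootDSE read: list the naming contexts the
    // DC the service is authenticated to knows about.
    public static string[] ListNamingContexts()
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            PropertyValueCollection contexts = rootDse.Properties["namingContexts"];
            string[] result = new string[contexts.Count];
            for (int i = 0; i < contexts.Count; i++)
                result[i] = (string)contexts[i];
            return result;
        }
    }
}

// Typical use inside a service operation:
//   static readonly SecurityIdentifier AllowedGroup =
//       CallerAuthorization.ResolveGroupSid(@"CORP\ServiceUsers");
//   if (!CallerAuthorization.CallerIsMemberOf(AllowedGroup))
//       throw new FaultException("Access denied.");
```

Two caveats a practitioner would want. First, a token reflects group membership as of logon (or ticket issuance), so a user removed from a group keeps access until they re-authenticate; that is the usual trade-off and it is the same behaviour Windows itself has for file shares. Second, if you do need a live directory query for some reason, do it under the service identity against a DC or GC you chose, and never build an LDAP filter by concatenating the caller-supplied user name without escaping it.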