Re: Default Security for LDAP

Charles,
Yes, the LDAP request containing the credentials is not encrypted. You
should use LDAPS if you want to encrypt it. You need a certificate on the DC
to do that.
The username and password will also be passed from the browser to the web
server in clear text unless you use SSL. For that, you need a certificate on
the web server. If you use Basic authentication, every request contains the
credentials so you need to SSL everything that requires authentication. If
you use a custom authentication you may be able to SSL just the
authentication exchange, which will reduce your overheads.
Hope that helps,
Anthony,
http://www.airdesk.co.uk
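To make the "not encrypted" point concrete, here is a small added example (not code from this thread) that encodes and decodes an LDAPv3 simple BindRequest exactly as it travels on TCP 389 (RFC 4511 BER encoding). The DN, password and message ID are constructed sample values; the same parser can be pointed at bytes captured from a plain-LDAP session to confirm whether a web server is sending simple binds, which is the case LDAPS fixes.

```python
"""Minimal BER encoder/decoder for an LDAPv3 simple BindRequest (RFC 4511)."""

def _len(n: int) -> bytes:
    # BER length: short form below 128, long form (0x8N + N octets) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _len(len(value)) + value

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name, simple password}}.
    msg_id is assumed to be below 128 so it fits one INTEGER octet."""
    bind = (_tlv(0x02, bytes([3]))          # version INTEGER 3
            + _tlv(0x04, dn.encode())       # name OCTET STRING (the DN)
            + _tlv(0x80, password.encode()))  # [0] simple: password, in the clear
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pkt: bytes) -> dict:
    """Decode one LDAPMessage; for a BindRequest report the auth choice and,
    for a simple bind, the password that any on-path observer can read."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:                       # [APPLICATION 0] is BindRequest
        return {"op": tag}
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    atag, auth, _ = _read_tlv(bind, pos)
    info = {"msg_id": int.from_bytes(mid, "big"), "version": ver[0], "name": name.decode()}
    if atag == 0x80:                      # [0] simple: plaintext OCTET STRING
        info.update(auth="simple", password=auth.decode())
    elif atag == 0xA3:                    # [3] SASL (e.g. GSSAPI): no password field
        info.update(auth="sasl")
    return info

# Constructed sample of what the web server would send to the DC over plain LDAP
SAMPLE = build_simple_bind(1, "cn=charles,dc=example,dc=com", "Secret123")
```

Running `parse_bind_request(SAMPLE)` shows the password recovered straight from the bytes, which is why either LDAPS or a SASL/Negotiate bind is needed between the web server and the DC.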




"Charles" <Charles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:89AE8EA8-F73E-4EDE-AC2C-2A549DBFCAEE@xxxxxxxxxxxxxxxx
Hi:

I have a group in my org that is using a web application that uses IIS.
Users in the domain will be accessing this site and access will be granted
depending on if they are able to enter credentials successfully (AD
credentials). Under the covers ldap will be used to contact AD to validate
the credentials of the users.

My question is: by default, are the credentials passed as clear text?
I am interested in protecting the user's password when it gets entered by the
user and it gets transmitted to the Web site. And I am interested in this user's
password when it gets sent from the website to AD via ldap to verify the
credentials.

Will ldap pass the password as clear text? And will the interactions
between the user and the website, as far as the password goes, be protected as
well?
When enabling SSL, does this just encrypt the password traveling between the
user's workstation and the website, or also as it travels between the website and AD?

Thanks,
Charles
