Re: ADAM Authentication

In S.DS, AuthenticationTypes.Secure is equivalent to GSS-SPNEGO, so you
can't use that for ADAM users. There is no explicit setting for simple
bind, but if you set one of the other flags and don't add the Secure flag,
that will change to simple bind.

Note that using S.DS for authentication may cause you scalability problems
in a high volume application as ADSI itself is not designed to work well in
this scenario and S.DS uses ADSI under the hood. If you need a scalable
solution, you should look at either the ValidateCredentials method on
PrincipalContext in .NET 3.5 or use the ActiveDirectoryMembershipProvider if
you are building a web app.

You can also write code in S.DS.P to handle this, although creating a
scalable solution with it is not trivial at all.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82996EA5-1D9F-4BA2-B3D7-D0528C0943C0@xxxxxxxxxxxxxxxx
Changing to simple bind seem to work (please see below).
Now, can you please help me translate that to the VB 2005 code below.
Thanks for taking your time helping everyone.
========= result ==================
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld, 'CN=Mary Baker,ou=ADAM
users,o=Microsoft,c=us',
<unavailable>); // v.3
Authenticated as: 'CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US'.
---
========= code snippet ================================
Dim strFilter As String = "(&(objectClass=user)(cn= Mary Baker))"
sUserName = "Mary Baker"
sPassWrd = "ABC123"
strgroupname = "ADAM users"

Try
domainEntry = New DirectoryEntry("LDAP://localhost:389/ou=ADAM
users,o=Microsoft,c=us")
domainEntry.AuthenticationType = AuthenticationTypes.FastBind '
AuthenticationTypes.Secure
domainEntry.Password = sPassWrd
domainEntry.Username = sUserName
' An example is "(&(objectClass=user)(lastName= Davis))".

Dim strSearch As String = strFilter
Dim dsSystem As New DirectorySearcher(domainEntry, strSearch)
' search subtree
dsSystem.SearchScope = SearchScope.Subtree
' find user data
Dim srSystem As SearchResult = dsSystem.FindOne()
' group
Dim valcol As ResultPropertyValueCollection =
srSystem.Properties("memberof")
If valcol.Count > 0 Then
Dim o As Object
For Each o In valcol
' check if user in group
If o.ToString().Equals((strgroupname + "," +
strbasedn))
Then
blngroupuser = True
Exit For

End If
Next ' o
End If
If blngroupuser = True Then
MessageBox.Show("login sucessfull")
Else
MessageBox.Show("user not in this group")
End If
Catch ex As Exception
MessageBox.Show(ex.Message)
End Try
End Sub
=============================================
"Joe Kaplan" wrote:

ADAM users must be authenticated with either Simple bind or Digest auth.
You are using SASL bind with SPNEGO which only authenticates Windows
users
via pass through authentication.

In LDP, change to simple bind and try again. Also, make sure the ADAM
user
is enabled as well as having a password set.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:810A83BC-B59F-4F42-AF00-A971175052BC@xxxxxxxxxxxxxxxx
I have setup ADAM using the "Mary Baker" examples in the guide, used the
dsmgt to change the security, set a password of "ABC123", turned the
security
back on using dsmgt. I cannot get any of several test routines to
authenticate, also will not authenticate using the "LDP" utility.
Output
here:
=================================
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us';
Pwd=
<unavailable>; domain = 'LouisXP'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, va28
Error 0x8009030C The logon attempt failed
-----------
I have changed the user to enabled (as documented in several posts).
This
is all running on the same XP PRO sp2 machine.
Any help appreciated. Thanks.





.

Relevant Pages

  • Re: LDAP Authentication for Single Sign On
    ... So no authentication is required when performing bind operations only ... If I do find that I have to create a service account can you steer me ... If the client doesn't support anything other than a simple ... That isn't really necessarily part of the authentication though. ...
    (microsoft.public.windows.server.active_directory)
  • Re: LDIFDE Error when trying to change passwords.
    ... The SASL bind (with -b and specific credentials) is only needed if you don't ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ...
    (microsoft.public.windows.server.active_directory)
  • Re: Query AD from DMZ via LDAP?
    ... You could use ADAM with passthrough authentication or bind proxy objects, ... Determining group memberships would be a bonus. ...
    (microsoft.public.windows.server.active_directory)
  • Re: adam bind-redirect
    ... a third party doing authentication) then the proxy-redirect isnt an option. ... could benefit from bind redirect/User Proxy Object ... >> Our Adam will have a user store where we put custom user attributes. ... > Integrated authentication gives you a Windows security context ...
    (microsoft.public.windows.server.active_directory)
  • Re: Random logon failure with ADAM Bind Proxy
    ... to the Readers role for an ADAM NC and it worked fine for binding ADAM ... In this thread the original poster is using bind proxies so it might be ... Readers role, he could add the Users role to the Readers role which would ... > Could he also just bind to RootDSE in order to force an authentication? ...
    (microsoft.public.windows.server.active_directory)