Re: ADAM Authentication



Joe -
1) I have no idea what all the alphabet soup means.
2) Only using ADAM for testing a proof-of-concept; customer will have Active
Directory (we do not)
3) I have tried every authentication type and left off this parameter
entirely - no luck
4) per your suggestions: we want to stick with .net 2.0 as other code is
using this
5) this is not a web app
6) why was this complex scheme developed with no easy (clear-cut) way to
authenticate users?
7) everything we try returns either "no such object on server" or "unknown
user or password"

thanks,
Louis


"Joe Kaplan" wrote:

In S.DS, AuthenticationTypes.Secure is equivalent to GSS-SPNEGO, so you
can't use that for ADAM users. There is no explicit setting for simple
bind, but if you set one of the other flags and don't add the Secure flag,
that will change to simple bind.

Note that using S.DS for authentication may cause you scalability problems
in a high volume application as ADSI itself is not designed to work well in
this scenario and S.DS uses ADSI under the hood. If you need a scalable
solution, you should look at either the ValidateCredentials method on
PrincipalContext in .NET 3.5 or use the ActiveDirectoryMembershipProvider if
you are building a web app.

You can also write code in S.DS.P to handle this, although creating a
scalable solution with it is not trivial at all.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82996EA5-1D9F-4BA2-B3D7-D0528C0943C0@xxxxxxxxxxxxxxxx
Changing to simple bind seems to work (please see below).
Now, can you please help me translate that to the VB 2005 code below.
Thanks for taking the time to help everyone.
========= result ==================
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld, 'CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us', <unavailable>); // v.3
Authenticated as: 'CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US'.
---
========= code snippet ================================
Imports System.DirectoryServices
Imports System.Windows.Forms

' Sub header added so the snippet compiles stand-alone (the original only showed End Sub);
' the name CheckAdamLogin is a placeholder.
Private Sub CheckAdamLogin()
    ' A simple bind needs the user's full DN, as in the LDP result above, not just the CN.
    Dim sUserName As String = "CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us"
    Dim sPassWrd As String = "ABC123"
    Dim strbasedn As String = "ou=ADAM users,o=Microsoft,c=us"
    Dim strgroupname As String = "ADAM users"
    ' No space after "cn=": a leading space would become part of the value being matched.
    Dim strFilter As String = "(&(objectClass=user)(cn=Mary Baker))"
    Dim blngroupuser As Boolean = False
    Dim domainEntry As DirectoryEntry

    Try
        domainEntry = New DirectoryEntry("LDAP://localhost:389/" & strbasedn)
        ' Any flag set without AuthenticationTypes.Secure gives a simple bind;
        ' Secure means GSS-SPNEGO, which ADAM users cannot use.
        domainEntry.AuthenticationType = AuthenticationTypes.FastBind
        domainEntry.Username = sUserName
        domainEntry.Password = sPassWrd
        ' An example filter is "(&(objectClass=user)(lastName=Davis))".

        Dim dsSystem As New DirectorySearcher(domainEntry, strFilter)
        ' search subtree
        dsSystem.SearchScope = SearchScope.Subtree
        ' find user data
        Dim srSystem As SearchResult = dsSystem.FindOne()
        If srSystem Is Nothing Then
            MessageBox.Show("user not found")
            Return
        End If

        ' group: memberOf holds full group DNs, so build the expected DN
        ' (assumes the group object is CN=<group> directly under the base DN)
        Dim groupDn As String = "CN=" & strgroupname & "," & strbasedn
        Dim valcol As ResultPropertyValueCollection = srSystem.Properties("memberof")
        For Each o As Object In valcol
            ' check if user is in the group (DN comparison is case-insensitive)
            If String.Equals(o.ToString(), groupDn, StringComparison.OrdinalIgnoreCase) Then
                blngroupuser = True
                Exit For
            End If
        Next ' o

        If blngroupuser Then
            MessageBox.Show("login successful")
        Else
            MessageBox.Show("user not in this group")
        End If
    Catch ex As Exception
        MessageBox.Show(ex.Message)
    End Try
End Sub
=============================================
"Joe Kaplan" wrote:

ADAM users must be authenticated with either Simple bind or Digest auth.
You are using SASL bind with SPNEGO, which only authenticates Windows users
via pass-through authentication.

In LDP, change to simple bind and try again. Also, make sure the ADAM user
is enabled as well as having a password set.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:810A83BC-B59F-4F42-AF00-A971175052BC@xxxxxxxxxxxxxxxx
I have set up ADAM using the "Mary Baker" examples in the guide, used
dsmgt to change the security, set a password of "ABC123", and turned the
security back on using dsmgt. I cannot get any of several test routines to
authenticate, and it also will not authenticate using the "LDP" utility.
Output here:
=================================
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us'; Pwd= <unavailable>; domain = 'LouisXP'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 52e, va28
Error 0x8009030C The logon attempt failed
-----------
I have changed the user to enabled (as documented in several posts). This
is all running on the same XP PRO sp2 machine.
Any help appreciated. Thanks.
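To tie together Joe's two points (ADAM users need a simple or digest bind, and in S.DS you get a simple bind by leaving AuthenticationTypes.Secure out) with the LDP trace and the VB snippet quoted above, here is an added VB.NET example; it is not code from either poster. The server address, base DN, user DN and password are the values from the LDP output in the thread; the function names, the use of RefreshCache() to force the bind, and the SecureSocketsLayer option are my own additions. The second function shows the .NET 3.5 PrincipalContext.ValidateCredentials route Joe mentions and can be dropped on .NET 2.0.

```vb
Imports System
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement ' .NET 3.5 only; needed for ValidateWithPrincipalContext
Imports System.Runtime.InteropServices

Module AdamSimpleBind

    ' Validates an ADAM user by doing a simple bind with the user's own DN.
    ' Returns True only if the bind succeeds; a COMException (for example LDAP
    ' error 49, "Invalid Credentials", as seen in the LDP trace) yields False.
    ' serverAndPort and userDn are hypothetical parameters, e.g. "localhost:389"
    ' and "CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us".
    Public Function ValidateWithSimpleBind(ByVal serverAndPort As String, _
                                           ByVal userDn As String, _
                                           ByVal password As String, _
                                           ByVal useLdaps As Boolean) As Boolean
        ' AuthenticationTypes.None is a plain simple bind: the password crosses the
        ' wire in clear text. Adding SecureSocketsLayer keeps it a simple bind but
        ' wraps the connection in TLS (use the LDAPS port for this). Adding Secure
        ' would switch to GSS-SPNEGO, which ADAM users cannot use.
        Dim authType As AuthenticationTypes = AuthenticationTypes.None
        If useLdaps Then
            authType = authType Or AuthenticationTypes.SecureSocketsLayer
        End If

        Using entry As New DirectoryEntry("LDAP://" & serverAndPort & "/" & userDn, _
                                          userDn, password, authType)
            Try
                ' S.DS binds lazily; RefreshCache forces the bind now so a wrong
                ' password shows up here instead of on the first property access.
                entry.RefreshCache()
                Return True
            Catch ex As COMException
                ' Wrong password, disabled account, unknown DN or unreachable server
                ' all land here; none of them counts as authenticated.
                Console.WriteLine("bind failed: 0x{0:X8} {1}", ex.ErrorCode, ex.Message)
                Return False
            End Try
        End Using
    End Function

    ' The .NET 3.5 route Joe points to: PrincipalContext.ValidateCredentials against
    ' an ADAM (ApplicationDirectory) partition, forcing a simple bind.
    ' container is the partition or OU DN the users live under.
    Public Function ValidateWithPrincipalContext(ByVal serverAndPort As String, _
                                                 ByVal container As String, _
                                                 ByVal userDn As String, _
                                                 ByVal password As String) As Boolean
        Using ctx As New PrincipalContext(ContextType.ApplicationDirectory, serverAndPort, container)
            Return ctx.ValidateCredentials(userDn, password, ContextOptions.SimpleBind)
        End Using
    End Function

    Sub Main()
        ' Values taken from the LDP trace in the thread: ADAM on the local machine, port 389.
        Dim userDn As String = "CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us"
        Dim ok As Boolean = ValidateWithSimpleBind("localhost:389", userDn, "ABC123", False)
        Console.WriteLine("simple bind as Mary Baker: " & ok)

        ' Same check through the .NET 3.5 API (remove this call on .NET 2.0).
        Dim ok35 As Boolean = ValidateWithPrincipalContext("localhost:389", _
                                                           "ou=ADAM users,o=Microsoft,c=us", _
                                                           userDn, "ABC123")
        Console.WriteLine("ValidateCredentials as Mary Baker: " & ok35)
    End Sub

End Module
```

The DirectoryEntry constructor that takes the path, username, password and AuthenticationTypes is the same S.DS API the snippet above uses; the only difference from the quoted code is that the bind is forced with RefreshCache() and that the flag set never includes Secure. Because a simple bind hands the server the password itself, pass True for useLdaps (and point serverAndPort at the LDAPS port) anywhere the connection is not confined to the local machine as in Louis's test setup.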








