Re: ADAM Authentication
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Jun 2008 16:48:34 -0500
Your code will be different for authenticating users in ADAM vs. Active
Directory because with ADAM, you need to use simple bind while with AD you
should use Secure (SASL) bind. AD supports using simple bind, but you
should not build a product that uses that since it is insecure.
If you just want to authenticate a user, you only need a bind operation.
There is no need to do a search. If scalability is not an issue, then you
can safely use S.DS for this although S.DS.Protocols is still a good option
(given that you can use .NET 2.0). S.DS.P has an explicit Bind method which
makes it more clear what you are doing.
Something like this might be a blueprint for you to start with:
    Dim con As New LdapConnection("localhost")
    con.Credential = New NetworkCredential("user", "password")
    con.AuthType = AuthType.Basic
    Try
        con.Bind()
        ' worked
    Catch ex As Exception
        ' Failed; check to make sure you got the correct error code and not a
        ' different problem...
    End Try
The keys to this are supplying the identifier to use for the directory to
connect to, supplying the right auth type for the directory and supplying
the right username format for the directory and authtype being used.
Another option that might be easier would be to P/Invoke the LogonUser API.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
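The bind-only approach described in the reply above, worked out as an added example in VB.NET against System.DirectoryServices.Protocols (this is not code from the thread or from the book it cites). It assumes a hypothetical module name `LdapAuth`, an ADAM instance listening for SSL on port 636 and an AD domain controller on port 389; the function and enum names are my own. It covers the three keys the reply lists: the directory identifier, the auth type for each directory (simple bind for ADAM, SASL/Negotiate for AD) and the user name format each one expects, and it separates the "invalid credentials" result from other failures so a connectivity problem is not reported as a bad password.

```vb
Imports System
Imports System.DirectoryServices.Protocols
Imports System.Net

' Outcome of a bind attempt. The caller should only treat InvalidCredentials as a
' failed login; the other two mean the check itself could not be completed.
Public Enum BindOutcome
    Success
    InvalidCredentials
    ServerUnavailable
    OtherError
End Enum

Public Module LdapAuth   ' hypothetical module name

    ' ADAM: simple bind with the user's distinguished name, e.g.
    ' "CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US". Simple bind sends the
    ' password in clear text, so the session is wrapped in SSL (port 636 assumed).
    Public Function AuthenticateAdamUser(ByVal server As String, ByVal port As Integer, _
                                         ByVal userDn As String, ByVal password As String) As BindOutcome
        Dim id As New LdapDirectoryIdentifier(server, port)
        Using con As New LdapConnection(id)
            con.SessionOptions.ProtocolVersion = 3
            con.SessionOptions.SecureSocketLayer = True
            con.AuthType = AuthType.Basic
            con.Credential = New NetworkCredential(userDn, password)
            Return TryBind(con)
        End Using
    End Function

    ' Active Directory: SASL (Negotiate) bind, so the password never crosses the
    ' wire in clear text. The user name is the account name with the domain
    ' supplied separately; signing and sealing protect the traffic after the bind.
    Public Function AuthenticateAdUser(ByVal server As String, ByVal domain As String, _
                                       ByVal userName As String, ByVal password As String) As BindOutcome
        Dim id As New LdapDirectoryIdentifier(server, 389)
        Using con As New LdapConnection(id)
            con.SessionOptions.ProtocolVersion = 3
            con.SessionOptions.Signing = True
            con.SessionOptions.Sealing = True
            con.AuthType = AuthType.Negotiate
            con.Credential = New NetworkCredential(userName, password, domain)
            Return TryBind(con)
        End Using
    End Function

    ' Shared bind logic. LdapException.ErrorCode 49 is LDAP invalidCredentials, the
    ' same "Error <49>" that LDP prints; 81 is LDAP_SERVER_DOWN. Anything else is
    ' surfaced as OtherError rather than being mistaken for a wrong password.
    Private Function TryBind(ByVal con As LdapConnection) As BindOutcome
        Try
            con.Bind()
            Return BindOutcome.Success
        Catch ex As LdapException
            If ex.ErrorCode = 49 Then
                Return BindOutcome.InvalidCredentials
            ElseIf ex.ErrorCode = 81 Then
                Return BindOutcome.ServerUnavailable
            End If
            Return BindOutcome.OtherError
        End Try
    End Function

    ' Sample usage with constructed values (no real host or account):
    '   Dim r As BindOutcome = AuthenticateAdamUser("localhost", 636, _
    '       "CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US", "ABC123")
    '   Dim r2 As BindOutcome = AuthenticateAdUser("dc1.example.local", "EXAMPLE", "mbaker", "ABC123")
End Module
```

The `LdapException.ServerErrorMessage` property carries the server's diagnostic string (the "AcceptSecurityContext error, data 52e" text seen in the LDP output below) and is useful to log on the server side, but it should not be shown to the end user, since the sub-codes reveal why an account was refused.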
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D13EA3EB-E2CD-4BEB-89F1-22CE4256588A@xxxxxxxxxxxxxxxx
Joe -
1) I have no idea what all the alphabet soup means.
2) Only using ADAM for testing a proof-of-concept; customer will have Active Directory (we do not)
3) I have tried every authentication type and left off this parameter entirely - no luck
4) per your suggestions: we want to stick with .net 2.0 as other code is using this
5) this is not a web app
6) why was this complex scheme developed with no easy (clear-cut) way to authenticate users?
7) everything we try returns either "no such object on server" or "unknown user or password"
thanks,
Louis
"Joe Kaplan" wrote:
In S.DS, AuthenticationTypes.Secure is equivalent to GSS-SPNEGO, so you can't use that for ADAM users. There is no explicit setting for simple bind, but if you set one of the other flags and don't add the Secure flag, that will change to simple bind.
Note that using S.DS for authentication may cause you scalability problems in a high volume application as ADSI itself is not designed to work well in this scenario and S.DS uses ADSI under the hood. If you need a scalable solution, you should look at either the ValidateCredentials method on PrincipalContext in .NET 3.5 or use the ActiveDirectoryMembershipProvider if you are building a web app.
You can also write code in S.DS.P to handle this, although creating a
scalable solution with it is not trivial at all.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82996EA5-1D9F-4BA2-B3D7-D0528C0943C0@xxxxxxxxxxxxxxxx
Changing to simple bind seems to work (please see below).
Now, can you please help me translate that to the VB 2005 code below.
Thanks for taking your time helping everyone.
========= result ==================
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld, 'CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us', <unavailable>); // v.3
Authenticated as: 'CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US'.
---
========= code snippet ================================
Private Sub AuthenticateUser()   ' enclosing Sub added so the snippet compiles on its own
    Dim strbasedn As String = "ou=ADAM users,o=Microsoft,c=us"
    Dim strFilter As String = "(&(objectClass=user)(cn=Mary Baker))"
    ' A simple bind against ADAM takes the user's distinguished name, not the bare CN.
    Dim sUserName As String = "CN=Mary Baker," & strbasedn
    Dim sPassWrd As String = "ABC123"
    Dim strgroupname As String = "ADAM users"
    Dim blngroupuser As Boolean = False
    Dim domainEntry As DirectoryEntry
    Try
        domainEntry = New DirectoryEntry("LDAP://localhost:389/" & strbasedn)
        ' FastBind without the Secure flag results in a simple bind.
        domainEntry.AuthenticationType = AuthenticationTypes.FastBind ' AuthenticationTypes.Secure
        domainEntry.Password = sPassWrd
        domainEntry.Username = sUserName
        ' An example is "(&(objectClass=user)(lastName=Davis))".
        Dim strSearch As String = strFilter
        Dim dsSystem As New DirectorySearcher(domainEntry, strSearch)
        ' search subtree
        dsSystem.SearchScope = SearchScope.Subtree
        ' find user data
        Dim srSystem As SearchResult = dsSystem.FindOne()
        If srSystem Is Nothing Then
            MessageBox.Show("user not found")
            Return
        End If
        ' group: memberOf holds the full DN of each group the user belongs to
        Dim valcol As ResultPropertyValueCollection = srSystem.Properties("memberof")
        If valcol.Count > 0 Then
            Dim o As Object
            For Each o In valcol
                ' check if user in group (DN comparison is case-insensitive)
                If String.Equals(o.ToString(), "CN=" & strgroupname & "," & strbasedn, _
                                 StringComparison.OrdinalIgnoreCase) Then
                    blngroupuser = True
                    Exit For
                End If
            Next ' o
        End If
        If blngroupuser = True Then
            MessageBox.Show("login successful")
        Else
            MessageBox.Show("user not in this group")
        End If
    Catch ex As Exception
        MessageBox.Show(ex.Message)
    End Try
End Sub
=============================================
"Joe Kaplan" wrote:
ADAM users must be authenticated with either Simple bind or Digest auth. You are using SASL bind with SPNEGO which only authenticates Windows users via pass through authentication.
In LDP, change to simple bind and try again. Also, make sure the ADAM user is enabled as well as having a password set.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:810A83BC-B59F-4F42-AF00-A971175052BC@xxxxxxxxxxxxxxxx
I have set up ADAM using the "Mary Baker" examples in the guide, used the dsmgt to change the security, set a password of "ABC123", turned the security back on using dsmgt. I cannot get any of several test routines to authenticate, also will not authenticate using the "LDP" utility. Output here:
=================================
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us'; Pwd=<unavailable>; domain = 'LouisXP'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 52e, va28
Error 0x8009030C The logon attempt failed
-----------
I have changed the user to enabled (as documented in several posts). This is all running on the same XP PRO sp2 machine.
Any help appreciated. Thanks.