Re: ADAM Authentication
- From: Michael Ströder <michael@xxxxxxxxxxxx>
- Date: Fri, 06 Jun 2008 08:39:24 +0200
Joe Kaplan wrote:
> Your code will be different for authenticating users in ADAM vs. Active Directory
Yes, I'd also recommend not to test only with ADAM if your aim is to support LDAPv3 with AD.
> because with ADAM, you need to use simple bind while with AD you should use Secure (SASL) bind. AD supports using simple bind, but you should not build a product that uses that since it is insecure.
Yes, with simple bind the password is transmitted in clear. But you can make it secure by using an encrypted communication channel with SSL (LDAPS).
With some SASL mechanisms the password is not transmitted in clear. Let's look at the most usable mechanisms:
DIGEST-MD5: challenge-response protocol, client and server have the password in clear, only hashes are transmitted.
GSSAPI: The client authenticates with Kerberos V. This requires the client to already have obtained a Kerberos Ticket Granting Ticket.
NTLMv1: Not recommended anymore for security reasons.
If implementing a Win32-based LDAPv3 client running on a workstation within an AD domain I'd recommend to also support SASL/GSSAPI since you can use Kerberos as SSO mechanism.
Understanding all this is not easy though. But I always recommend to fully understand login mechs if implementing a client.
> If you just want to authenticate a user, you only need a bind operation. There is no need to do a search.
Well, not entirely true if developers want to be strictly LDAPv3 compliant. The LDAPv3 standard does not allow anything other than a bind-DN (in Distinguished Name syntax) to be transmitted in a simple bind request. AD also allows the userPrincipalName to be used. But that won't work with other LDAP servers.
Ciao, Michael.
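To make the DIGEST-MD5 point concrete (client and server both hold the clear password, only digests and nonces cross the wire), here is an added example that walks through the RFC 2831 challenge/response with both sides in one script. It is not code from this thread or from any LDAP product; the realm, user name, password and digest-uri are constructed values, and the server is a minimal stand-in rather than a real directory.

```python
"""DIGEST-MD5 (RFC 2831) challenge/response walked through end to end.

Constructed example, not code from the thread: both sides hold the clear
password (as the mail points out), but only MD5 digests and nonces cross
the wire. Realm, user name, password and digest-uri are made-up values.
"""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, nonce, cnonce, nc, qop,
                    digest_uri, *, for_server=False):
    """RFC 2831 response-value (qop=auth, algorithm=md5-sess).

    With for_server=True the A2 string omits the "AUTHENTICATE" token, which
    yields the rspauth value the server returns to prove it knows the password.
    """
    # A1 = H(username ":" realm ":" passwd) ":" nonce ":" cnonce   (raw digest bytes first)
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = (f":{digest_uri}" if for_server else f"AUTHENTICATE:{digest_uri}").encode()
    # response = HEX(KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}".encode())


class DigestMd5Server:
    """Minimal server side: issues one-time nonces and verifies responses."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = dict(credentials)   # username -> clear-text password
        self.outstanding = set()               # nonces issued but not yet used

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth",
                "algorithm": "md5-sess", "charset": "utf-8"}

    def verify(self, resp):
        """Return rspauth on success, None on failure (bad password, replayed nonce...)."""
        nonce = resp.get("nonce")
        if nonce not in self.outstanding:
            return None                        # unknown or already-used nonce
        self.outstanding.discard(nonce)        # each nonce is good for one attempt
        if resp.get("realm") != self.realm or resp.get("qop") != "auth":
            return None
        password = self.credentials.get(resp.get("username"))
        if password is None:
            return None
        args = (resp["username"], self.realm, password, nonce,
                resp["cnonce"], resp["nc"], "auth", resp["digest-uri"])
        if not secrets.compare_digest(digest_response(*args), resp.get("response", "")):
            return None
        return digest_response(*args, for_server=True)


def digest_md5_client(challenge, username, password, digest_uri):
    """Build the client's digest-response and the rspauth it expects back."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    args = (username, challenge["realm"], password, challenge["nonce"],
            cnonce, nc, "auth", digest_uri)
    fields = {"username": username, "realm": challenge["realm"],
              "nonce": challenge["nonce"], "cnonce": cnonce, "nc": nc,
              "qop": "auth", "digest-uri": digest_uri,
              "response": digest_response(*args)}
    return fields, digest_response(*args, for_server=True)


def run_exchange(client_password, server_password="correct horse"):
    """Run one bind; report what each side concluded and whether the password leaked."""
    server = DigestMd5Server("example.test", {"alice": server_password})
    chal = server.challenge()
    resp, expected_rspauth = digest_md5_client(chal, "alice", client_password,
                                               "ldap/ldap.example.test")
    rspauth = server.verify(resp)
    on_wire = repr(chal) + repr(resp) + repr(rspauth)   # everything that was transmitted
    return {
        "server_accepted": rspauth is not None,
        # mutual authentication: the client checks that the server knew the password too
        "client_accepted": rspauth is not None
                           and secrets.compare_digest(rspauth, expected_rspauth),
        "password_on_wire": client_password in on_wire,
    }


if __name__ == "__main__":
    print("correct password:", run_exchange("correct horse"))
    print("wrong password:  ", run_exchange("guess"))
```

The exchange shows the trade-off the mail hints at: the server must store the password in a form it can recover in clear (so a directory compromise exposes passwords), in return for never sending it across the wire and for one-time nonces that make a captured response useless for replay.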
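The portability point at the end of the mail (a simple bind name is a DN in LDAPv3, while AD additionally accepts userPrincipalName) can be checked in code. The following is an added example, not code from the thread: a small RFC 4514 DN parser plus a classifier that tells a proper DN apart from the AD-only user@realm and DOMAIN\user forms, so a client can refuse or flag names that only AD would accept. The regular expressions for the AD forms are the author's own approximation.

```python
"""Classify an LDAP simple-bind name: RFC 4514 DN, or an AD-only form.

Constructed example, not code from the thread. RFC 4511 defines the simple
bind name as a DN; userPrincipalName (user@realm) and DOMAIN\\user forms are
Active Directory conveniences that other servers will reject.
"""
import re

_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")   # descriptor or OID
_HEX = "0123456789abcdefABCDEF"
_UPN = re.compile(r"[^@\\=,\s]+@[A-Za-z0-9.-]+")                # assumed shape of a UPN
_NETBIOS = re.compile(r"[A-Za-z0-9_.-]+\\[^\\=,\s]+")           # assumed DOMAIN\user shape


def parse_dn(dn: str):
    """Split a string DN into RDNs, each a list of (type, value) pairs.

    Handles backslash escapes (\\, and \\2C style) and multi-valued RDNs
    joined with '+'. Raises ValueError on anything that is not DN syntax.
    Limitation: multi-byte UTF-8 hex escapes are not reassembled.
    """
    rdns, rdn, buf, attr_type = [], [], [], None

    def flush_value():
        nonlocal attr_type, buf
        if attr_type is None:
            raise ValueError("RDN without '='")
        rdn.append((attr_type, "".join(buf)))
        attr_type, buf = None, []

    if dn == "":
        return []                                  # empty DN
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":                              # escaped character
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == "=" and attr_type is None:         # end of the attribute type
            attr_type = "".join(buf).strip()
            if not _ATTR_TYPE.fullmatch(attr_type):
                raise ValueError(f"bad attribute type {attr_type!r}")
            buf = []
        elif c == "+":                             # next value of a multi-valued RDN
            flush_value()
        elif c == ",":                             # next RDN
            flush_value()
            rdns.append(rdn)
            rdn = []
        else:
            buf.append(c)
        i += 1
    flush_value()
    rdns.append(rdn)
    return rdns


def classify_bind_name(name: str) -> str:
    """'dn', 'upn', 'netbios', 'anonymous' (empty name, RFC 4513) or 'unknown'."""
    if name == "":
        return "anonymous"
    try:
        parse_dn(name)
        return "dn"
    except ValueError:
        pass
    if _UPN.fullmatch(name):
        return "upn"
    if _NETBIOS.fullmatch(name):
        return "netbios"
    return "unknown"


def is_portable_simple_bind_name(name: str) -> bool:
    """True only for names any RFC 4511 server accepts in a simple bind request."""
    return classify_bind_name(name) == "dn"


if __name__ == "__main__":
    for candidate in ("cn=Joe Kaplan,dc=example,dc=com", "jdoe@example.com",
                      "EXAMPLE\\jdoe", ""):
        print(f"{candidate!r:40} -> {classify_bind_name(candidate)}")
```

A client that wants to work against both AD and other LDAPv3 servers can resolve a UPN to a DN with a search first (as the thread discusses) and then bind with the DN, rather than handing the UPN straight to the bind operation.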