Re: ADAM Authentication
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 6 Jun 2008 14:14:41 -0500
For AD, authtype should be Negotiate and the username should either be the login
name with the domain parameter specified, or a UPN (user@xxxxxxxxxx) with the
domain parameter blank. This may depend on what you query for in the UI you are
providing.
You cannot use the distinguishedName (DN) username format when using the
Negotiate authtype. DN is only supported with simple bind, which you should
avoid if using AD. When working with ADAM and ADAM users, you do need to
use the DN as the username unless you have set either the UPN or displayName
on the ADAM user in which case you can use either of those instead as all
three are "bindable" username formats supported by ADAM for simple bind.
Port number is not needed with AD since AD only uses default port numbers,
but if you need to supply a port just add it to the host name like host:port
(as you might do with an HTTP URL on a non-default port).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
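The rules above (Negotiate with login name plus domain, or UPN, for AD; simple bind with a DN, UPN or displayName for ADAM; host:port for a non-default port) and the LdapConnection blueprint further down the thread fit into one S.DS.P routine. The following is an added example, not code from the thread or from the book: the host names, the port, the ADAM user DN and the SSL port are placeholders, and the SSL requirement for the simple bind is this example's own choice, since simple bind otherwise sends the password in clear text. LDAP error 49 is the "Invalid Credentials" result the ldp output lower in the thread shows.

```vbnet
' Added example (not from the thread). Requires a reference to System.DirectoryServices.Protocols.
Imports System
Imports System.Net
Imports System.DirectoryServices.Protocols

Public Module LdapAuth

    ' Which directory we are talking to decides the bind type and the username format.
    Public Enum DirectoryKind
        ActiveDirectory
        Adam
    End Enum

    ' Returns True when the bind succeeds and False on LDAP error 49 (invalid credentials).
    ' Any other failure (host unreachable, wrong port, service stopped) is rethrown so it is
    ' never mistaken for a bad password.
    Public Function Authenticate(ByVal kind As DirectoryKind, ByVal host As String, ByVal port As Integer, _
                                 ByVal userName As String, ByVal password As String, ByVal domain As String) As Boolean
        ' Host and port are placeholders; for AD the port can stay at the default 389.
        Dim id As New LdapDirectoryIdentifier(host, port)
        Using con As New LdapConnection(id)
            con.SessionOptions.ProtocolVersion = 3
            Select Case kind
                Case DirectoryKind.ActiveDirectory
                    ' AD: Negotiate (SASL, GSS-SPNEGO). userName is either the login name with
                    ' domain set, or a UPN (user@domain) with domain = Nothing.
                    con.AuthType = AuthType.Negotiate
                    con.Credential = New NetworkCredential(userName, password, domain)
                    con.SessionOptions.Signing = True   ' Kerberos/NTLM signs and seals the traffic
                    con.SessionOptions.Sealing = True
                Case DirectoryKind.Adam
                    ' ADAM user: simple bind with the DN (or UPN / displayName when set on the user).
                    ' Simple bind sends the password in clear text, so this example requires SSL,
                    ' which means connecting to the ADAM SSL port (placeholder, often 636).
                    con.AuthType = AuthType.Basic
                    con.SessionOptions.SecureSocketLayer = True
                    con.Credential = New NetworkCredential(userName, password)
            End Select
            Try
                con.Bind()
                Return True
            Catch ex As LdapException When ex.ErrorCode = 49
                ' 49 = invalid credentials; ex.ServerErrorMessage carries the "data 52e" style detail
                Return False
            End Try
        End Using
    End Function
End Module
```

Usage, with placeholder names: for the ADAM user in this thread, `Authenticate(DirectoryKind.Adam, "localhost", 636, "CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us", password, Nothing)`; for an AD account either `Authenticate(DirectoryKind.ActiveDirectory, "dc.example.local", 389, "mary", password, "EXAMPLE")` or the UPN form with `Nothing` as the domain. Catching only error 49 is deliberate: treating every exception as "wrong password" hides outages and misconfiguration (wrong port, wrong DN format) as login failures, which is the confusion the earlier posts in this thread ran into.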
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:100D9D93-9512-45E5-8657-FB4E786F2AAA@xxxxxxxxxxxxxxxx
Thanks Joe, that routine works. A few last questions please:
1) where is the port number specified?
2) I assume if there is a domain (for AD) that this form is used:
con.Credential = new NetworkCredential(user, pass,domain)
3) for AD, the "AuthType" should be ?? (did not see 'secure' in the
enumeration).
4) how to use the fully qualified name (cn=xx,ou=xx,o=MS,c=US)?
Thanks again,
Louis
"Joe Kaplan" wrote:
Your code will be different for authenticating users in ADAM vs. Active
Directory because with ADAM, you need to use simple bind while with AD you
should use Secure (SASL) bind. AD supports using simple bind, but you
should not build a product that uses that since it is insecure.
If you just want to authenticate a user, you only need a bind operation.
There is no need to do a search. If scalability is not an issue, then you
can safely use S.DS for this although S.DS.Protocols is still a good option
(given that you can use .NET 2.0). S.DS.P has an explicit Bind method which
makes it more clear what you are doing.
Something like this might be a blueprint for you to start with:
' needs Imports System.Net and Imports System.DirectoryServices.Protocols
Dim con As New LdapConnection("localhost")
con.Credential = New NetworkCredential("user", "password")
con.AuthType = AuthType.Basic
Try
    con.Bind()
    ' worked
Catch ex As Exception
    ' Failed; check to make sure you got the correct error code and not a
    ' different problem...
End Try
The keys to this are supplying the identifier to use for the directory to
connect to, supplying the right auth type for the directory and supplying
the right username format for the directory and authtype being used.
Another option that might be easier would be to P/Invoke the LogonUser API.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D13EA3EB-E2CD-4BEB-89F1-22CE4256588A@xxxxxxxxxxxxxxxx
Joe -
1) I have no idea what all the alphabet soup means.
2) Only using ADAM for testing a proof-of-concept; customer will have Active
Directory (we do not)
3) I have tried every authentication type and left off this parameter
entirely - no luck
4) per your suggestions: we want to stick with .net 2.0 as other code is
using this
5) this is not a web app
6) why was this complex scheme developed with no easy (clear-cut) way to
authenticate users?
7) everything we try returns either "no such object on server" or "unknown
user or password"
thanks,
Louis
"Joe Kaplan" wrote:
In S.DS, AuthenticationTypes.Secure is equivalent to GSS-SPNEGO, so you
can't use that for ADAM users. There is no explicit setting for simple
bind, but if you set one of the other flags and don't add the Secure flag,
that will change to simple bind.
Note that using S.DS for authentication may cause you scalability problems
in a high volume application as ADSI itself is not designed to work well in
this scenario and S.DS uses ADSI under the hood. If you need a scalable
solution, you should look at either the ValidateCredentials method on
PrincipalContext in .NET 3.5 or use the ActiveDirectoryMembershipProvider if
you are building a web app.
You can also write code in S.DS.P to handle this, although creating a
scalable solution with it is not trivial at all.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82996EA5-1D9F-4BA2-B3D7-D0528C0943C0@xxxxxxxxxxxxxxxx
Changing to simple bind seems to work (please see below).
Now, can you please help me translate that to the VB 2005 code below.
Thanks for taking your time helping everyone.
========= result ==================
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld, 'CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us', <unavailable>); // v.3
Authenticated as: 'CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US'.
---
========= code snippet ================================
Private Sub AuthenticateAdamUser()
    ' needs Imports System.DirectoryServices and Imports System.Windows.Forms
    Dim strFilter As String = "(&(objectClass=user)(cn=Mary Baker))"
    Dim sUserName As String = "Mary Baker"        ' ADAM simple bind accepts a DN, UPN or displayName
    Dim sPassWrd As String = "ABC123"
    Dim strgroupname As String = "ADAM users"
    Dim strbasedn As String = "o=Microsoft,c=us"  ' base DN of the ADAM partition used in the path below
    Dim blngroupuser As Boolean = False
    Dim domainEntry As DirectoryEntry
    Try
        domainEntry = New DirectoryEntry("LDAP://localhost:389/ou=ADAM users,o=Microsoft,c=us")
        ' FastBind without the Secure flag makes ADSI perform an LDAP simple bind
        domainEntry.AuthenticationType = AuthenticationTypes.FastBind ' AuthenticationTypes.Secure
        domainEntry.Password = sPassWrd
        domainEntry.Username = sUserName
        ' An example is "(&(objectClass=user)(lastName=Davis))".
        Dim strSearch As String = strFilter
        Dim dsSystem As New DirectorySearcher(domainEntry, strSearch)
        ' search subtree
        dsSystem.SearchScope = SearchScope.Subtree
        ' find user data
        Dim srSystem As SearchResult = dsSystem.FindOne()
        If srSystem Is Nothing Then
            MessageBox.Show("user not found")
            Return
        End If
        ' group: memberOf holds the full DN of every group the user belongs to
        Dim valcol As ResultPropertyValueCollection = srSystem.Properties("memberof")
        If valcol.Count > 0 Then
            Dim strGroupDn As String = "CN=" & strgroupname & "," & strbasedn
            Dim o As Object
            For Each o In valcol
                ' check if user in group (DNs compare case-insensitively)
                If String.Equals(o.ToString(), strGroupDn, StringComparison.OrdinalIgnoreCase) Then
                    blngroupuser = True
                    Exit For
                End If
            Next ' o
        End If
        If blngroupuser = True Then
            MessageBox.Show("login successful")
        Else
            MessageBox.Show("user not in this group")
        End If
    Catch ex As Exception
        MessageBox.Show(ex.Message)
    End Try
End Sub
=============================================
"Joe Kaplan" wrote:
ADAM users must be authenticated with either Simple bind or Digest auth.
You are using SASL bind with SPNEGO which only authenticates Windows users
via pass through authentication.
In LDP, change to simple bind and try again. Also, make sure the ADAM user
is enabled as well as having a password set.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"louis" <louis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:810A83BC-B59F-4F42-AF00-A971175052BC@xxxxxxxxxxxxxxxx
I have set up ADAM using the "Mary Baker" examples in the guide, used the
dsmgt to change the security, set a password of "ABC123", turned the
security back on using dsmgt. I cannot get any of several test routines to
authenticate, also will not authenticate using the "LDP" utility. Output
here:
=================================
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us'; Pwd=<unavailable>; domain = 'LouisXP'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, va28
Error 0x8009030C The logon attempt failed
-----------
I have changed the user to enabled (as documented in several posts). This
is all running on the same XP PRO sp2 machine.
Any help appreciated. Thanks.
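The S.DS (ADSI) side of the thread, where Joe notes that AuthenticationTypes.Secure means GSS-SPNEGO and that leaving Secure out turns the bind into a simple bind, and where louis checks memberOf after the bind, can be written as one routine. This is an added example, not code from the thread: it assumes ldapPath points at the user's own object (so memberOf is the user's attribute, not the container's), assumes an SSL-enabled ADAM port for the simple bind, and relies on ADSI reporting a rejected bind as ERROR_LOGON_FAILURE (HRESULT 0x8007052E, the "unknown user name or bad password" text louis saw).

```vbnet
' Added example (not from the thread). Requires a reference to System.DirectoryServices.
Imports System
Imports System.DirectoryServices
Imports System.Runtime.InteropServices

Public Module AdsiAuth

    ' Chooses the ADSI flags the thread describes: Secure means GSS-SPNEGO (Windows
    ' accounts only); without Secure, ADSI performs an LDAP simple bind, which ADAM users need.
    Public Function FlagsFor(ByVal isAdamUser As Boolean) As AuthenticationTypes
        If isAdamUser Then
            ' FastBind alone gives a simple bind; SecureSocketsLayer keeps the clear-text
            ' password off the wire (the ldapPath must then use the SSL port, a placeholder here).
            Return AuthenticationTypes.FastBind Or AuthenticationTypes.SecureSocketsLayer
        Else
            ' Windows account: SASL (Kerberos/NTLM) bind with signing and sealing.
            Return AuthenticationTypes.Secure Or AuthenticationTypes.Signing Or AuthenticationTypes.Sealing
        End If
    End Function

    ' Binds as the user and, when requiredGroupDn is given, checks memberOf for that group DN.
    ' Returns "ok", "bad-credentials" or "not-in-group"; any other COM error propagates so that
    ' a wrong path or an unreachable server is not reported as a bad password.
    Public Function Authenticate(ByVal ldapPath As String, ByVal userName As String, ByVal password As String, _
                                 ByVal isAdamUser As Boolean, ByVal requiredGroupDn As String) As String
        Using entry As New DirectoryEntry(ldapPath, userName, password, FlagsFor(isAdamUser))
            Try
                ' Touching NativeObject forces the bind; no search is needed just to authenticate.
                Dim unused As Object = entry.NativeObject
            Catch ex As COMException When ex.ErrorCode = &H8007052E
                ' ERROR_LOGON_FAILURE: the directory rejected the credentials
                Return "bad-credentials"
            End Try
            If String.IsNullOrEmpty(requiredGroupDn) Then Return "ok"
            ' memberOf holds full group DNs; DNs compare case-insensitively.
            For Each dn As Object In entry.Properties("memberOf")
                If String.Equals(dn.ToString(), requiredGroupDn, StringComparison.OrdinalIgnoreCase) Then
                    Return "ok"
                End If
            Next
            Return "not-in-group"
        End Using
    End Function
End Module
```

Usage, with placeholder values: `Authenticate("LDAP://localhost:636/CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us", "CN=Mary Baker,ou=ADAM users,o=Microsoft,c=us", password, True, "CN=ADAM users,o=Microsoft,c=us")` for the ADAM user, or `Authenticate("LDAP://dc.example.local/CN=mary,CN=Users,DC=example,DC=local", "EXAMPLE\mary", password, False, Nothing)` for a Windows account. As Joe's note says, this path goes through ADSI and does not scale for high-volume logons; it is the drop-in equivalent of the DirectoryEntry code earlier in the thread, not a replacement for ValidateCredentials or S.DS.P in a busy application.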