Re: USE of ADFS



The only problem is the application we are using is a third-party application
that uses ColdFusion and J2EE. We have a similar application that uses
ColdFusion and it has the same problem. I am not familiar enough with Java
and ColdFusion, but it seems that if you provide an LDAP server for X domain
but have users in Y domain, you cannot authenticate users from Y domain
unless you specify that domain's LDAP server. So if ADFS does not allow us to
enter a single LDAP server that we can configure to authenticate users in
multiple domains, it looks like this will not work. Are there any other Microsoft
products that may do this? Our other alternative is to move users from the
multiple domains into a single domain, which we do not want to do at this
time.

"Joe Kaplan" wrote:

It sounds like your current LDAP authentication mechanism is flawed as it
should be possible to authenticate any user in the forest against a single
domain. All domains in the forest trust each other.

That said, I don't know if ADFS would really help you here or not. ADFS is
primarily intended when you need to authenticate users in multiple identity
realms. In ADFS, your entire forest is a single realm, so it isn't
considered "needed" to authenticate across domains.

The primary concern I would have for your app with ADFS is that there is no
"claims aware" agent for CF (that I know of), so you would need to use the
IIS NT Token agent instead. If your app was going to be based on Windows
security, you could just as easily apply Basic or Integrated authentication
and fix your issue with authenticating users in multiple domains (which is
not an issue with Basic or Integrated).

So, before you go down the ADFS path, you might want to consider other
options such as fixing your existing LDAP authentication or using a built-in
Windows mechanism.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"ehinkle27" <ehinkle27@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FAB38617-DA79-43F9-89F4-738F581DB8A3@xxxxxxxxxxxxxxxx
We are implementing a Web Solution using ColdFusion that currently uses LDAP
to perform user authentication. This works okay for user accounts that
reside within the domain the application server is running in, but anytime a
user outside our domain (within the same forest) tries to authenticate using
LDAP it does not work. We are in a single forest with multiple trees that we
need to have access to this web application. The web application only has a
setting to configure a single LDAP server, so it appears that anytime a user
tries to authenticate from a different domain it cannot find the user
because it can't query the other domains' LDAP servers. I would like to know:
would configuring ADFS solve this issue? Will it allow us to provide one
LDAP server name that can resolve user access from multiple domains within
the same forest? All the domains that will authenticate to this web
application are within the same forest and the trust relationships are
fine. I can share folders and grant users from the different domains access
to network shares with no problems.
