Re: USE of ADFS
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Sep 2008 16:19:26 -0500
The problem here is the algorithm implemented by the LDAP authentication for
these applications. For pure LDAP authentication, AD WILL allow any domain
controller in the forest to authenticate a user in ANY domain in the forest.
However, you could easily code it so that some aspect of this might fail.
For example, if the app does a search to find the user in the domain and
they are in a different domain, that will fail. Note that this search is
not required for the authentication per se, so that's why I suggest that
this would be considered a shortcoming in the implementation.
ADFS CAN definitely authenticate any user in any domain in an AD forest with
no problem. What I was trying to suggest is that your trouble would likely
be in getting an ADFS-compatible agent integrated into your application.
The two agents Microsoft ship require either a .NET 2.0 ASP.NET web app (for
the claims-aware agent) or a domain joined IIS server platform for the NT
token agent. It doesn't sound like you have either of those unless you run
your CF and J2EE stuff on IIS (which is possible but not that common).
The other thing I was trying to suggest is that you don't usually use ADFS
to integrate a single identity realm and an AD forest is considered a single
identity realm for ADFS purposes. Normally, you use it for integrating
multiple organizations.
If the application's LDAP authentication mechanism cannot be modified to
work across multiple domains in the forest, then you might not have a good
option here other than to consider some type of meta directory solution such
as ADAM/bind proxy auth or a full fledged LDAP proxy server.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"ehinkle27" <ehinkle27@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3B6B9319-2ED5-48FD-BC69-3BFC668B9DB9@xxxxxxxxxxxxxxxx
The only problem is the application we are using is a third party application
that uses ColdFusion and J2EE. We have a similar application that uses
ColdFusion and it has the same problem. I am not familiar enough with Java
and ColdFusion, but it seems that if you provide an LDAP server for X domain
but have users in Y domain, you cannot authenticate users from Y domain
unless you specify that domain's LDAP server. So if ADFS does not allow us to
enter a single LDAP server that we can configure to authenticate users in
multiple domains, it looks like this will not work. Are there any other
Microsoft products that may do this? Our other alternative is to move users from the
multiple domains into a single domain, which we do not want to do at this
time.
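Added example (not code from either poster): the two-step pattern Joe describes, written as the J2EE-side JNDI code the application would need. Step 1 is the LDAP simple bind, which any domain controller in the forest can complete for a user from any domain when the user is identified by userPrincipalName. Step 2 is the optional user lookup that the thread's applications get wrong: searching one domain's partition on port 636 only finds that domain's users, whereas searching the Global Catalog (assumed here on the TLS port 3269, with the forest root read from rootDSE) finds users of every domain in the forest. Host names, account names and the port choices are assumptions.

```java
// Added example, not part of the original thread.
// Assumptions: any DC of the forest is reachable on 636 (LDAPS) and 3269 (GC over TLS),
// users are identified by userPrincipalName, and the service account used for the
// lookup is an ordinary forest user. Host and account names are placeholders.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class ForestLdapAuth {

    /** Step 1: simple bind as the user. Any DC in the forest authenticates any forest user. */
    static boolean bindAsUser(String dcHost, String upn, String password) {
        // AD treats a simple bind with an empty password as an anonymous bind and reports
        // success, so an app that forwards "" straight to the bind lets anyone in.
        if (password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + dcHost + ":636/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);        // e.g. "alice@child.example.com"
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialLdapContext(env, null).close();
            return true;
        } catch (NamingException e) {                    // AuthenticationException on bad credentials
            return false;
        }
    }

    /**
     * Step 2 (optional): locate the user's entry after authentication.
     * Searching the DC's own domain partition (port 636) finds only that domain's users;
     * searching the Global Catalog (port 3269) from the forest root finds forest-wide.
     */
    static String findUserDn(String dcHost, String upn, String svcUpn, String svcPassword)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + dcHost + ":3269/");   // assumed: GC over TLS
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, svcUpn);                     // placeholder service account
        env.put(Context.SECURITY_CREDENTIALS, svcPassword);
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // Read the forest root from rootDSE instead of hard-coding one domain's DN.
            Attributes rootDse = ctx.getAttributes("", new String[] {"rootDomainNamingContext"});
            String forestRoot = (String) rootDse.get("rootDomainNamingContext").get();

            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            // Pass the UPN as a filter argument so JNDI escapes it per RFC 4515;
            // never build the filter by string concatenation.
            NamingEnumeration<SearchResult> results = ctx.search(forestRoot,
                    "(&(objectClass=user)(userPrincipalName={0}))", new Object[] {upn}, sc);
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        String dc = "dc01.example.com";                                  // placeholder DC
        String upn = "alice@child.example.com";                          // user in a child domain
        if (bindAsUser(dc, upn, "user-password")) {
            System.out.println("DN: " + findUserDn(dc, upn, "svc-ldap@example.com", "svc-password"));
        }
    }
}
```

Two caveats on the lookup step. The rootDomainNamingContext base covers one domain tree; a forest with several trees needs one search per tree root (the values of namingContexts from rootDSE). And the GC holds only a partial attribute set, so if the application needs attributes that are not replicated to the GC it must follow the entry's DN back to a DC of the user's own domain, which is exactly the per-domain dependency the thread is trying to avoid.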
- References:
- USE of ADFS
- From: ehinkle27
- Re: USE of ADFS
- From: Joe Kaplan
- Re: USE of ADFS
- From: ehinkle27