Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

ADAM Authentication

6 views
Skip to first unread message

Aaron

unread,
Jul 19, 2006, 4:10:03 PM7/19/06
to
Ok. So I'm working on creating an Addressbook for domain users that
can be access remotely via LDAP. I've setup an ADAM instance and have
ported the user/mail information from our Active Directory domain into
this instance. If i'm using something like Windows Address Book
(wab.exe) from an account that is logged in to the domain, and bind to
ADAM using a windows domain security principal, then it works fine.
However, if I attempt to bind to the ADAM instance using that same
domain security principal while logged into an external machine that is
NOT a part of our domain (or part of a different domain) then the
authentication/bind fails. From looking at the packet traffic, it
appears to be attempting an authentication useing the credentials of
the logged in user. For Example:

Lets say my domain username is CAMPUS/aaron. If I'm logged in to my
workstation as CAMPUS/aaron and bind to ADAM using CAMPUS/aaron, it
works fine. However, if I go home, and log into HOME/joebob, and then
configure wab to bind to the ADAM server back at work using the
CAMPUS/aaron username and password, the authentication fails and I
would see an authentication attempt using HOME/joebob.

What do I need to do to allow my domain users to be able to
authenticate to the ADAM instance when they are NOT logged in to the
domain itself? Keep in mind that I do *not* wish to use anonymous
binding, users *must* authenticate before using the directory...

Aaron

unread,
Jul 19, 2006, 4:30:09 PM7/19/06
to
I'm wondering if this is something on the Outlook Express/WAB side. If
I pull up ADAM ADSI edit on an external machine, NOT logged in to the
domain, I can bind to my ADAM instance using a domain username and
password....

Joe Kaplan (MVP - ADSI)

unread,
Jul 19, 2006, 4:41:45 PM7/19/06
to
This sounds more like a problem in the client than a problem in ADAM. It
looks like the software that is doing the bind is ignoring your
configuration stating which credentials to use and is using the current
security context instead.

I know for a fact that you can supply credentials to an LDAP bind to ADAM
and have it honor those.

The other thing that is important is the type of LDAP bind you do here.
When you want to log in to ADAM as a Window user, you must use a Secure LDAP
bind (SASL with GSS-SPNEGO provider). If you want to log in with a user in
the ADAM store, you would use a simple bind (or DIGEST). I'm not sure if
that is relevant here though.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Aaron" <Aaron...@kzoo.edu> wrote in message
news:1153339803.0...@75g2000cwc.googlegroups.com...

Dmitri Gavrilov [MSFT]

unread,
Jul 20, 2006, 6:00:35 AM7/20/06
to
ADAM can only authenticate users that are trusted. It won't allow
HOME\joebob access its data because it does not know who HOME\joebob is. It
is as good as anonymous, as far as ADAM is concerned. If some computer on
the internet authenticated joebob and is saying "this guy is really
authenticated. Oh, and he is a member of BUILTIN\admins too", it does not
mean ADAM should trust that computer to do a good job authenticating.

If HOME was a domain, then you could create a trust from CAMPUS to HOME, and
then ADAM would be able to authenticate users from HOME. However, from your
scenario, I don't think that is possible.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Aaron" <Aaron...@kzoo.edu> wrote in message
news:1153339803.0...@75g2000cwc.googlegroups.com...

Aaron

unread,
Jul 20, 2006, 9:25:51 AM7/20/06
to
But I'm not trying to authenticate as HOME\joebob. I'm providing the
username and password for CAMPUS\aaron and want ADAM to authenticate
THAT. It's Microsoft Outlook Express that is trying to send the
HOME\joebob credentials instead of the CAMPUS\aaron credentials that I
have configured for the LDAP account i the address book. Other LDAP
applications don't seem to have this problem. The ADAM ADSI editor
*and* ldp.exe will both connect and auth/bind from the HOME/joebob
computer using the CAMPUS\aaron credentials.

Joe Kaplan (MVP - ADSI)

unread,
Jul 20, 2006, 10:54:15 AM7/20/06
to
That's what I was trying to suggest. This sounds like a bug in the client
app you are using. You might want to report this to whoever owns that piece
of code.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

"Aaron" <Aaron...@kzoo.edu> wrote in message

news:1153401951.4...@h48g2000cwc.googlegroups.com...

Aaron

unread,
Jul 20, 2006, 4:16:08 PM7/20/06
to
The client app in question is the Windows Address Book. Part of
Microsoft Outlook Express. So...yeah...I do that right after I go wash
some dirt.

Joe Richards [MVP]

unread,
Jul 20, 2006, 5:39:23 PM7/20/06
to
In the directory properties tab of the WAB did you specify your userid
and password? If you don't, by default it will try to use the current
process security context.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Dmitri Gavrilov [MSFT]

unread,
Jul 21, 2006, 3:09:34 AM7/21/06
to
Did you check "Use Secure Password Authentication" checkbox? Without it, WAB
will attempt to do a simple ldap bind.

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Aaron" <Aaron...@kzoo.edu> wrote in message

news:1153426568.6...@b28g2000cwb.googlegroups.com...

Aaron

unread,
Jul 21, 2006, 12:47:20 PM7/21/06
to
Yes, Secure Password Authentication is checked on.

Aaron

unread,
Jul 21, 2006, 12:54:49 PM7/21/06
to
If, from within WAB, I go to Tools -> Accounts and select the account
for the Adam directory, I have "This server requires me to log on"
checked and then the userid (DOMAIN\userid) and password are filled in.
The setup works as long as you run WAB from a machine that is logged
into the domain, and THAT part looked good yesterday. But today I come
in and it's not working on the SSL port. I can connect with LDP and
authenticate and bind and search through the directory, but if I try
searches with WAB it says there are no entries in the directory that
match my search criteria. But only if I use SSL. If I change NOTHING
else, and just click off SSL, then searches work fine. o_0. The only
"errors" I see are when I connect via LDP with SSL and it shows this:

ld = ldap_sslinit("awsmithxp.knet.kzoo.edu", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to awsmithxp.knet.kzoo.edu.

The only change between then and now is that the machine was shutdown
and then restarted this morning.

Joe Kaplan (MVP - ADSI)

unread,
Jul 21, 2006, 1:42:01 PM7/21/06
to
I'm not sure if this is involved or not, but part of the problem may be in
network issues with secure authentication. Generally, with secure auth, the
client needs to contact the KDC to get a Kerberos ticket for Kerberos login
or may need to contact the DC for NTLM. That may not work for clients
outside the firewall.

If you can do a simple bind though, you don't have that issue. The
credentials are passed directly to the ADAM server via LDAP. It appears
that you uncheck the secure password authentication box if you want a simple
bind. The primary concern there is that simple binds are not secure unless
the channel is encrypted with SSL or something. However, you said you
already have SSL.

You might consider creating a fixed service account in ADAM with a password
that doesn't expire and giving it read access to the address data. Then,
you configure your clients with that ADAM ID and it should work in any
network configuration that can hit your ADAM instance via SSL/LDAP (and
trust the certificate). You could also put bind proxies in your ADAM
instance and have your users put their own IDs in the WAB configuration, but
then they'd have to remember to change those credentials whenever they
change passwords or risk lockout.

Just an idea...

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Aaron" <Aaron...@kzoo.edu> wrote in message

news:1153500440.6...@m73g2000cwd.googlegroups.com...

Joe Richards [MVP]

unread,
Jul 22, 2006, 5:23:51 PM7/22/06
to
This looks like a bug in WAB.

I just made it break on a domain joined machine in fact. I simply
spawned a command prompt as a local user and started WAB as that user
and then configured a new directory and gave it a whirl while watching
with ethereal. Totally didn't use the credentials I specified.

You could go find one a newsgroups dedicated to outlook express and see
if you can round up an OE MVP as they may know who to direct that bug
report to.

joe

0 new messages