
ADAM authentication failure.


New2ADAM

Feb 17, 2006, 3:04:46 PM
Hello,
I am trying to authenticate ADAM users from a web page and I see an
'unknown username or bad password' error. I am able to do a simple bind
as the ADAM user but nothing more than a simple bind.

Background:
ADAM SP1 installed on win2k3 R2 Enterprise edition server.
Created a domain partition during install, imported all four ldifs to
extend schema.
Connected to domain partition using ADSI edit
Created OU inside this partition and created users within this ou,
using Adsi edit. I also reset the pwds and changed
'MSds-useraccountdisabled' attribute value to false. These users are
also members of Administrators, readers and users groups under cn=roles
container.

I can connect to ADAM using ldp.exe, bind as 'logged on user'. This is
a windows account with admin permissions on ADAM.

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd= <unavailable>; domain = 'NULL'.}
Authenticated as: 'WIN2K3R2\Admin'.

I can do a simple bind as ADAM user.
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld, 'test2', <unavailable>); // v.3
Authenticated as: 'CN=Test2,OU=Testou,DC=abcxyz,DC=org'.

I see the following when I try other settings to bind with LDAP:
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, vece
Error 0x8009030C The logon attempt failed

I created a UPN value for the user and used it as the username - fails to bind.

I then tried checking permissions on user object using dsacls.
**********************************************************************
Owner: CN=Administrators,CN=Roles,DC=abcxyz,DC=org
Group: CN=Administrators,CN=Roles,DC=abcxyz,DC=org

Access list:
Allow CN=Readers,CN=Roles,DC=abcxyz,DC=org
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=abcxyz,DC=org
FULL CONTROL <Inherited from parent>
Allow NT AUTHORITY\SELF Change Password

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=abcxyz,DC=org
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=abcxyz,DC=org
FULL CONTROL <Inherited from parent>

The command completed successfully
********************************************
Any other type of binding fails. I am unable to log in from an
application page which has 'username', 'password' and 'domain' fields.
This page works fine with AD 2k3 R2 but fails with ADAM.

I am very new to ADAM and did all of the above using the MS ADAM guide.
It would be a great help if someone can help me with this.

Thanks in advance
New2ADAM.

Lee Flight

Feb 17, 2006, 4:56:27 PM
Hi

In ADAM SP1 you have two options for binding as an ADAM user:

simple bind (using distinguishedName or canonicalName or
displayName or userPrincipalName)
or

digest bind (using distinguishedName)

Any other SASL bind (NTLM, Kerberos, negotiated) will only work
for a local or domain Windows account.

Lee Flight


"New2ADAM" <Srin...@gmail.com> wrote in message
news:1140206686....@g44g2000cwa.googlegroups.com...

Joe Kaplan (MVP - ADSI)

Feb 17, 2006, 6:20:08 PM
Since when are canonicalName and displayName supported for simple bind? I
thought it was just DN and UPN? Crap, my book is wrong and it is already
too late! Argh!

Joe K.

"Lee Flight" <l...@le.ac.uk-nospam> wrote in message
news:eiJjF0AN...@TK2MSFTNGP15.phx.gbl...

Joe Kaplan (MVP - ADSI)

Feb 17, 2006, 6:24:11 PM
Geez, I just tested it and it works as Lee advertised. Sigh.

canonicalName and displayName too...

Joe K.

"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:ey87yiBN...@TK2MSFTNGP10.phx.gbl...

Dmitri Gavrilov [MSFT]

Feb 19, 2006, 2:32:06 AM
DN and UPN are the "guaranteed" ones. Everything else is pretty much a wild
guess. So, we are basically doing a CrackName call with "unknown input
format". It tries to apply several formats, in the following order:

FQDN_1779_NAME
CANONICAL_NAME
UNIQUE_ID_NAME (guid)
DISPLAY_NAME
SERVICE_PRINCIPAL_NAME
SID_OR_SID_HISTORY_NAME (stringized sid iirc)
CANONICAL_NAME_EX (slightly differently formatted canonical name)
USER_PRINCIPAL_NAME

Note if the string does not look like it matches the format (e.g. does not
look like a DN or a guid), then we do not try to actually search for it.

Note displayName matches any string, so it actually takes precedence over
UPN. UPN too matches any string (but only in ADAM).

The list above is for ADAM. AD uses a similar algorithm for simple binds.
But the matching order for AD is slightly different:

FQDN_1779_NAME
USER_PRINCIPAL_NAME (must match user@domain pattern)
NT4_ACCOUNT_NAME (domain\username)
CANONICAL_NAME
UNIQUE_ID_NAME (guid)
DISPLAY_NAME
SERVICE_PRINCIPAL_NAME
SID_OR_SID_HISTORY_NAME
CANONICAL_NAME_EX

--
Dmitri Gavrilov
SDE, DS Admin eXperience

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote in message news:unhYDlB...@tk2msftngp13.phx.gbl...

Dmitri Gavrilov [MSFT]

Feb 19, 2006, 2:58:08 AM
Wanted to point out a couple of interesting consequences of the info below.

If you have user1 whose displayName is Dmitri, and user2 whose
userPrincipalName is Dmitri, then if you do simple bind as Dmitri, then
you'll authenticate as user1.

If you have two users whose displayName is Dmitri, then you won't be able to
bind. Same for UPN.

So, I guess I am going to revise the statement below. The only "guaranteed"
way to bind is to use the DN, because we guarantee the uniqueness of this
one. Everything else will be a wild guess :)

--
Dmitri Gavrilov
SDE, DS Admin eXperience


"Dmitri Gavrilov [MSFT]" <dmi...@online.microsoft.com> wrote in message
news:OKFtWaSN...@TK2MSFTNGP15.phx.gbl...

Joe Kaplan (MVP - ADSI)

Feb 19, 2006, 3:57:09 PM
Wow. Thanks again for all of the extra details. We can definitely use this
to provide some "best practices" guidance for people. I think sticking with
DN and UPN is good practice, as long as steps are taken to ensure UPN is not
duplicated. This is non-trivial in a replicated environment, but is worth
putting some effort into if it is really important. This really applies to
AD as well if UPNs are being assigned.

The objectGUID, displayName, SPN and such options were a total revelation to
me though.

Joe K.

"Dmitri Gavrilov [MSFT]" <dmi...@online.microsoft.com> wrote in message news:ueR35oSN...@TK2MSFTNGP10.phx.gbl...

Lee Flight

Feb 19, 2006, 5:42:11 PM
Echoing JoeK's thanks for the code review, this is very useful/important
stuff to know. My list for the simple bind of a user was the four that are
advertised in the ADAM docs (digest bind is just DN, as that is the only MUST
in the RFC I guess).

Is canonicalName also "guaranteed" as that would seem to be unique?
[Why is canonicalName multivalued in the schema? OK I know you don't
do Why questions on the Schema :) ]

Thanks again
Lee Flight


"Dmitri Gavrilov [MSFT]" <dmi...@online.microsoft.com> wrote in message news:ueR35oSN...@TK2MSFTNGP10.phx.gbl...

Dmitri Gavrilov [MSFT]

Feb 22, 2006, 6:33:25 PM
Ah, hmm. Yes, canonical name should be unique too. Which means you cannot
have a UPN or displayName that looks like a canonical name. And it looks
like we treat anything with a slash as a canonical name.

And, in this case, I can answer your schema question.
CanonicalName is a constructed attribute, and it is always single-valued.
So, the schema is incorrect :)
That said, single-valued-ness is only enforced for writes. Since you cannot
write a constructed attribute, this constraint does not really mean
anything.

--
Dmitri Gavrilov
SDE, DS Admin eXperience


"Lee Flight" <l...@le.ac.uk-nospam> wrote in message
news:%238lE7Wa...@TK2MSFTNGP15.phx.gbl...
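Putting Dmitri's three replies together (the CrackName format order for ADAM and for AD, displayName taking precedence over UPN, duplicate values making a bind fail, and anything containing a slash being treated as a canonical name), the following is a model of that resolution in Python. It is an added illustration written for this page, not Microsoft's code or anything posted in the thread: the "looks like" heuristics for each format, the rule that a syntactically definite format fails the bind on a miss instead of falling through, the Entry fields and the constructed abcxyz.org users are all assumptions; the NT4, SID, SPN and CANONICAL_NAME_EX formats keep their place in the order but have no sample data behind them. The audit function is the defender's check the discussion implies: report duplicate displayName or userPrincipalName values, UPNs shadowed by someone else's displayName, and values containing a slash.

```python
"""Model of the ADAM/AD simple-bind name resolution order described in this thread.
Added illustration, not Microsoft's code; the heuristics and sample data are assumptions."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    dn: str
    display_name: str = ""
    upn: str = ""
    object_guid: str = ""

    @property
    def canonical_name(self):  # constructed attribute 'dns.domain/OU/leaf', derived from the DN
        parts = [p.strip() for p in self.dn.split(",")]
        dcs = [p[3:] for p in parts if p.lower().startswith("dc=")]
        rdns = [p.split("=", 1)[1] for p in parts if not p.lower().startswith("dc=")]
        return ".".join(dcs) + "/" + "/".join(reversed(rdns))

DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=")  # attr=value, RFC 1779 style
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

# format -> (looks_like, attribute searched, definite). A definite format's syntax pins the
# string down, so a miss fails the bind instead of falling through (assumed; it is what
# Dmitri's remark about slashes implies). Attributes the sample Entry lacks never match.
FORMATS = {
    "FQDN_1779_NAME": (DN_RE.match, "dn", True),
    "CANONICAL_NAME": (lambda s: "/" in s, "canonical_name", True),
    "UNIQUE_ID_NAME": (GUID_RE.match, "object_guid", True),
    "DISPLAY_NAME": (lambda s: True, "display_name", False),  # matches any string
    "SERVICE_PRINCIPAL_NAME": (lambda s: "/" in s, "spn", True),
    "SID_OR_SID_HISTORY_NAME": (lambda s: s.upper().startswith("S-1-"), "sid", True),
    "CANONICAL_NAME_EX": (lambda s: "\n" in s, "canonical_name_ex", True),  # not modelled
    "USER_PRINCIPAL_NAME": (lambda s: True, "upn", False),  # ADAM: any string
    "NT4_ACCOUNT_NAME": (lambda s: "\\" in s, "nt4_name", True),  # domain\user, AD only
}
ADAM_ORDER = ["FQDN_1779_NAME", "CANONICAL_NAME", "UNIQUE_ID_NAME", "DISPLAY_NAME",
              "SERVICE_PRINCIPAL_NAME", "SID_OR_SID_HISTORY_NAME", "CANONICAL_NAME_EX", "USER_PRINCIPAL_NAME"]
AD_ORDER = ["FQDN_1779_NAME", "USER_PRINCIPAL_NAME", "NT4_ACCOUNT_NAME", "CANONICAL_NAME", "UNIQUE_ID_NAME",
            "DISPLAY_NAME", "SERVICE_PRINCIPAL_NAME", "SID_OR_SID_HISTORY_NAME", "CANONICAL_NAME_EX"]

class BindError(Exception):
    """Stands in for LDAP error 49 / 'data 52e' as ldp.exe reports it."""

def resolve_simple_bind(name, directory, flavor="ADAM"):
    """Return the single Entry a simple-bind name resolves to, or raise BindError."""
    for fmt in ADAM_ORDER if flavor == "ADAM" else AD_ORDER:
        looks_like, attr, definite = FORMATS[fmt]
        if fmt == "USER_PRINCIPAL_NAME" and flavor == "AD":
            looks_like = UPN_RE.match  # AD: must look like user@domain
        if not looks_like(name):
            continue  # wrong shape: this format is not searched at all
        hits = [e for e in directory if getattr(e, attr, "").lower() == name.lower()]
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            raise BindError(f"{fmt}: {len(hits)} objects match {name!r}")
        if definite:
            raise BindError(f"{fmt}: no object matches {name!r}")
    raise BindError(f"no format resolved {name!r}")

def audit_bind_names(directory):
    """Defender-side check: values that make simple binds ambiguous or unreachable."""
    findings, display_names = [], {e.display_name.lower() for e in directory if e.display_name}
    for attr in ("display_name", "upn"):
        seen = {}
        for e in directory:
            seen.setdefault(getattr(e, attr).lower(), []).append(e.dn)
        findings += [f"duplicate {attr} {v!r}: {dns}" for v, dns in seen.items() if v and len(dns) > 1]
    for e in directory:
        if e.upn.lower() in display_names:
            findings.append(f"UPN {e.upn!r} of {e.dn} is shadowed by a displayName (ADAM order)")
        if "/" in e.display_name or "/" in e.upn:
            findings.append(f"{e.dn}: displayName or UPN contains '/', so it parses as a canonical name")
    return findings

BASE = "DC=abcxyz,DC=org"  # partition named in the original post; the users below are constructed
DIRECTORY = [
    Entry(f"CN=Test2,OU=Testou,{BASE}", "Test Two", "test2@abcxyz.org", "6ba7b810-9dad-11d1-80b4-00c04fd430c8"),
    Entry(f"CN=User1,OU=Testou,{BASE}", "Dmitri", "user1@abcxyz.org"),
    Entry(f"CN=User2,OU=Testou,{BASE}", "User Two", "Dmitri"),
]
DUPLICATE = Entry(f"CN=User3,OU=Testou,{BASE}", "Dmitri", "user3@abcxyz.org")

def bind_rdn(name, directory=DIRECTORY, flavor="ADAM"):
    """Leaf RDN of the object the name binds as, or the BindError text."""
    try:
        return resolve_simple_bind(name, directory, flavor).dn.split(",")[0]
    except BindError as exc:
        return str(exc)

def demo():
    return {  # the scenarios discussed in the thread, run against the constructed directory
        "dn": bind_rdn(f"CN=Test2,OU=Testou,{BASE}"),
        "canonical": bind_rdn("abcxyz.org/Testou/Test2"),
        "guid": bind_rdn("6BA7B810-9DAD-11D1-80B4-00C04FD430C8"),
        "upn": bind_rdn("test2@abcxyz.org"),  # displayName is searched first and misses, then UPN hits
        "dmitri": bind_rdn("Dmitri"),  # displayName is tried before UPN in ADAM: User1 wins
        "duplicate": bind_rdn("Dmitri", DIRECTORY + [DUPLICATE]),
        "slash_miss": bind_rdn("abcxyz.org/Testou/Nobody"),
        "audit": audit_bind_names(DIRECTORY + [DUPLICATE]),
    }
```

Running demo() shows the bind for "Dmitri" landing on User1 (its displayName) rather than User2 (whose UPN is "Dmitri"), and failing outright once a second "Dmitri" displayName exists, while the DN, objectGUID and canonical name keep resolving; the AD order gives the same answers for these inputs because "Dmitri" is not user@domain-shaped there. The audit is the check to run over real search results before pointing a login page that passes the typed username straight into the bind at ADAM, since only the DN is unique by construction.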
