ADAM Proxy Bind re-direction


Craig Gilmour

Mar 15, 2006, 8:49:27 PM3/15/06
All,
ADAM has a proxy bind redirection option See the following link:
http://technet2.microsoft.com/WindowsServer/en/Library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx
Scroll down to
"Bind Redirection for ADAM Proxy Objects"

Microsoft tends to recommend using Integrated Windows Auth where possible
(as I would as well), and only use the proxy auth mode for non Microsoft apps
that require a direct LDAP authentication. However, I have not seen much
reference to it.

I have tested this myself and it seems to work quite well. I am curious as
to why this option does not get more "airplay". Perhaps it is because MIIS
didn't originally have a password sync function and now does!! Are there
people out there who have used it in production who have any opinion as to
whether it is a viable option? The only real downside that I can see is:
- passwords sent in clear text (or LDAPS) from ADAM to domain controller

However, the upside (over password sync) is:
- No DLL required on domain controllers
- No propagation delays related to password sync
- No real or perceived security issues around sending passwords from a
secure repository to other locations
- Passwords kept in a single spot in AD

MIIS could maintain ADAM and populate the SIDS as required.

Any thoughts / comments / recommendations on whether to use this or not?

regards,
Craig Gilmour
Unify Solutions

Joe Kaplan (MVP - ADSI)

Mar 15, 2006, 10:38:19 PM3/15/06
There are two features in ADAM that allow you to authenticate AD users:
Pass-through authentication
Bind proxy

Pass-through auth is where you do a secure (GSS-SPNEGO) bind to ADAM with a
Windows user's credentials (including using IWA) to authenticate a Windows
user. ADAM here can authenticate users on the local machine and users that
the current machine has a trust relationship with.

Bind proxies allow you to have an actual object in ADAM that points to a
Windows user. You authenticate with an LDAP simple bind and ADAM redirects
the authentication back to ADAM.

There are two main reasons to use bind proxy:
- Your app can't do a secure/GSS-SPNEGO bind, so you can't use pass-through
auth
- You want to extend the schema of your bind proxy class to add additional
attribute data to the proxy object to service your application

I think the latter case is kind of interesting, even for apps that could use
secure bind.

Both pass-through and bind proxy are viable options and should probably be
used in the case where you would be considering creating normal ADAM users
and synching the password over from AD. Even though MIIS supports that,
password synch is still a bit icky IMO.

Those are my thoughts. I'm sure others will weigh in as well.

Joe K.
"Craig Gilmour" <CraigG...@discussions.microsoft.com> wrote in message
news:00ECB97F-02AB-420E...@microsoft.com...

Lee Flight

Mar 16, 2006, 10:51:45 AM3/16/06
Hi

I agree with JoeK.

Using either Windows principals appropriately
ACL'ed in ADAM or native ADAM principals means that
your user management overhead is lower; if you have MIIS in place
that's less of an issue. Microsoft emphasized bindProxy for legacy,
simple-bind apps; however, in the archives of this newsgroup you will
find that many people have used them in the shadow account context
that Joe indicated. I do not think Microsoft are quite through with
bindProxies yet, as in ADAM SP1 they introduced password chaining
for bindProxies and a version of ADAMSync that allows a sync of
AD users to an ADAM target object class of userProxy.

Lee Flight


"Craig Gilmour" <CraigG...@discussions.microsoft.com> wrote in message
news:00ECB97F-02AB-420E...@microsoft.com...

Craig Gilmour

Mar 16, 2006, 9:20:27 PM3/16/06
Lee and Joe,
thanks heaps for your comments. You are right - I am creating an ADAM
repository to be used as a shared Identity repository / Identity publishing
point, and an authentication point for apps that need to do an LDAP Auth. I
realise AD could do a lot of this, but being able to extend the schema and
manage it separately from the NOS directory makes life a whole lot easier.
Windows Binds are not what I am really after here - just the proxy
authentication. I tend to approach password synch as a sometimes "necessary
evil" and if it can be avoided it saves a lot of problems.

Just to save asking lots of questions, can you let me know how to get to the
archives for the list? The search only goes against the current page, which
is only a few days old at best, and I prefer not to page manually through
over a hundred pages of posts. I configured a news reader to see if I could
pull all the messages down, but could only get 300.

thanks,
Craig Gilmour

Joe Kaplan (MVP - ADSI)

Mar 16, 2006, 9:35:20 PM3/16/06
Google indexes all the newsgroups (via the Groups tab). That's what we all
use. :)

You can add a special syntax to your search like
group:microsoft.public.windows.server.active_directory to scope the search
more narrowly and you can also use wildcards with that syntax.

Joe K.

"Craig Gilmour" <CraigG...@discussions.microsoft.com> wrote in message

news:81F2C273-1240-4F8A...@microsoft.com...

Joe Richards [MVP]

Mar 18, 2006, 6:38:54 PM3/18/06
I would just want to add that if you have added the Windows user to a group, an
FSP will be created which will represent the Windows user in the directory, and
you will then be able to use pass-through auth.

Generally I recommend using passthrough unless the app can't do the auth needed.
Then fall back to bindproxy. I agree that password maintenance in two places is
a pain and a great source of problems.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
