LDAP Simple Bind with trusted domain user credentials
On Friday, December 05, 2008 12:32 AM
Cameron Murray wrote:
Two forests with two-way trusts, Forest1 is at Server 2008 level, Forest2 is
at Server 2003 level.
We are trying to support an LDAP client that only allows for a simple bind
against Active Directory. It is used to look up contacts/emails. All of the
contacts reside in Forest1. Users reside in Forest2. We are trying to perform
a simple bind to a DC in Forest2 using either the UPN or sAMAccountName of a
user in Forest1. All simple bind attempts fail with a "username not found"
message.
I have replicated this problem in ADSI editor on a DC in Forest1. When
attempting to perform a simple bind to the DC using credentials from Forest2,
the connection fails. Attempting a normal bind succeeds and the directory is
visible to the end user.
Is this by design? Is it possible to enable simple bind using trusted
credentials?
On Friday, December 05, 2008 1:30 AM
Rajesh J S wrote:
This link may help you to do this:
http://www.ietf.org/rfc/rfc2829.txt
Rajesh J S
MCSA, MCP
On Friday, December 05, 2008 1:41 AM
Cameron Murray wrote:
Thank you.
I had a brief read through this and I understand the two methods of
authentication taking place here.
The simple bind (non-TLS) fails with plain text using credentials from a
trust, but not with credentials from the same forest.
A SASL bind works with either credentials (trust or local).
I don't think this is an LDAP standard issue here, but more something in
regard to the specific AD implementation of authentication to a directory,
but I can't honestly think why.
Any thoughts?
On Friday, December 05, 2008 4:03 AM
Rajesh J S wrote:
Yep, you are right.
Let me dig into it...
After that I will get back to you.
Rajesh J S
MCSA, MCP
On Friday, December 05, 2008 4:57 AM
Lee Flight wrote:
Hi
I think LDAP simple bind is really only forest-local; see e.g. the Remarks
section of the w32ldap API documentation [1]. I guess the limitation is not
the client API as such but the server-side handling of the bind type.
If you are in the position of needing to support a simple LDAP bind
cross-forest, you might consider using a front-end proxy directory or attempt
to build your own using AD LDS with userProxy objects, but that could be a
substantial undertaking.
Lee Flight
[1] http://msdn.microsoft.com/en-us/library/aa366994(VS.85).aspx
On Friday, December 05, 2008 10:53 AM
Michael Ströder wrote:
I vaguely remember that I also tried to use a simple bind to another
trusted domain and that didn't work.
How about trying with LDAP SASL/GSSAPI bind (Kerberos V)?
Never tried it myself though.
Ciao, Michael.
On Friday, December 05, 2008 11:07 AM
Lee Flight wrote:
"Michael Ströder" <mic...@stroeder.com> wrote in message
news:jcvn06-...@nb2.stroeder.com...
> I vaguely remember that I also tried to use a simple bind to another
> trusted domain and that didn't work.
I thought it was OK if using the UPN for the user.
> How about trying with LDAP SASL/GSSAPI bind (Kerberos V)?
> Never tried it myself though.
The issue often is that the (supplied) application is fixed as LDAP simple
bind.
cheers
Lee Flight
On Friday, December 05, 2008 11:16 AM
Michael Ströder wrote:
I don't know and I can't test.
Note that using the UPN (not a DN) in the simple bind request is not
LDAPv3 compliant. So there could be some issues with the client system
when trying that.
Ciao, Michael.
On Friday, December 05, 2008 2:08 PM
Joe Kaplan wrote:
As I recall, LDAP simple bind is not supported across forests whether using
UPN as username or not. I thought I got this info directly from an MS
employee who would know, but I can't remember for sure. Would you like to
try to find out again? :)
BTW Michael, I'm working on your DIGEST auth/encoding issue.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Michael Ströder" <mic...@stroeder.com> wrote in message
news:gn0o06-...@nb2.stroeder.com...
On Saturday, December 06, 2008 8:04 AM
Michael Ströder wrote:
I vaguely remember that I also asked this here more than two years ago and
your answer was the same. :-)
> BTW Michael, I'm working on your DIGEST auth/encoding issue.
Thanks a lot. I'd be curious to know whether there will be a fix or
whether they leave it as is.
Ciao, Michael.
David Thomas wrote:
The solution is quite weird.
When performing a simple bind, you only provide two values:
- UserName
- Password
You can provide the UserName value in four different formats:
- UserID
- Domain\UserID
- Distinguished Name
- User Principal Name
When you log on with just the UserID, as is discussed in this thread, then the value must match the DisplayName attribute of the user account, NOT the CN or sAMAccountName. An account can only authenticate with just a UserID in a simple bind if the DisplayName is the same as your UserID.
If you log on with Domain\UserID, then the domain is the NetBIOS name of the domain and the UserID is the sAMAccountName of the account.
If you log on with the Distinguished Name, then it uses the distinguished name of the account.
And! If you log on with the User Principal Name of the account, then it uses that attribute of the account.
An interesting test you can try is to pick an account and change its DisplayName to a unique value in your domain, such as TestAccount; make sure it doesn't match the CN or sAMAccountName of the account. Then perform a simple bind and provide TestAccount as the Logon ID and you will bind correctly. It is a very weird implementation of a simple bind and there is no documentation out there describing this behavior that I have found.
I hope this helps future people having problems with this.
Cheers,
David Thomas
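To make the point above concrete: on the wire, the bind "name" is just an OCTET STRING that the client fills with whichever of the four forms it has (DN, UPN, Domain\UserID or bare UserID), and the server decides what to match it against. The following is an added example, not code from the thread: it encodes and decodes an RFC 4511 simple BindRequest with constructed names and passwords, and shows that the password is readable in the encoded message, which is why a simple bind belongs only on a TLS-protected connection.

```python
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511, BER).
Added example, not code from the thread; names and values are constructed."""

def _ber_len(n: int) -> bytes:
    # Definite length: one byte below 128, else 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(n: int) -> bytes:  # non-negative INTEGER content, leading 0x00 if high bit set
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }.
    The name is an OCTET STRING: AD accepts a DN, UPN, DOMAIN\\user or bare ID here."""
    bind = (_tlv(0x02, _int(3))                       # version INTEGER 3
            + _tlv(0x04, name.encode("utf-8"))        # name LDAPDN
            + _tlv(0x80, password.encode("utf-8")))   # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x60, bind))

def parse_simple_bind(msg: bytes):
    """Return (message_id, name, password) for a simple BindRequest, else None.
    On a non-TLS connection this is exactly what a network observer recovers."""
    tag, body, _ = _read_tlv(msg, 0)
    _, mid, pos = _read_tlv(body, 0)
    optag, op, _ = _read_tlv(body, pos)
    if (tag, optag) != (0x30, 0x60):      # not an LDAPMessage carrying a BindRequest
        return None
    _, _, pos = _read_tlv(op, 0)          # version
    _, name, pos = _read_tlv(op, pos)
    ctag, cred, _ = _read_tlv(op, pos)
    if ctag != 0x80:                      # sasl [3]: no clear-text password field
        return None
    return int.from_bytes(mid, "big"), name.decode("utf-8"), cred.decode("utf-8")
```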