R: Active Directory password external use

From: Sebastian Zdrojewski (sebastian.zdrojewski_at_technomind.it)
Date: 09/01/05

  • Next message: Brady McClenon: "RE: Group Policy: multiple password policies in the same domain?"
    Date: Thu, 1 Sep 2005 09:29:29 +0200
    To: "Rodrigo Blanco" <rodrigo.blanco.r@gmail.com>
    
    
    

    Hi,

    So far I have had some applications I wanted to make work with AD
    authentication to simplify users' day-to-day work. Actually my issues were
    with Linux-based systems and web applications (not running on IIS) that
    needed to authenticate users against the AD domain. If you consider that there
    are many programs supporting Active Directory authentication, there are many
    more that support LDAP authentication methods. AD is an LDAPv3 tree. I have
    worked on a few helpers for internal use (such as for Squid and for web
    applications) that try to bind to the LDAP tree using the given
    credentials (passed via a web form or via an external call from programs).
    If the binding is successful, access is granted and the user can log in.
    No double user repositories, no need for replicating or capturing the
    passwords as they are changed on the domain. Furthermore, what happens if
    the user account is locked for security reasons? i.e. the account expires,
    the user is forced to change his password, the account is locked? You will need to
    synchronize such information as well.

    All this, as usual, IMHO.

    Best regards,

    Sebastian Zdrojewski
    Senior System & Network Administrator

    Tel: +39 02.62.610.317
    Mobile: +39 347.6079.096
    E-Mail: sebastian.zdrojewski@technomind.it

    TECHNOMIND S.p.A.
    Via Galileo Galilei, 7 - 20124 Milano
    Tel. +39 02.62.610.300 - Fax +39 02.62.610.333
    Web: http://www.technomind.it/

    ________________________________

    PRIVACY
    The information contained in this message is reserved and confidential.
    Its use is permitted exclusively to the addressee of the message, for the
    purposes indicated in the message itself. Should you not be the person to
    whom this message is addressed, we invite you to delete it from your system
    and to destroy any copies or printouts, kindly notifying us. Any improper
    use is contrary to the principles of Legislative Decree 196/03 and European
    legislation (Directive 2002/58/EC). Technomind S.p.A. operates in
    compliance with Legislative Decree 196/2003 and European legislation. For
    any information in this regard please contact our Company at the email
    address: privacy@technomind.it.
     
    The information contained in this message as well as the attached file(s) is
    confidential/privileged and is only intended for the person to whom it is
    addressed. If the reader of this message is not the intended recipient or
    the employee or agent responsible for delivering the message to the intended
    recipient, or you have received this communication in error, please be aware
    that any dissemination, distribution or duplication is strictly prohibited,
    and can be illegal. Please notify us immediately and delete all copies from
    your mailbox and other archives. For any further information please contact
    our Company at the following email address: privacy@technomind.it.
    ________________________________

     

    > -----Original Message-----
    > From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
    > Sent: Wednesday, 31 August 2005 08:27
    > To: focus-ms@securityfocus.com
    > Subject: Active Directory password external use
    >
    > Hello list,
    >
    > I am currently doing a project that requires using the Active
    > Directory users' passwords for purposes other than just
    > workstation logon or share access.
    >
    > What I would need to do is detect password change / reset
    > events on the domain, capture the new password and send it to
    > another application. This could be done with an agent or
    > daemon running on the DC machine.
    >
    > The question is, when a user's password is changed /
    > reset, is it possible to externally capture this event and
    > make use of the password before it is stored in a
    > non-reversible format inside the Active Directory?
    >
    > What security implications would this have, and what security
    > measures would you propose for such an agent?
    >
    > Thanks in advance for your help and best regards, Rodrigo.
    >

    
    


    • application/x-pkcs7-signature attachment: smime.p7s
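    The "bind with the user's own credentials" approach Sebastian describes, written out as an added example. This is not his Squid or web helper code and nothing from the list; it is a stand-alone illustration that assumes the ldap3 Python library for the real bind, a hypothetical UPN suffix such as corp.example, and a constructed in-memory stand-in for a domain controller so it can run offline. Two details matter for the security of such a helper: a bind with a name and an empty password is an "unauthenticated bind" that AD accepts by default as an anonymous session, so it must be refused before the directory is contacted; and the AD diagnostic message on a failed bind carries a "data NNN" subcode that tells the application whether the account is locked, disabled, expired or must change its password, which is exactly the state a copied-password scheme would otherwise have to synchronise by hand.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# When a simple bind against Active Directory fails, the DC puts the reason in the
# LDAP diagnostic message; the format is AD's, the string itself is a constructed sample:
#   "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v1db1"
# The hex value after "data" separates a wrong password from a locked, disabled or
# expired account, so the bind itself reports the account state to the application.
AD_BIND_SUBCODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_SUBCODE_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
GENERIC_FAILURE = "Login failed."  # shown to the user; the precise reason goes to the log only


def classify_ad_bind_error(diagnostic: str) -> str:
    """Map an AD bind diagnostic message to a readable reason for the security log."""
    m = _SUBCODE_RE.search(diagnostic or "")
    if not m:
        return "bind failed (no AD subcode in diagnostic message)"
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, f"unknown AD subcode {code}")


@dataclass
class AuthResult:
    granted: bool
    reason: str        # detailed reason, for the application's security log
    user_message: str  # generic text for the user, so the login form does not leak account state


# A bind function takes (bind identity, password) and returns (bound?, diagnostic message).
BindFn = Callable[[str, str], Tuple[bool, str]]


def authenticate(username: str, password: str, bind: BindFn, upn_suffix: str) -> AuthResult:
    """Grant access only if the user's own credentials bind to the directory."""
    # A bind with a name and an EMPTY password is an "unauthenticated bind"
    # (RFC 4513 section 5.1.2); AD accepts it by default as an anonymous session,
    # so an empty password must be rejected before the directory is contacted.
    if not password:
        return AuthResult(False, "empty password rejected before bind", GENERIC_FAILURE)
    # Only accept a plain account name, so the caller cannot supply a different
    # UPN suffix, a DOMAIN\user form or a full DN as the bind identity.
    if not _USERNAME_RE.match(username or ""):
        return AuthResult(False, "malformed username rejected before bind", GENERIC_FAILURE)
    bound, diagnostic = bind(f"{username}@{upn_suffix}", password)
    if bound:
        return AuthResult(True, "bind succeeded", "")
    return AuthResult(False, classify_ad_bind_error(diagnostic), GENERIC_FAILURE)


def ldap3_simple_bind(dc_host: str) -> BindFn:
    """BindFn doing a simple bind over LDAPS with the ldap3 library (assumed installed).

    LDAPS (or StartTLS) is required: a simple bind sends the password in clear text.
    """
    def bind(identity: str, password: str) -> Tuple[bool, str]:
        import ldap3  # imported here so the rest of the module works without ldap3
        server = ldap3.Server(dc_host, port=636, use_ssl=True, get_info=ldap3.NONE)
        conn = ldap3.Connection(server, user=identity, password=password,
                                authentication=ldap3.SIMPLE, raise_exceptions=False)
        try:
            ok = conn.bind()
            return ok, (str(conn.result.get("message", "")) if conn.result else "")
        finally:
            conn.unbind()
    return bind


def fake_ad_bind(directory: Dict[str, Tuple[str, Optional[str]]]) -> BindFn:
    """Constructed stand-in for a DC so the example runs offline.

    directory maps a UPN to (password, AD subcode or None). As with AD, a wrong
    password is reported as 52e regardless of account state; the state subcode
    only appears once the password is right.
    """
    def bind(identity: str, password: str) -> Tuple[bool, str]:
        entry = directory.get(identity)
        if entry is None:
            return False, "AcceptSecurityContext error, data 525, v1db1"
        real_password, state_code = entry
        if password != real_password:
            return False, "AcceptSecurityContext error, data 52e, v1db1"
        if state_code:
            return False, f"AcceptSecurityContext error, data {state_code}, v1db1"
        return True, ""
    return bind


if __name__ == "__main__":
    # Constructed sample directory for the demo run.
    demo = fake_ad_bind({
        "alice@corp.example": ("correct horse battery", None),
        "bob@corp.example": ("s3cret", "775"),  # locked out
    })
    for user, pw in [("alice", "correct horse battery"), ("bob", "s3cret"), ("bob", "wrong"), ("alice", "")]:
        r = authenticate(user, pw, demo, "corp.example")
        print(f"{user!r}: granted={r.granted} log_reason={r.reason!r} shown={r.user_message!r}")
```

    For a real domain, `authenticate(name, pw, ldap3_simple_bind("dc.corp.example"), "corp.example")` replaces the fake; the application logs `reason` and shows only `user_message`, so a lockout or a wrong password look the same to whoever is typing at the form.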
