Re: DirectoryEntry Impersonate or WindowsIdentity Impersonate?
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/31/04
- Next message: Ken Schaefer: "Re: Question about windows integrated security"
- Previous message: Hernan de Lahitte: "Re: Illegal to mix Authentication methods ?"
- In reply to: Bill Belliveau: "Re: DirectoryEntry Impersonate or WindowsIdentity Impersonate?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Jan 2004 22:19:26 -0600
It is something like that. If you bind with the LDAP provider and specify
credentials, the method for exchanging credentials with the server is
determined by the AuthenticationTypes flags you pass in. If you use
AuthenticationTypes.Secure, the negotiate protocol is used (Kerberos or
NTLM). Your credentials are not passed in plain text. If you don't specify
Secure, then they are passed in plain text unless you specify
SecureSocketsLayer, in which case SSL/TLS is used for all LDAP traffic
(assuming the server has a valid cert and SSL can be negotiated).
I'd suggest using AuthenticationTypes.Secure always when binding to AD and
passing credentials.
With ADAM, you may wish to configure SSL to make sure that you can protect
credentials. You can still use Secure binding with Windows accounts in ADAM
(through userProxy objects) since those are just passed on to AD. I'm not
yet quite sure how it works with ADAM users.
Joe K.
"Bill Belliveau" <anonymous@discussions.microsoft.com> wrote in message
news:10C8465F-B490-4C90-9834-45CE12F88CAC@microsoft.com...
> After kicking this around for a few days the only thing I'm wondering
> about is security. When calling DirectoryEntry(path, username, password)
> does it access resources in a secure context? I assume it probably does
> something like LogonUser, get a token and then accesses the directory.
> Although as I'm finding out with ADAM, when using a userProxy object user
> credentials are sent plain text.
>
> In any case, I think we've concluded that given the state of the project
> LogonUser is going to be more viable to implement at this point.
>
> Bill
>
> ----- Joe Kaplan (MVP - ADSI) wrote: -----
>
> This is an interesting question that I think can only be answered with
> testing. I'm not sure it makes any difference at all if you are using
> AuthenticationTypes.Secure, but it would be interesting to know.
>
> There are a few things to know though:
> The underlying ADSI layer will use a cached handle to the directory if an
> open object exists in memory with the server, credentials and flags.
> Therefore, if you are doing a lot of binds with the same credentials, it
> might make sense to try to hang on to a root object for that user until they
> are finished. This is detailed somewhat here:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/connection_caching.asp?frame=true
>
> On the other hand, if you are doing just a few binds for each user, I would
> be surprised if it makes any difference.
>
> My instinct is to use the user's credentials if you have them as I have
> found it to be much easier to debug problems in that situation because it
> eliminates a big variable. That is what I have done in many of my .NET AD
> apps.
>
> Joe K.
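The binding choices discussed in this thread, written out as an added C# example (this is not code from the thread or from Microsoft; server names, ports, naming contexts and account names are placeholders to replace with your own). It puts the weak call (no AuthenticationTypes flag, which gives an LDAP simple bind that sends the password in clear text over plain LDAP) beside the two corrected forms: AuthenticationTypes.Secure for Active Directory, which negotiates Kerberos or NTLM so the password itself never goes on the wire, and AuthenticationTypes.SecureSocketsLayer for the ADAM case where a simple bind has to be protected by SSL/TLS. It also shows holding one root DirectoryEntry per user and running searches from it, so the ADSI connection cache is reused instead of re-binding for every query.

```csharp
using System;
using System.DirectoryServices;

// Added example, not code from the thread. All names below are placeholders.
class LdapBindExamples
{
    const string AdServer   = "dc01.example.internal";        // placeholder domain controller
    const string AdamServer = "adam01.example.internal:50000"; // placeholder ADAM instance and port
    const string BaseDn     = "DC=example,DC=internal";       // placeholder naming context

    // WEAK: AuthenticationTypes.None means an LDAP simple bind on a plain LDAP
    // connection, so the password crosses the network in clear text.
    static DirectoryEntry BindPlainText(string user, string password)
    {
        return new DirectoryEntry("LDAP://" + AdServer + "/" + BaseDn,
                                  user, password, AuthenticationTypes.None);
    }

    // CORRECTED for AD: Secure makes ADSI negotiate Kerberos or NTLM, so only a
    // challenge/response (never the password) is sent. Sealing additionally
    // encrypts the LDAP payload after a Kerberos bind.
    static DirectoryEntry BindSecure(string user, string password)
    {
        return new DirectoryEntry("LDAP://" + AdServer + "/" + BaseDn,
                                  user, password,
                                  AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
    }

    // CORRECTED for a simple bind (the ADAM-user case in the thread): keep the
    // simple bind but wrap the whole LDAP session in SSL/TLS. The bind fails
    // unless the ADAM instance has a certificate the client trusts.
    static DirectoryEntry BindAdamOverSsl(string userDn, string password)
    {
        return new DirectoryEntry("LDAP://" + AdamServer + "/" + BaseDn,
                                  userDn, password,
                                  AuthenticationTypes.SecureSocketsLayer);
    }

    // DirectoryEntry binds lazily; reading a property forces the bind now so a
    // bad password or a failed TLS handshake surfaces here, not somewhere later.
    static string VerifyBind(DirectoryEntry entry)
    {
        entry.RefreshCache(new[] { "distinguishedName" });
        return (string)entry.Properties["distinguishedName"].Value;
    }

    // Reuse one bound root object for all of a user's searches. ADSI keys its
    // connection cache on server, credentials and flags, so searches rooted on
    // this entry share the existing connection instead of binding again.
    static int CountUsersStartingWith(DirectoryEntry root, string prefix)
    {
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Escape LDAP filter metacharacters in caller-supplied input.
            string safe = prefix.Replace("\\", "\\5c").Replace("*", "\\2a")
                                .Replace("(", "\\28").Replace(")", "\\29");
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + safe + "*))";
            searcher.PropertiesToLoad.Add("sAMAccountName");
            return searcher.FindAll().Count;
        }
    }

    static void Main()
    {
        // Placeholder credentials; in a real application these come from the caller.
        string user = "EXAMPLE\\someuser";
        string password = "placeholder-password";

        using (DirectoryEntry root = BindSecure(user, password))
        {
            Console.WriteLine("Bound as " + user + " to " + VerifyBind(root));
            Console.WriteLine("Matching users: " + CountUsersStartingWith(root, "j"));
        }
        // BindPlainText and BindAdamOverSsl are shown for comparison only;
        // the plain-text variant exists here to make the weak call recognisable.
    }
}
```

When AuthenticationTypes.Secure is used without an explicit username and password, ADSI binds as the process or impersonated Windows identity, which is the other half of the original question in this thread (DirectoryEntry with credentials versus an impersonated WindowsIdentity). Sealing is a Kerberos-only option and is ignored for an NTLM bind, so on a network where NTLM fallback is possible it is not a substitute for SSL when the directory data itself must be protected in transit.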