Re: Mixing authentication type flags & By design Bug from MS ?

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/22/04


Date: Fri, 22 Oct 2004 09:42:12 -0500

Sorry, but I'm still a little confused. Can you show some specific examples
for what you are using for adsPath, user and flags? I don't need real
values, but I'd like to see your binding strings and username formats.

I'm not sure if this is relevant due to me being confused, but remember that
in general, you need to have the "Force change password" permission to call
SetPassword and the "change password" permission to call ChangePassword.
Normally, a user has the rights to call ChangePassword on his own object and
can't call SetPassword. Typically, domain admins and account operators have
the rights to call SetPassword on other objects, although that right can be
delegated.

I'm glad SetPassword and ChangePassword at least work for you. Normally,
that is the thing people can't get to work.

Also, the SSL bind will encrypt all the traffic, so that is a viable option
if you can't get Kerberos signing/sealing to work. One other thing--what OS
is the S.DS coding executing under?

Thanks!

Joe K.

"SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
news:uprMVCDuEHA.2000@TK2MSFTNGP14.phx.gbl...
> Hey Joe !! ;)
>
> The job gets done with either one ...
> Our problem is that when I try to use AuthenticationTypes.Secure
> with any other flags, the SetPassword or ChangePassword is done
> by DOMAIN\Administrator instead of the user we specify as
> parameters ... (usr in this case)
>
> DirectoryEntry root = new DirectoryEntry("LDAP://" + adsPath, usr, pwd,
> AuthTypes);
>
> In fact, Domain\Administrator is the logged user. If I log as a user
> NOT in DomainAdministrators, neither SetPassword
> nor ChangePassword work.
>
> I wanted to use Signing and Sealing because of sensitive data.
> Secure only won't encrypt data, just authentication ... Right?
>
> Cheers,
>
> Sly
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:ugSgyg7tEHA.1292@TK2MSFTNGP10.phx.gbl...
>> I think I follow what you are saying. Is the issue with SetPassword and
>>ChangePassword not working or are your secure binds to AD failing?
>>
>> The thing to know about SetPassword is that it tries to use an SSL/LDAP
>> call under the hood as its first approach, then fails to a Kerberos call,
>> then fails to NetUserSetInfo. ChangePassword does the same except that
>> it doesn't use Kerberos and skips right to NetUserChangePassword.
>>
>> Generally, people have the best luck using SSL for managing passwords in
>> my experience, especially in .NET apps and ASP.NET in particular.
>>
>> There is a trick you can do to set the password directly using a secure,
>> encrypted (Windows, not SSL) bind and updating unicodePwd directly, but I
>> haven't figured out how to get this to work with ChangePassword as ADSI
>> doesn't seem to be able to create the correct LDAP mod structure.
>>
>> BTW, if you want to know for sure you got a Kerberos bind to AD and not
>> NTLM, add the Delegation flag to your AuthenticationTypes.
>>
>> HTH,
>>
>> Joe K.
>>
>> "SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
>> news:eFcP9o6tEHA.3984@TK2MSFTNGP09.phx.gbl...
>>> Good day Ladies, Gentlemen,
>>>
>>> Help needed or confirmation that it's a designed "feature" !
>>>
>>> We have a strange situation here.
>>>
>>> We once were using AuthenticationTypes.SecureSocketsLayer as in :
>>> __________________________
>>> public static DirectoryEntry SecureConnectDC(string adsPath, string usr,
>>> string pwd)
>>> {
>>>     // SSL bind on the DC returned by our Ldap helper
>>>     DirectoryEntry root = new DirectoryEntry(Ldap.getDC() + adsPath, usr,
>>>         pwd, AuthenticationTypes.SecureSocketsLayer);
>>>     return (root);
>>> }
>>> -----------------------------------
>>>
>>> But we would like to move up (!) to Kerberos Authentication ->
>>> AuthenticationTypes.Secure.
>>>
>>> As described in the MSDN Library :
>>>
>>> "The Secure flag can be used in combination with other flags such as
>>> ReadonlyServer, FastBind, and so on."
>>>
>>> So I tried using this code :
>>> __________________________
>>> public static DirectoryEntry SecureConnectDC(string adsPath, string usr,
>>> string pwd)
>>> {
>>>     // Kerberos bind with signing and sealing requested on the session
>>>     DirectoryEntry root = new DirectoryEntry(Ldap.getDC() + adsPath, usr,
>>>         pwd, AuthenticationTypes.Signing | AuthenticationTypes.Secure |
>>>         AuthenticationTypes.Sealing);
>>>     return (root);
>>> }
>>> -----------------------------------
>>>
>>> Which is not working for us.
>>>
>>> With AuthenticationTypes.Secure | AuthenticationTypes.Sealing | etc :
>>>
>>> Account Management Event ID 627 with User = ADMINISTRATOR
>>>
>>> With only AuthenticationTypes.Secure :
>>>
>>> Account Management Event ID 627 with the correct user - the one that we
>>> passed to our SecureConnectDC method
>>> ____________________________
>>> (More detail: we synchronise our Oracle users with AD and we have to
>>> create accounts or change passwords securely.)
>>>
>>> Simply put, with the Secure flag only it works, but in combination with any
>>> other flag the SetPassword or ChangePassword method gets
>>> Domain/Administrator credentials!
>>>
>>> Thank you for your time! Your precious time! So precious time.
>>>
>>> Sly
>>> "I'm just a humble guy who's trying to save the world as we know it!"
>>>
>>
>>
>
>
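The two binding styles discussed in the thread (Kerberos with Signing | Sealing, and SSL on 636) and the two password calls, gathered into one helper as an added example that is not code from any of the posters. The host, DN and account strings are placeholders, and the COM error unwrapping is an assumption about what a caller would want; which identity actually performed the operation is confirmed from the caller fields of the Account Management audit events mentioned above.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

// Constructed example (not the posters' code); host, DN and account strings are placeholders.
static class AdPasswordOps
{
    // Secure gives Kerberos/NTLM authentication; Signing | Sealing request integrity and
    // confidentiality on the LDAP session itself, which is what password traffic needs.
    public static DirectoryEntry BindKerberos(string dcHost, string dn, string user, string pwd)
    {
        return new DirectoryEntry("LDAP://" + dcHost + "/" + dn, user, pwd,
            AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing);
    }

    // SSL bind on 636: the channel is encrypted end to end, so no signing/sealing flags are needed.
    public static DirectoryEntry BindSsl(string dcHost, string dn, string user, string pwd)
    {
        return new DirectoryEntry("LDAP://" + dcHost + ":636/" + dn, user, pwd,
            AuthenticationTypes.SecureSocketsLayer);
    }

    // ChangePassword needs the old password; a user normally holds this right on his own object.
    public static void ChangeOwnPassword(DirectoryEntry userEntry, string oldPwd, string newPwd)
    {
        InvokeAdsi(userEntry, "ChangePassword", oldPwd, newPwd);
    }

    // SetPassword is an administrative reset and needs the "Force change password" right.
    public static void ResetPassword(DirectoryEntry userEntry, string newPwd)
    {
        InvokeAdsi(userEntry, "SetPassword", newPwd);
    }

    // IADsUser methods run immediately through Invoke; no CommitChanges is involved.
    static void InvokeAdsi(DirectoryEntry entry, string method, params object[] args)
    {
        try
        {
            entry.Invoke(method, args);
        }
        catch (TargetInvocationException ex)
        {
            // Surface the underlying COM HRESULT (e.g. access denied) instead of the reflection wrapper.
            COMException com = ex.InnerException as COMException;
            if (com == null) throw;
            throw new InvalidOperationException(method + " failed, HRESULT 0x"
                + com.ErrorCode.ToString("X8"), com);
        }
    }
}
```

Call ChangeOwnPassword on an entry bound as the user whose password changes, and ResetPassword on an entry bound as an account holding the reset right; the audit event's caller field should then show that bound account rather than the process's logged-on user.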


