Re: Mixing authentication type flags & By design Bug from MS ?
From: SLY (I_dont_need_your_Sp_at_mdot.com)
Date: 10/22/04
- Next message: Nicole Calinoiu: "Re: What does the "Application Domain Policy Level" mean?"
- Previous message: Nicole Calinoiu: "Re: Remoting from a control hosted in IE"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Mixing authentication type flags & By design Bug from MS ?"
- Next in thread: SLY: "Re: Mixing authentication type flags & By design Bug from MS ?"
- Reply: SLY: "Re: Mixing authentication type flags & By design Bug from MS ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 22 Oct 2004 12:06:38 -0400
Joe, here's more code to look at!!! =)
// Namespaces needed by the code below (ActiveDs is the ADSI COM interop
// assembly that provides IADsSecurityDescriptor, IADsAccessControlList and the ADS_* enums).
using System;
using System.Collections;
using System.DirectoryServices;
using ActiveDs;

public static DirectoryEntry SecureConnectDC(string adsPath, string usr,
                                             string pwd)
{
    AuthenticationTypes AuthTypes; // Authentication flags

    // These flags work, but when it's time to set or change the password of a
    // newly created user they use the logged-on user's credentials if that
    // user is in the Administrators group.
    //AuthTypes = AuthenticationTypes.Signing | AuthenticationTypes.Sealing |
    //            AuthenticationTypes.Secure;

    // this flag works
    // AuthTypes = AuthenticationTypes.SecureSocketsLayer;

    // this flag works as well
    AuthTypes = AuthenticationTypes.Secure;

    // adsPath, usr, pwd arguments are replaced for this example purpose
    DirectoryEntry root = new DirectoryEntry(
        "LDAP://server-dc.2k3domain-dev.ca/OU=IDUL,OU=ACCOUNTS,DC=2k3domain-dev,DC=ca",
        "AccountManager", "SecretSecret", AuthTypes);
    return (root);
}
==============================================
// We got the DirectoryEntry (root) now we use it to create a user
// root is the parameter that is important for now.
string code = Creer(root, idul, noDossier, prenom, nom);
==============================================
public static string Creer(DirectoryEntry root, string idul, string noDossier,
                           string prenom, string nom)
{
    try
    {
        // Create the user object under root and commit it, so the object
        // exists before the password and the security descriptor are set.
        DirectoryEntry user = root.Children.Add("cn=" + idul, "user");
        user.Properties["sAMAccountName"].Add(idul);
        user.CommitChanges();

        user.Properties["givenName"].Add(prenom);
        user.Properties["sn"].Add(nom);
        user.Properties["displayName"].Add(prenom + " " + nom);
        user.Properties["employeeID"].Add(noDossier);
        // Ldap.Domain() is a helper from our own project (not shown here).
        user.Properties["userPrincipalName"].Add(idul + "@" + Ldap.Domain());

        // Ah ha! Here's the one that doesn't like Signing and Sealing flags.
        // General.Texte.Decode() is our own helper (not shown) that turns the
        // stored string into the initial clear-text password.
        user.Invoke("SetPassword",
                    new object[] { General.Texte.Decode("3Rt5iwS992Lqw1pK87=") });

        // Force a password change at next logon, then enable the account.
        user.Properties["pwdLastSet"].Value = 0;
        int val = (int) user.Properties["userAccountControl"].Value;
        user.Properties["userAccountControl"].Value =
            val & (int) ~ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE;

        // Rebuild the DACL: copy the current list, empty the copy, then add a
        // deny ACE for SELF and EVERYONE on the control-access right identified
        // by PASSWORD_GUID (a constant defined elsewhere in our code).
        IADsSecurityDescriptor sd =
            (IADsSecurityDescriptor) user.Properties["ntSecurityDescriptor"].Value;
        IADsAccessControlList acl = (IADsAccessControlList) sd.DiscretionaryAcl;
        IADsAccessControlList new_acl = (IADsAccessControlList) acl.CopyAccessList();
        foreach (AccessControlEntry ace in (IEnumerable) new_acl)
        {
            new_acl.RemoveAce(ace);
        }

        string[] trustees = new string[] { @"NT AUTHORITY\SELF", "EVERYONE" };
        foreach (string trustee in trustees)
        {
            IADsAccessControlEntry ace = new AccessControlEntryClass();
            ace.Trustee    = trustee;
            ace.AceFlags   = 0;
            ace.AceType    = (int) ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
            ace.Flags      = (int) ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
            ace.ObjectType = PASSWORD_GUID;
            ace.AccessMask = (int) ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
            new_acl.AddAce(ace);
        }
        sd.DiscretionaryAcl = new_acl;
        user.Properties["ntSecurityDescriptor"].Value = sd;
        user.CommitChanges();
    }
    catch (LdapException)
    {
        // ... lots of skipped code
    }
    return "00000000 Idul.Creer: création " + idul + " réussi";
}
Hope it is enough!
Have a great weekend Joe!
Take care of the ones you love!
Sly
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:OqmDSVEuEHA.2608@TK2MSFTNGP10.phx.gbl...
> Sorry, but I'm still a little confused. Can you show some specific
> examples for what you are using for adsPath, user and flags? I don't need
> real values, but I'd like to see your binding strings and username
> formats.
>
> I'm not sure if this is relevant due to me being confused, but remember
> that in general, you need to have the "Force change password" permission
> to call SetPassword and the "change password" permission to call
> ChangePassword. Normally, a user has the rights to call ChangePassword on
> his own object and can't call SetPassword. Typically, domain admins and
> account operators have the rights to call SetPassword on other objects,
> although that right can be delegated.
>
> I'm glad SetPassword and ChangePassword at least work for you. Normally,
> that is the thing people can't get to work.
>
> Also, the SSL bind will encrypt all the traffic, so that is a viable
> option if you can't get Kerberos signing/sealing to work. One other
> thing--what OS is the S.DS coding executing under?
>
> Thanks!
>
> Joe K.
>
> "SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
> news:uprMVCDuEHA.2000@TK2MSFTNGP14.phx.gbl...
>> Hey Joe !! ;)
>>
>> The job gets done with either one ...
>> Our problem is that when I try to use AuthenticationTypes.Secure
>> with any other flags, the SetPassword or ChangePassword is done
>> by DOMAIN\Administrator instead of the user we specify as
>> parameters ... (usr in this case)
>>
>> DirectoryEntry root = new DirectoryEntry("LDAP://" + adsPath, usr, pwd,
>> AuthTypes);
>>
>> In fact, Domain\Administrator is the logged user. If I log as a user
>> NOT in DomainAdministrators, neither SetPassword
>> nor ChangePassword work.
>>
>> I wanted to use Signing and Sealing because of sensitive data.
>> Secure only won't encrypt data, just authentication ... Right?
>>
>> Cheers,
>>
>> Sly
>>
>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> wrote in message news:ugSgyg7tEHA.1292@TK2MSFTNGP10.phx.gbl...
>>>I think I follow what you are saying. Is the issue with SetPassword and
>>>ChangePassword not working or are your secure binds to AD failing?
>>>
>>> The thing to know about SetPassword is that it tries to use an SSL/LDAP
>>> call under the hood as its first approach, then fails to a Kerberos
>>> call, then fails to NetUserSetInfo. ChangePassword does the same except
>>> that it doesn't use Kerberos and skips right to NetUserChangePassword.
>>>
>>> Generally, people have the best luck using SSL for managing passwords in
>>> my experience, especially in .NET apps and ASP.NET in particular.
>>>
>>> There is a trick you can do to set the password directly using a secure,
>>> encrypted (Windows, not SSL) bind and updating unicodePwd directly, but
>>> I haven't figured out how to get this to work with ChangePassword as
>>> ADSI doesn't seem to be able to create the correct LDAP mod structure.
>>>
>>> BTW, if you want to know for sure you got a Kerberos bind to AD and not
>>> NTLM, add the Delegation flag to your AuthenticationTypes.
>>>
>>> HTH,
>>>
>>> Joe K.
>>>
>>> "SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
>>> news:eFcP9o6tEHA.3984@TK2MSFTNGP09.phx.gbl...
>>>> Good day Ladies, Gentlemen,
>>>>
>>>> Help needed or confirmation that it's a designed "feature" !
>>>>
>>>> We have a strange situation here.
>>>>
>>>> We once were using AuthenticationTypes.SecureSocketsLayer as in :
>>>> __________________________
>>>> public static DirectoryEntry SecureConnectDC(string adsPath, string
>>>>                                              usr, string pwd)
>>>> {
>>>>     DirectoryEntry root = new DirectoryEntry(Ldap.getDC() + adsPath, usr,
>>>>                                              pwd, AuthenticationTypes.SecureSocketsLayer);
>>>>     return (root);
>>>> }
>>>>
>>>> But we would like to move up (!) to Kerberos Authentication ->
>>>> AuthenticationTypes.Secure.
>>>> -----------------------------------
>>>>
>>>> As described in MSDN Libraries :
>>>>
>>>> "The Secure flag can be used in combination with other flags such as
>>>> ReadonlyServer, FastBind, and so on."
>>>>
>>>> So I tried using this code :
>>>> __________________________
>>>> public static DirectoryEntry SecureConnectDC(string adsPath, string
>>>>                                              usr, string pwd)
>>>> {
>>>>     DirectoryEntry root = new DirectoryEntry(Ldap.getDC() + adsPath, usr,
>>>>                                              pwd, AuthenticationTypes.Signing |
>>>>                                                   AuthenticationTypes.Secure |
>>>>                                                   AuthenticationTypes.Sealing);
>>>>     return (root);
>>>> }
>>>> -----------------------------------
>>>>
>>>> Which is not working for us.
>>>>
>>>> With AuthenticationTypes.Secure | AuthenticationTypes.Sealing | etc
>>>>
>>>> Account Management Event ID 627 with User = ADMINISTRATOR
>>>>
>>>> With only AuthenticationTypes.Secure :
>>>>
>>>> Account Management Event ID 627 with the correct user - the one that
>>>> we passed to our SecureConnectDC method
>>>> ____________________________
>>>> (more details: we synchronise our Oracle users with AD and we have
>>>> to create accounts or change passwords securely.)
>>>>
>>>> Simply put, with the Secure flag only it works, but in combination with any
>>>> other flag the SetPassword or ChangePassword method gets
>>>> Domain/Administrator credentials!
>>>>
>>>> Thank you for your time! Your precious time! So precious time.
>>>>
>>>> Sly
>>>> "I'm just a humble guy who's trying to save the world as we know it!"
>>>>
>>>
>>>
>>
>>
>
>
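Joe's earlier reply mentions writing unicodePwd directly over a secure, encrypted Windows bind instead of calling SetPassword, but the thread never shows it. The following is an added example written for this page, not code from SLY or Joe: it binds with the supplied service credentials using Secure | Signing | Sealing, creates the account, sets the initial password with a plain LDAP modify of unicodePwd (so the operation is carried by the bound credentials rather than by whatever ADSI falls back to), forces a change at next logon and enables the account. The server name, OU path, account names and the upnDomain parameter are placeholders, and Ldap.Domain() from the posts is replaced by that parameter.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class SealedPasswordSet
{
    // Kerberos bind that is also signed and sealed. AD only accepts a write to
    // unicodePwd over an encrypted channel (SSL/TLS or a sealed bind), so the
    // password never crosses the wire in the clear.
    public static DirectoryEntry BindSealed(string ldapPath, string user, string password)
    {
        AuthenticationTypes flags = AuthenticationTypes.Secure
                                  | AuthenticationTypes.Signing
                                  | AuthenticationTypes.Sealing;
        return new DirectoryEntry(ldapPath, user, password, flags);
    }

    // AD expects unicodePwd as the UTF-16LE bytes of the password wrapped in
    // double quotes.
    public static byte[] EncodeUnicodePwd(string clearText)
    {
        return Encoding.Unicode.GetBytes("\"" + clearText + "\"");
    }

    // Create the account under the bound OU entry, set its password with a
    // direct unicodePwd modify (no ADSI SetPassword, so no fallback to
    // NetUserSetInfo under the process token), require a change at next logon
    // and finally enable it. Order matters: AD refuses to enable an account
    // whose password does not yet satisfy policy.
    public static DirectoryEntry CreateUser(DirectoryEntry ou, string samAccountName,
                                            string upnDomain, string initialPassword)
    {
        const int ADS_UF_ACCOUNTDISABLE = 0x0002;

        DirectoryEntry user = ou.Children.Add("CN=" + samAccountName, "user");
        user.Properties["sAMAccountName"].Value = samAccountName;
        user.Properties["userPrincipalName"].Value = samAccountName + "@" + upnDomain;
        user.CommitChanges();   // object now exists, disabled and without a password

        user.Properties["unicodePwd"].Value = EncodeUnicodePwd(initialPassword);
        user.CommitChanges();

        user.Properties["pwdLastSet"].Value = 0;   // must change password at next logon
        user.CommitChanges();

        // Re-read the server-assigned userAccountControl before clearing the
        // disabled bit, so no other flag set by the DC is lost.
        user.RefreshCache(new string[] { "userAccountControl" });
        int uac = (int) user.Properties["userAccountControl"].Value;
        user.Properties["userAccountControl"].Value = uac & ~ADS_UF_ACCOUNTDISABLE;
        user.CommitChanges();
        return user;
    }

    // Placeholder values only; replace them with real ones when running.
    public static void Main()
    {
        DirectoryEntry ou = BindSealed(
            "LDAP://dc01.example.local/OU=Accounts,DC=example,DC=local",
            "svc-account-manager", "<service account password>");
        DirectoryEntry user = CreateUser(ou, "jdoe", "example.local", "<initial password>");
        Console.WriteLine("Created " + user.Path);
    }
}
```

A useful check after running this is the same one SLY used: the Account Management event logged for the creation and password set should name the bound service account, not the interactively logged-on user, which confirms the write went through the sealed bind rather than through a fallback API.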