Re: Mixing authentication type flags & By design Bug from MS ?
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/27/04
- Next message: Nate A: "Re: general concerns regarding hacking of .NET assemblies"
- Previous message: SLY: "Re: Mixing authentication type flags & By design Bug from MS ?"
- In reply to: SLY: "Re: Mixing authentication type flags & By design Bug from MS ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Oct 2004 13:28:35 -0500
Sorry I haven't replied. I tried to spend some time duplicating this and
couldn't. I've not seen behavior where you specify credentials, but those
credentials aren't used.
Can you post the code that is behaving this way when using SSL bind to do
the password change?
Also, what is the server OS and what version of .NET are you running
(including SPs)?
Thanks!
Joe K.
"SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
news:Oo11wDFvEHA.1988@TK2MSFTNGP12.phx.gbl...
> Just to let you know that we went back to SSL since we haven't found any
> solution for this issue.
> We've been able to test that on many domains. Same problem: as soon as
> Invoke(SetPassword | ChangePassword) is called, the currently logged-on
> user's credentials are used to do the job.
> If it happened that the user is member of Domain Admin then the job gets
> done, if not an exception is thrown.
>
> For short, we were trying to use Signing and Sealing with the Secure flag.
>
>
>
> "SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
> news:%23z5UdEFuEHA.224@TK2MSFTNGP15.phx.gbl...
>> Joe, here's more code to look at!!! =)
>>
>> public static DirectoryEntry SecureConnectDC(string adsPath, string usr, string pwd)
>> {
>>     AuthenticationTypes AuthTypes; // Authentication flags
>>
>>     // these flags work, but use the logged-on user's credentials (if in the
>>     // Administrators group) when it's time to set or change the password of a
>>     // newly created user.
>>     //AuthTypes = AuthenticationTypes.Signing | AuthenticationTypes.Sealing | AuthenticationTypes.Secure;
>>
>>     // this flag works
>>     // AuthTypes = AuthenticationTypes.SecureSocketsLayer;
>>
>>     // this flag works as well
>>     AuthTypes = AuthenticationTypes.Secure;
>>
>>     // adsPath, usr, pwd arguments are replaced for this example's purpose
>>     DirectoryEntry root = new DirectoryEntry(
>>         "LDAP://server-dc.2k3domain-dev.ca/OU=IDUL,OU=ACCOUNTS,DC=2k3domain-dev,DC=ca",
>>         "AccountManager", "SecretSecret", AuthTypes);
>>
>>     return (root);
>> }
>>
>> ==============================================
>> // We got the DirectoryEntry (root) now we use it to create a user
>> // root is the parameter that is important for now.
>>
>> string code = Creer(root, idul, noDossier, prenom, nom);
>>
>> ==============================================
>>
>> public static string Creer(DirectoryEntry root, string idul, string noDossier, string prenom, string nom)
>> {
>>     try
>>     {
>>         DirectoryEntry user = root.Children.Add("cn=" + idul, "user");
>>         user.Properties["sAMAccountName"].Add(idul);
>>         user.CommitChanges();
>>
>>         user.Properties["givenName"].Add(prenom);
>>         user.Properties["sn"].Add(nom);
>>         user.Properties["displayName"].Add(prenom + " " + nom);
>>         user.Properties["employeeID"].Add(noDossier);
>>         user.Properties["userPrincipalName"].Add(idul + "@" + Ldap.Domain());
>>
>>         // Ah ha! Here's the one that doesn't like the Signing and Sealing flags
>>         user.Invoke("SetPassword", new object[]{General.Texte.Decode("3Rt5iwS992Lqw1pK87=")});
>>
>>         // force a password change at next logon
>>         user.Properties["pwdLastSet"].Value = 0;
>>
>>         // enable the account by clearing ACCOUNTDISABLE
>>         int val = (int) user.Properties["userAccountControl"].Value;
>>         user.Properties["userAccountControl"].Value = val & (int) ~ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE;
>>
>>         IADsSecurityDescriptor sd = (IADsSecurityDescriptor) user.Properties["ntSecurityDescriptor"].Value;
>>         IADsAccessControlList acl = (IADsAccessControlList) sd.DiscretionaryAcl;
>>         IADsAccessControlList new_acl = (IADsAccessControlList) acl.CopyAccessList();
>>
>>         foreach(AccessControlEntry ace in (IEnumerable) new_acl)
>>         {
>>             new_acl.RemoveAce(ace);
>>         }
>>
>>         // deny the PASSWORD_GUID control-access right to SELF and EVERYONE
>>         // (the "User cannot change password" pattern)
>>         string[] trustees = new string[]{@"NT AUTHORITY\SELF", "EVERYONE"};
>>
>>         foreach(string trustee in trustees)
>>         {
>>             IADsAccessControlEntry ace = new AccessControlEntryClass();
>>             ace.Trustee = trustee;
>>             ace.AceFlags = 0;
>>             ace.AceType = (int) ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT;
>>             ace.Flags = (int) ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
>>             ace.ObjectType = PASSWORD_GUID;
>>             ace.AccessMask = (int) ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
>>             new_acl.AddAce(ace);
>>         }
>>
>>         sd.DiscretionaryAcl = new_acl;
>>         user.Properties["ntSecurityDescriptor"].Value = sd;
>>
>>         user.CommitChanges();
>>     }
>>     catch(LdapException)
>>     {
>>         ... lots of skipped code
>>     }
>>
>>     return "00000000 Idul.Creer: création " + idul + " réussi";
>> }
>>
>> Hope it is enough!
>>
>> Have a great weekend Joe!
>> Take care of the ones you love!
>>
>> Sly
>>
>>
>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> wrote in message news:OqmDSVEuEHA.2608@TK2MSFTNGP10.phx.gbl...
>>
>>> Sorry, but I'm still a little confused. Can you show some specific
>>> examples for what you are using for adsPath, user and flags? I don't
>>> need real values, but I'd like to see your binding strings and username
>>> formats.
>>>
>>> I'm not sure if this is relevant due to me being confused, but remember
>>> that in general, you need to have the "Force change password" permission
>>> to call SetPassword and the "change password" permission to call
>>> ChangePassword. Normally, a user has the rights to call ChangePassword
>>> on his own object and can't call SetPassword. Typically, domain admins
>>> and account operators have the rights to call SetPassword on other
>>> objects, although that right can be delegated.
>>>
>>> I'm glad SetPassword and ChangePassword at least work for you.
>>> Normally, that is the thing people can't get to work.
>>>
>>> Also, the SSL bind will encrypt all the traffic, so that is a viable
>>> option if you can't get Kerberos signing/sealing to work. One other
>>> thing--what OS is the S.DS coding executing under?
>>>
>>> Thanks!
>>>
>>> Joe K.
>>>
>>> "SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
>>> news:uprMVCDuEHA.2000@TK2MSFTNGP14.phx.gbl...
>>>> Hey Joe !! ;)
>>>>
>>>> The job gets done with either one ...
>>>> Our problem is that when I try to use AuthenticationTypes.Secure
>>>> with any other flags, the SetPassword or ChangePassword is done
>>>> by DOMAIN\Administrator instead of the user we specify as
>>>> parameters ... (usr in this case)
>>>>
>>>> DirectoryEntry root = new DirectoryEntry("LDAP://" + adsPath, usr, pwd,
>>>> AuthTypes);
>>>>
>>>> In fact, Domain\Administrator is the logged user. If I log as a user
>>>> NOT in DomainAdministrators, neither SetPassword
>>>> nor ChangePassword work.
>>>>
>>>> I wanted to use Signing and Sealing because of sensitive data.
>>>> Secure only won't encrypt data, just authentication ... Right?
>>>>
>>>> Cheers,
>>>>
>>>> Sly
>>>>
>>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>>>> wrote in message news:ugSgyg7tEHA.1292@TK2MSFTNGP10.phx.gbl...
>>>>> I think I follow what you are saying. Is the issue with SetPassword
>>>>> and ChangePassword not working or are your secure binds to AD failing?
>>>>>
>>>>> The thing to know about SetPassword is that it tries to use an
>>>>> SSL/LDAP call under the hood as its first approach, then falls back to a
>>>>> Kerberos call, then falls back to NetUserSetInfo. ChangePassword does the
>>>>> same except that it doesn't use Kerberos and skips right to
>>>>> NetUserChangePassword.
>>>>>
>>>>> Generally, people have the best luck using SSL for managing passwords
>>>>> in my experience, especially in .NET apps and ASP.NET in particular.
>>>>>
>>>>> There is a trick you can do to set the password directly using a
>>>>> secure, encrypted (Windows, not SSL) bind and updating unicodePwd
>>>>> directly, but I haven't figured out how to get this to work with
>>>>> ChangePassword as ADSI doesn't seem to be able to create the correct
>>>>> LDAP mod structure.
>>>>>
>>>>> BTW, if you want to know for sure you got a Kerberos bind to AD and
>>>>> not NTLM, add the Delegation flag to your AuthenticationTypes.
>>>>>
>>>>> HTH,
>>>>>
>>>>> Joe K.
>>>>>
>>>>> "SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
>>>>> news:eFcP9o6tEHA.3984@TK2MSFTNGP09.phx.gbl...
>>>>>> Good day Ladies, Gentlemen,
>>>>>>
>>>>>> Help needed or confirmation that it's a designed "feature" !
>>>>>>
>>>>>> We have a strange situation here.
>>>>>>
>>>>>> We once were using AuthenticationTypes.SecureSocketsLayer as in :
>>>>>> __________________________
>>>>>> public static DirectoryEntry SecureConnectDC(string adsPath, string usr, string pwd)
>>>>>> {
>>>>>>     DirectoryEntry root = new DirectoryEntry(Ldap.getDC() + adsPath, usr, pwd,
>>>>>>         AuthenticationTypes.SecureSocketsLayer);
>>>>>>     return (root);
>>>>>> }
>>>>>> But we would like to move up (!) to Kerberos Authentication ->
>>>>>> AuthenticationTypes.Secure.
>>>>>> -----------------------------------
>>>>>>
>>>>>> As described in the MSDN Library:
>>>>>>
>>>>>> "The Secure flag can be used in combination with other flags such as
>>>>>> ReadonlyServer, FastBind, and so on."
>>>>>>
>>>>>> So I tried using this code :
>>>>>> __________________________
>>>>>> public static DirectoryEntry SecureConnectDC(string adsPath, string usr, string pwd)
>>>>>> {
>>>>>>     DirectoryEntry root = new DirectoryEntry(Ldap.getDC() + adsPath, usr, pwd,
>>>>>>         AuthenticationTypes.Signing | AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
>>>>>>     return (root);
>>>>>> }
>>>>>> -----------------------------------
>>>>>>
>>>>>> Which is not working for us.
>>>>>>
>>>>>> With AuthenticationTypes.Secure | AuthenticationTypes.Sealing | etc.:
>>>>>>
>>>>>> Account Management Event ID 627 with User = ADMINISTRATOR
>>>>>>
>>>>>> With only AuthenticationTypes.Secure:
>>>>>>
>>>>>> Account Management Event ID 627 with the correct user - the one that
>>>>>> we passed to our SecureConnectDC method
>>>>>> ____________________________
>>>>>> (More details: we synchronise our Oracle users with AD and we have
>>>>>> to create accounts or change passwords securely.)
>>>>>>
>>>>>> Simply put, with the Secure flag only it works, but in combination with
>>>>>> any other flag the SetPassword or ChangePassword method gets
>>>>>> Domain/Administrator credentials!
>>>>>>
>>>>>> Thank you for your time! Your precious time! So precious time.
>>>>>>
>>>>>> Sly
>>>>>> "I'm just a humble guy who's trying to save the world as we know
>>>>>> it!"
>>>>>>
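An added example, not code from this thread and not Joe's or Sly's, of the two workarounds the exchange above points at: an administrative reset done by writing unicodePwd directly over a signed and sealed Kerberos bind, so the credentials passed to DirectoryEntry are the ones that perform the write, and a user-initiated change done as one delete/add modify through System.DirectoryServices.Protocols (.NET 2.0 and later, so not available to the .NET 1.1 code in this thread). The point of the direct write is that it has no fallback: Invoke("SetPassword") falls through, as Joe describes, to NetUserSetInfo, and that Net API call runs under the calling process's logon session rather than under the DirectoryEntry credentials, which is a plausible explanation for event 627 naming the logged-on Administrator. Active Directory refuses unicodePwd writes unless the connection is SSL/TLS or SASL-sealed, so Secure alone is not enough here. The host, DNs, account names and passwords are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example; placeholders throughout, not the thread's own code.
public static class PasswordOps
{
    // unicodePwd takes the password wrapped in double quotes, encoded as UTF-16LE.
    public static byte[] EncodeUnicodePwd(string password)
    {
        return Encoding.Unicode.GetBytes("\"" + password + "\"");
    }

    // Administrative reset ("SetPassword" equivalent) as a plain LDAP replace of
    // unicodePwd over the bound DirectoryEntry. There is no NetUserSetInfo fallback,
    // so the bind credentials (bindUser) are what the DC audits in event 627.
    // Needs the "Reset Password" control-access right on the target object.
    public static void ResetPassword(string userDn, string bindUser, string bindPwd, string newPwd)
    {
        // Sealing (Kerberos encryption) or SecureSocketsLayer is mandatory: AD answers
        // "unwilling to perform" to unicodePwd writes on an unencrypted connection.
        AuthenticationTypes auth = AuthenticationTypes.Secure
                                 | AuthenticationTypes.Signing
                                 | AuthenticationTypes.Sealing;

        using (DirectoryEntry user = new DirectoryEntry("LDAP://" + userDn, bindUser, bindPwd, auth))
        {
            user.Properties["unicodePwd"].Value = EncodeUnicodePwd(newPwd);
            user.CommitChanges();

            // Force a change at next logon, as Creer() in the thread does; written as a
            // separate commit after the password itself has been accepted.
            user.Properties["pwdLastSet"].Value = 0;
            user.CommitChanges();
        }
    }

    // User-initiated change ("ChangePassword" equivalent): a single LDAP modify that
    // deletes the old value and adds the new one. Only needs the "Change Password"
    // right, which a user normally holds on his own object. ADSI's DirectoryEntry
    // cannot express a delete-then-add pair on one attribute in one operation, so
    // this uses System.DirectoryServices.Protocols (.NET 2.0+).
    public static void ChangePassword(string dcHost, string userDn, string userUpn, string oldPwd, string newPwd)
    {
        using (LdapConnection conn = new LdapConnection(dcHost))
        {
            conn.SessionOptions.Signing = true;   // integrity
            conn.SessionOptions.Sealing = true;   // confidentiality, required for unicodePwd
            conn.AuthType = AuthType.Kerberos;    // Kerberos only, no NTLM downgrade
            conn.Credential = new NetworkCredential(userUpn, oldPwd);
            conn.Bind();

            DirectoryAttributeModification delOld = new DirectoryAttributeModification();
            delOld.Name = "unicodePwd";
            delOld.Operation = DirectoryAttributeOperation.Delete;
            delOld.Add(EncodeUnicodePwd(oldPwd));

            DirectoryAttributeModification addNew = new DirectoryAttributeModification();
            addNew.Name = "unicodePwd";
            addNew.Operation = DirectoryAttributeOperation.Add;
            addNew.Add(EncodeUnicodePwd(newPwd));

            // Both modifications travel in one ModifyRequest; the DC treats the pair
            // as a password change and enforces the old value, history and complexity.
            ModifyRequest req = new ModifyRequest(userDn, delOld, addNew);
            ModifyResponse resp = (ModifyResponse)conn.SendRequest(req);
            if (resp.ResultCode != ResultCode.Success)
            {
                throw new InvalidOperationException("Password change failed: " + resp.ResultCode);
            }
        }
    }
}
```

Usage, with placeholder values: `PasswordOps.ResetPassword("CN=jdoe,OU=IDUL,OU=ACCOUNTS,DC=2k3domain-dev,DC=ca", "2k3domain-dev\\AccountManager", "SecretSecret", "N3wP@ssw0rd")` for the reset, and `PasswordOps.ChangePassword("server-dc.2k3domain-dev.ca", "CN=jdoe,...", "jdoe@2k3domain-dev.ca", "oldPwd", "N3wP@ssw0rd")` for the self-service change. A quick check that the right identity is in use is the one Sly already applied: the User field of event 627 on the DC should show AccountManager (or the user himself), not the interactive logon. If a failed bind falls back to NTLM, the Delegation flag Joe mentions, or AuthType.Kerberos as above, makes it fail loudly instead.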