Re: Authorization Manager Problem



You may also need to enable anonymous searches in general in AD. This is
not allowed by default in AD 2003. Thus, even if you ACL certain objects to
allow anonymous access, AD will fail the operation when you try to do any
search at all if you haven't executed a bind.

If you want to try changing this, there is a flag on dsHeuristics (#7) you
need to set. If it were my AD, I wouldn't do that though, as it weakens the
security of the whole directory.

It may also be the case that AzMan doesn't know how to do an anonymous LDAP
query in the first place and always attempts to bind with the current
security context, in which case you are kind of screwed, since that isn't a
domain account. I'm not sure about that though as I'm not an AzMan expert.

I hope you find a solution.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Peter Sahl" <PeterSahl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5392C56B-B86A-43BA-8896-C5BCCFC046E7@xxxxxxxxxxxxxxxx
Hi.

I have a scenario where I am using Azman, with the store in an Active
Directory Domain controller. I have assigned "Anonymous logon" as an
AzMan-reader.

I can easily connect to the store using the .NET interop, from within the
domain. However, I can't connect from a (non-domain) IIS in the DMZ, even
though I've allowed anonymous access to the store. It's not a networking
problem, as I get an error message from the Domain Controller, saying that the
supplied password is incorrect, even though I haven't supplied a password,
nor have any way of doing it.

Is it possible to connect to an AD-backed AzMan-store from a non-domain
server?

/Peter
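The two hypotheses in Joe's reply (anonymous operations disabled by dsHeuristics vs. AzMan never issuing an anonymous bind at all) can be told apart before anyone touches the directory. The PowerShell below is an added example, not code from either poster: one function reads the dsHeuristics attribute from the Configuration naming context with the caller's domain credentials and reports whether the seventh character is "2" (the value that enables anonymous LDAP operations); the other, run from the non-domain DMZ host, performs an anonymous bind with System.DirectoryServices.Protocols and attempts a base-scope search on the domain naming context, which is where the "must bind first" rule is enforced (RootDSE is readable anonymously regardless, so a RootDSE read proves nothing). The server name dc01.example.com is a placeholder.

```powershell
# Added example, not code from the thread. "dc01.example.com" is a
# hypothetical domain controller; set $Server for your own environment.
param([string]$Server = "dc01.example.com")

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-AnonymousLdapOpsSetting {
    # Admin-side check, run from a domain-joined box with read access to the
    # Configuration NC. The 7th character of dSHeuristics controls anonymous
    # LDAP operations: "2" = enabled; anything else, or a value shorter than
    # seven characters, = the default, where only RootDSE is readable
    # without an authenticated bind.
    param([string]$Server)
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $dsObj    = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = [string]$dsObj.dSHeuristics
    [pscustomobject]@{
        dSHeuristics        = $value
        AnonymousOpsEnabled = ($value.Length -ge 7 -and $value.Substring(6, 1) -eq '2')
    }
}

function Test-AnonymousLdapSearch {
    # DMZ-side check, run from the non-domain IIS host: bind anonymously,
    # learn the domain NC from RootDSE (always allowed), then try a base
    # search on that NC. With default dSHeuristics the DC rejects the second
    # search with operationsError and a comment that a successful bind must
    # be completed on the connection first.
    param([string]$Server)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $conn.Bind()   # the anonymous bind itself succeeds whatever dSHeuristics says

        $rootReq  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            "", "(objectClass=*)",
            [System.DirectoryServices.Protocols.SearchScope]::Base, "defaultNamingContext")
        $domainNc = [string]$conn.SendRequest($rootReq).Entries[0].Attributes["defaultNamingContext"][0]

        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $domainNc, "(objectClass=*)",
            [System.DirectoryServices.Protocols.SearchScope]::Base, "name")
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{
            AnonymousSearchAllowed = $true
            Detail                 = "Read $($resp.Entries.Count) entry from $domainNc without a bind"
        }
    } catch {
        # GetBaseException() unwraps PowerShell's MethodInvocationException so
        # the DC's own LDAP error text (or the network error) is what you see.
        [pscustomobject]@{
            AnonymousSearchAllowed = $false
            Detail                 = $_.Exception.GetBaseException().Message
        }
    } finally {
        $conn.Dispose()
    }
}

# Run the first from inside the domain and the second from the DMZ host.
Get-AnonymousLdapOpsSetting -Server $Server
Test-AnonymousLdapSearch    -Server $Server
```

If the DMZ test reports AnonymousSearchAllowed = $false while the AzMan error still talks about a wrong password, the failure is happening at bind time, not at search time: the client is presenting the local machine's (non-domain) context rather than binding anonymously, which is Joe's second explanation, and flipping dsHeuristics would not help. Only an anonymous search that succeeds here, with AzMan still failing, points at AzMan's own connection handling.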

