Re: Is it possible to authenticate a user against an untrusted dom



On Aug 11, 5:34 am, Raj Sidhu <RajSi...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Interesting, thanks for the code.

I get the same error as you; however, reading around, it seems you may need a
certificate?

Anyway I don't have this option, so the original question still stands.

Using SSPI or otherwise, does anyone know if it's possible to authenticate a
user against an untrusted domain?

Creating a trust relationship is out of the question, as is creating a
certificate if it means modifying the original domain in any way (including
administration of any kind).

To validate the U/P you can perform an LDAP bind. To get the domain
groups for the user (which is the only thing that makes sense in context
anyway) you can do an LDAP query for the user and retrieve the tokenGroups
attribute.

SSPI will also work but you'd have to put code on the untrusted
domain. That may or may not be possible. Ping me offline and I can
send you working code if that would help.

Another thing to look at is federating your application. Microsoft
will soon be releasing a new version of Active Directory Federation
Services (ADFS). ADFS is specifically designed to solve the whole "I
want to authenticate but I don't want a Windows trust" problem. The
functionality of ADFS is similar to what you would get if you went
the LDAP or SSPI route, but many things are done for you and there is
MUCH better control over credential usage. For example, if I was a
Security Architect where you are working on your project I would tell
you that you are not allowed to prompt a user for domain credentials.
Doing so violates a fair number of reasonable security policies. With
ADFS the authentication will be routed to a trusted server (the ADFS
box) in the infrastructure and then the appropriate token information
is provided to the server.

HTH,
Dave
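The LDAP route Dave describes (a simple bind to check the password, then a read of the user's own tokenGroups attribute for group membership), written out as an added example; this is not code from the thread or from either poster. It assumes the third-party `ldap3` package is installed, that the untrusted domain exposes LDAPS on port 636, and that the host, base DN and account used in the usage call are placeholders. The binary-SID decoder and filter escaping are pure Python so they can be checked without a domain controller.

```python
"""Validate a password and read group membership from a domain the
application's own domain does not trust, using an LDAP simple bind over LDAPS
and the tokenGroups attribute.  Added example, not code from the thread;
assumes the third-party `ldap3` package and an LDAPS listener on port 636."""
import struct

# Characters that must be escaped in an LDAP search filter (RFC 4515), so a
# user-supplied UPN cannot alter the filter built below.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for safe interpolation into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID (the form tokenGroups returns) into S-1-5-... text."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def authenticate_and_get_groups(host: str, base_dn: str, upn: str, password: str):
    """Return the user's group SIDs if the password is valid, otherwise None.

    The bind itself is the credential check; tokenGroups is then read with the
    user's own credentials, so no service account in the foreign domain is needed.
    """
    # An empty password turns a simple bind into an "unauthenticated" bind,
    # which Active Directory answers with success.  Refuse it up front.
    if not password:
        return None
    # Assumption: ldap3 is available (pip install ldap3); imported lazily so
    # the helpers above work without it.
    from ldap3 import ALL, BASE, Connection, Server

    # LDAPS is required: a simple bind sends the password in the clear otherwise.
    server = Server(host, port=636, use_ssl=True, get_info=ALL)
    conn = Connection(server, user=upn, password=password)
    if not conn.bind():
        return None  # wrong password, locked out, disabled, ...
    try:
        # Locate the user's DN; tokenGroups is only readable on the object itself.
        flt = "(&(objectClass=user)(userPrincipalName=%s))" % ldap_filter_escape(upn)
        if not conn.search(base_dn, flt, attributes=["distinguishedName"]):
            return None
        user_dn = conn.entries[0].entry_dn
        # tokenGroups is a constructed attribute: the DC expands nested groups
        # and returns every SID as raw bytes.
        conn.search(user_dn, "(objectClass=*)", search_scope=BASE,
                    attributes=["tokenGroups"])
        return [sid_bytes_to_string(b) for b in conn.entries[0]["tokenGroups"].raw_values]
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Placeholder host, base DN and account; replace with the foreign domain's values.
    groups = authenticate_and_get_groups("dc1.other.example", "DC=other,DC=example",
                                         "alice@other.example", "correct horse")
    print("login failed" if groups is None else groups)
```

Two points from the thread are built in: the application never stores or forwards the domain password (it is used only for the bind, which is the credential-handling concern Dave raises and the reason he prefers ADFS), and group membership comes from tokenGroups rather than from walking memberOf, so nested groups are resolved by the domain controller.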