Re: using xp credentials for ldap authentication



Normally, you don't implement Kerberos directly but instead implement the
Windows Negotiate protocol which selects between Kerberos and NTLM.

The details of how you would want to do this will depend on the programming
language you are using and the protocol. For example, at the sockets level
you typically use Microsoft's SSPI APIs
(InitializeSecurityContext/AcceptSecurityContext) and those are documented
in the Microsoft platform SDK. The PSDK samples are all C++. The .NET
framework provides sockets level SSPI support with the NegotiateStream class
which abstracts all the details away.

For higher level protocols like HTTP, SSPI is implemented by tunneling the
SSPI handshake over standard HTTP WWW-Authenticate/Authorization response
and request headers. This is deeply baked into Windows (enabled as Integrated
Windows Authentication in IIS) and is supported by IE and Firefox to some
extent. Many programmatic HTTP clients will do IWA auth (.NET
HttpWebRequest + ASMX stack + WCF stack, WinHTTP, WinInet, etc.)
automatically. There are also libraries for other platforms to support the
client and server side of this.

So, I think the bottom line is to do some additional research and try to
wrap your head around how this all works.

Best of luck!

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
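The NegotiateStream route Joe mentions, as an added example that is not from this thread or from the .NET documentation: a client/server pair that runs the Negotiate handshake over a plain TCP socket using the logged-on user's token, and refuses the session unless Kerberos (not the silent NTLM fallback) actually authenticated the caller. It assumes a domain-joined Windows machine with .NET 6 or later, and ServerSpn is a placeholder for an SPN registered to the account that runs the server.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Threading.Tasks;

class NegotiateDemo
{
    // Placeholders, not values from the thread: an SPN registered for the server's account, and a loopback port.
    const string ServerSpn = "host/server.example.com";
    const int Port = 11000;

    static async Task Server()
    {
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        using var tcp = await listener.AcceptTcpClientAsync();
        using var auth = new NegotiateStream(tcp.GetStream(), false);
        // Server leg of the SSPI handshake under the process identity; EncryptAndSign seals later traffic on 'auth'.
        auth.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
            ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
        IIdentity caller = auth.RemoteIdentity;
        // Negotiate falls back to NTLM silently (unregistered SPN, no DC reachable); check the package before trusting the session.
        if (caller.AuthenticationType != "Kerberos")
            throw new AuthenticationException("Expected Kerberos, got " + caller.AuthenticationType);
        using var writer = new StreamWriter(auth) { AutoFlush = true };
        await writer.WriteLineAsync("Authenticated " + caller.Name + " via " + caller.AuthenticationType);
    }

    static async Task Client()
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(IPAddress.Loopback, Port);
        using var auth = new NegotiateStream(tcp.GetStream(), false);
        // Client leg: DefaultNetworkCredentials is the logged-on user's token, so the app never handles a password or hash.
        auth.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, ServerSpn,
            ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
        // Mutual authentication is only provided by Kerberos; with NTLM this stays false.
        if (!auth.IsMutuallyAuthenticated)
            throw new AuthenticationException("Server was not authenticated to the client");
        Console.WriteLine(await new StreamReader(auth).ReadLineAsync());
    }

    static async Task Main() { var s = Server(); await Task.Delay(200); await Task.WhenAll(s, Client()); }
}
```

Run as a domain user; if the SPN is missing or no domain controller is reachable, the server side throws instead of quietly accepting an NTLM logon.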
--
"Michel777" <Michel777@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:142152E2-5B63-4E62-8A38-1F20A36655DB@xxxxxxxxxxxxxxxx
The very last question: are there any tutorials or examples of how to do it?
Especially how to get the ticket from XP and how to handle it?

"Joe Kaplan" wrote:

The solution Brian suggested, using Kerberos, is available on either
platform. It just depends on having code available to support Kerberos.
There are plenty of options in .NET and other APIs. There are also Java
Kerb stacks that can do this.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michel777" <Michel777@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F1784FF6-2BC5-4911-AEA3-3D9E26A86936@xxxxxxxxxxxxxxxx
P.S.: Would there be a solution / workaround if the server were running
on Windows Server?

"Michel777" wrote:

Dear Joe and Brian,

thanks a lot for your fast responses !

Warm regards,

Michel

"Joe Kaplan" wrote:

Ok, so what you want to do is pass something other than the plaintext
password into this method and have the server use that data to
authenticate against AD? The answer is no, especially if you plan to use
LDAP as the authentication mechanism. All the supported LDAP auth
mechanisms require plaintext creds.

What you really want is what Brian Komar suggested (Kerberos), but it
would need to be modified to support that.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michel777" <Michel777@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:51B8CB04-3D70-483A-94E2-F7395E68083C@xxxxxxxxxxxxxxxx
There is an API using its own authentication, written in Java or .NET
(depending on which operating system the server runs). The product is
MobiLink Server:

"Create a class called MobiLinkAuth using Java or .NET.

The MobiLinkAuth class includes the authenticateUser method used for the
authenticate_user synchronization event. The authenticate_user event
provides parameters for the user and password. You return the
authentication result in the authentication_status inout parameter."

import ianywhere.ml.script.*;

public class MobiLinkAuth
{
    // Called by MobiLink for the authenticate_user event; the result is
    // returned through the authentication_status inout parameter.
    public void authenticateUser (
        ianywhere.ml.script.InOutInteger authentication_status,
        String user,
        String pwd,
        String newPwd )
    {
        // to do...
    }
}


"Joe Kaplan" wrote:

What authentication protocol(s) does the server application support?
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michel777" <Michel777@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D6561EFB-0698-4D88-BE83-84D04407D59F@xxxxxxxxxxxxxxxx
Scenario:

The Windows XP user has authenticated against an NT domain (Active
Directory) with credentials xpuser / xppassword. A Java application
running on this XP box will access a server application located on
Unix. This server wants to authenticate the xpuser against Active
Directory.

Question:
Is it possible to use the xppassword (cached in hash form in the
registry) for that authentication? If not, is there any other way to
avoid requiring the xpuser to type the password (xppassword)?