
Re: [ADSI-DirSrv] Username Token Authentication against Active directory

  • Joe Kaplan
    Message 1 of 7 , Sep 30, 2004
      The best possible thing for real Windows/Active Directory users is to create
      your own custom derived UserNameTokenManager class that uses the LogonUser
      API or the SSPI APIs to authenticate the user and create a real Windows
      login token for the user. From that, you can create a WindowsPrincipal
      object to use for your IPrincipal.

      However, with ADAM users, you can't use any of the Windows login protocols
      because ADAM users aren't Windows users. For ADAM, you must use LDAP to
      authenticate the user.

      In order to validate credentials with LDAP, you basically just need to bind
      to ADAM with the user's credentials. With S.DS, the easiest way to do this
      is to use the DirectoryEntry object to bind to RootDSE on ADAM with the
      user's username and password. You must use AuthenticationTypes.None or
      possibly AuthenticationTypes.SecureSocketsLayer. AuthenticationTypes.Secure
      and the other settings that require secure binding (sealing, signing,
      delegation) require a Windows login. This is one of the best reasons to get
      an SSL certificate for your ADAM instance because this allows you to protect
      plain text credentials on the network.

      If you need to look up groups for an ADAM user to build a more fully
      featured IPrincipal object, the RootDSE object exposes a tokenGroups
      attribute that allows you to get the SIDs of the groups the ADAM user is a
      memberOf. There is a trick you need to do in ADSI/S.DS to get this to work
      (must use the GC provider with the ADAM SSL port), but it works.

      Hopefully that gives you a basic outline.

      Joe K.

      ----- Original Message -----
      From: "Sumaira Ahmad" <sumaira_ahmad@...>
      To: <ADSIANDDirectoryServices@yahoogroups.com>
      Sent: Thursday, September 30, 2004 8:17 PM
      Subject: [ADSI-DirSrv] Username Token Authentication against Active
      directory


      > Hi,
      >
      > Can someone give me a head start on how to authenticate a
      > UsernameToken security token that is created in an ASP.NET
      > application using WSE 2.0 against Active directory.
      >
      > For instance, in my application on my user interface I enter the
      > username and password and I use that to create a username token and
      > send it to a web service.
      > Following that, what is required at the web service end to match this
      > password with the same user's password stored in ADAM? Can anyone
      > tell me?
      >
      > Do I first need to do a directorySearch for the user after
      > extracting the username from the token and do a compare of their
      > passwords?
      > But as far as I know the userPassword property is a write-only
      > property and hence I am not able to access it or read it. It gives a
      > constraint violation when I try to do that.
      >
      > I also understand that the password needs to be sent as plain text
      > if required to be authenticated against active directory.
      >
      > Any kind of help will be highly appreciated.
      >
      > Thanks,
      > Sumaira
      >
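The Windows/AD branch of Joe's outline, as an added example that is not part of the original thread: a UsernameTokenManager subclass that validates the token's password with LogonUser and attaches a WindowsPrincipal built from the resulting logon token. The domain name, the class name, and the exact shape of the WSE 2.0 override (AuthenticateToken handing back the password, token.Principal being assignable) are assumptions; the Win32 declarations are the standard advapi32/kernel32 signatures.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Web.Services2.Security.Tokens;

// Added example, not code from the thread. WSE 2.0 calls AuthenticateToken
// with the incoming UsernameToken; we verify the password with LogonUser,
// attach a WindowsPrincipal, and hand the token's own password back so that
// WSE's comparison passes.
public class WindowsUsernameTokenManager : UsernameTokenManager
{
    // Assumed domain; in practice read it from configuration.
    const string Domain = "EXAMPLE";

    // Logon type / provider constants from WinBase.h. A network logon needs
    // no interactive-logon right and is the cheapest credential check.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string userName, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    protected override string AuthenticateToken(UsernameToken token)
    {
        // Never let an empty password take the success path.
        if (token.Password == null || token.Password.Length == 0)
            return null;

        IntPtr hToken = IntPtr.Zero;
        if (!LogonUser(token.Username, Domain, token.Password,
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out hToken))
        {
            // Wrong password, disabled or locked account, expired password:
            // all land here. Returning null makes WSE reject the token. Do not
            // return a fixed junk string; that string is itself a password a
            // caller could send, and WSE would then match it.
            return null;
        }

        try
        {
            // Build the IPrincipal from the real logon token so the service
            // can use WindowsPrincipal.IsInRole against AD group membership.
            WindowsIdentity identity = new WindowsIdentity(hToken);
            token.Principal = new WindowsPrincipal(identity);
        }
        finally
        {
            // WindowsIdentity keeps its own copy of the token.
            CloseHandle(hToken);
        }

        return token.Password;
    }
}
```

The class is registered through the WSE configuration, as Joe describes below; the ADAM case cannot use this path because LogonUser only knows about Windows accounts.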
    • Sumaira Ahmad
      Message 2 of 7 , Oct 1, 2004
        Thanks Joe for this email. For some reason these messages don't
        show up for long in your mailboxes, and hence I have been continuing
        to post messages to all possible groups to get my answer.

        I am a little confused here, considering the fact that I am new to
        all these Microsoft technologies.

        So where do I write the code to connect to ADAM using LDAP with S.DS?
        In the web service's UsernameTokenManager's AuthenticateToken method?
        That is the method I have used so far to return the password of
        a user so that WSE can authenticate it against the password in the
        UsernameToken. But that has to return a password.

        So you mean to say I should not use WSE to authenticate an ADAM user?

        Here is my scenario:
        I have created an ADAM user with distinguished name:
        CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US
        and set a password for it.
        What should I use as my username in the user interface, and how do I
        specify to LDAP that it has to check against that property to
        authenticate? For instance, if I use my userPrincipalName?

        Also, in that case will I have to uncheck Integrated Windows
        Authentication and check Anonymous access?

        Sorry for all these basic questions, but nothing is available on the
        internet.
        Thanks,
        Sumaira


      • Sumaira Ahmad
        Message 3 of 7 , Oct 3, 2004
          Hi Joe,
          I wanted to update you with the latest that I have accomplished
          following your email.
          I have implemented the following: I am able to enter as username
          the value for userPrincipalName and the corresponding password in the
          password TextBox, and using those credentials I am able to use LDAP
          authentication to authenticate the ADAM user (never realized that
          LDAP DS also accepts userPrincipalName as a valid username).
          However, I am able to only connect to RootDSE with that. Using those
          credentials I am not able to connect to my partition (can I know the
          reason for that?). However, I don't mind that, because my only aim is
          to authenticate the user and this code achieves that.
          Following is the code:
          // Runs inside the ASP.NET page's event handler; needs
          // "using System.DirectoryServices;" at the top of the code-behind.
          DirectoryEntry objADAM; // Binding object.
          string strPath;         // Binding path.

          // Construct the binding string: RootDSE on the local ADAM instance.
          strPath = "LDAP://localhost:389/RootDSE";

          // Get ADAM object, binding with the user's own credentials.
          try
          {
              objADAM = new DirectoryEntry(strPath, "MaryBaker", "ipsita",
                                           AuthenticationTypes.None);
              // DirectoryEntry binds lazily; RefreshCache forces the bind and
              // throws if ADAM rejects the credentials.
              objADAM.RefreshCache();
          }
          catch (Exception e1)
          {
              Label2.Text = e1.ToString();
              return;
          }

          Now my only concern is how to integrate it with UsernameToken in
          WSE 2.0 and where exactly to put the code. By default WSE 2.0 calls
          the UserNameTokenManager class, which calls the VerifyToken method, and I
          guess that calls the AuthenticateToken method. The AuthenticateToken
          method returns the password that it retrieves and compares it
          with the UsernameToken password, and hence authenticates the user.

          Can I please know how to override this default functionality?
          As you said, I don't have to create a CustomTokenManager? In which
          case it will call the default one and expect AuthenticateToken to
          return a password.

          Basically, in short, please tell me where to apply this code and how
          it would work. And please, I may need some spoonfeeding since I hardly
          understand the working of it all..:-)..

          Please help me. I am highly frustrated and losing sleep over it.
          Thank you so much,
          Sumaira

        • Joe Kaplan
          Message 4 of 7 , Oct 3, 2004
            Is the ADAM user in the Readers role group in ADAM? By default, ADAM users
            don't have access to read any objects in a partition.

            Regarding the WSE 2.0 UserNameTokenManager, you definitely have to derive a
            class from the base class and override the appropriate method. I'm not
            sure how you configure WSE to know to instantiate your class to do the
            authentication, but I'm sure you do that via config. This month's MSDN
            Magazine column by Adam Skonnard has a bunch of samples that walk you
            through the whole process. It should be online now or very shortly.

            Joe K.

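To check Joe's point in code, an added example that is not from the thread: it puts an ADAM user into a partition's Readers role and then verifies, by binding as that user, that the partition root has become readable. The host, the SSL port, the class name and the partition DN taken from Sumaira's message are assumptions about the instance; the administrative bind uses a Windows account that holds the Administrators role on the instance.

```csharp
using System;
using System.DirectoryServices;

// Added example, not code from the thread.
public class AdamReadersRole
{
    const string Host = "localhost";
    const int SslPort = 636;                       // assumed SSL port of the instance
    const string PartitionDn = "O=MyCompany,C=US"; // partition from the thread
    const string ReadersDn = "CN=Readers,CN=Roles," + PartitionDn;

    // Adds userDn to the partition's Readers role. Returns false when the user
    // was already a member, so the call is safe to repeat.
    public static bool GrantReader(string adminUser, string adminPassword, string userDn)
    {
        string path = "LDAP://" + Host + ":" + SslPort + "/" + ReadersDn;
        // A Windows account can use a secure (SSPI) bind; the SSL flag keeps
        // the LDAP traffic itself encrypted as well.
        using (DirectoryEntry readers = new DirectoryEntry(path, adminUser, adminPassword,
               AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        {
            foreach (string member in readers.Properties["member"])
                if (String.Compare(member, userDn, true) == 0)
                    return false;   // already a reader, nothing to change

            readers.Properties["member"].Add(userDn);
            readers.CommitChanges();
            return true;
        }
    }

    // Checks the grant from the user's side: a simple bind over SSL with the
    // user's UPN and password, then a read of the partition root. Before the
    // grant the credentials are still valid, but ADSI cannot read the object,
    // so the DirectoryEntry access throws and this returns false.
    public static bool CanReadPartition(string upn, string password)
    {
        string path = "LDAP://" + Host + ":" + SslPort + "/" + PartitionDn;
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(path, upn, password,
                   AuthenticationTypes.SecureSocketsLayer))
            {
                return root.Properties["distinguishedName"].Count > 0;
            }
        }
        catch (Exception)
        {
            return false;
        }
    }
}
```

Calling GrantReader with the DN from the thread (CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US) and then CanReadPartition with that user's UPN is the quickest way to tell a credential problem apart from a permission problem: the RootDSE bind in Sumaira's code succeeds in both cases, only the partition read distinguishes them.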
          • Sumaira
            Message 5 of 7 , Oct 3, 2004
              Hi Joe,

              Thank you so much for your reply.
              And thanks for informing me about the Readers role. I guess all we need to do to enable it is:

              Go to the partition created, and for CN=Roles set the member property of the Readers object to the distinguished name of the ADAM user to whom you want to give read permission.

              Also, for the ADAM with WSE 2.0 UsernameToken problem I was facing, I found a simpler solution.

              1) Continue using the CustomUsernameAuthenticateToken the way we normally do.
              2) In the AuthenticateToken method of the web service, all we need to do is:
              Try connecting to ADAM using the token username and password.
              If the connection is successful, return the token password; else return a null or junk.

              Attaching the code as follows:

              using System;
              using System.DirectoryServices;
              using Microsoft.Web.Services2.Security.Tokens;

              // Custom token manager registered with WSE 2.0 via config. WSE calls
              // AuthenticateToken with the incoming UsernameToken and compares the
              // returned value against the password the caller supplied.
              public class CustomUsernameTokenManager : UsernameTokenManager
              {
                  protected override string AuthenticateToken(UsernameToken userToken)
                  {
                      // Binding path: RootDSE on the local ADAM instance.
                      string strPath = "LDAP://localhost:389/RootDSE";

                      // Get ADAM object, binding with the token's credentials.
                      try
                      {
                          using (DirectoryEntry objADAM = new DirectoryEntry(strPath,
                                 userToken.Username, userToken.Password, AuthenticationTypes.None))
                          {
                              // Forces the bind; throws if ADAM rejects the credentials.
                              objADAM.RefreshCache();
                          }
                      }
                      catch (Exception)
                      {
                          // Bind failed. Return null, not a fixed junk string: a literal
                          // such as "badpassword" is itself a password a caller could send,
                          // and WSE would then match it and accept the token.
                          return null;
                      }

                      // Bind succeeded: hand back the token's own password so WSE's
                      // comparison passes.
                      return userToken.Password;
                  }
              }

              Thanks once again for all your help,

              Sumaira




              > return a password.
              >
              > Basically in short, please tell me where to apply this code and how
              > would it work.And please I may need some spoonfeeding since I hardly
              > understand the working of it all..:-)..
              >
              > Please help me..I am highly frustrated and loosing sleep over it..
              > Thank you so much,
              > Sumaira
              >
              > --- In ADSIANDDirectoryServices@yahoogroups.com, "Sumaira Ahmad"
              > <sumaira_ahmad@y...> wrote:
              >> Thanks Joe for this email For some reasons and these messages dont
              >> show up for long in your mail boxes and hence I have been
              > continuing
              >> to post messages to all possible groups to get my answer.
              >>
              >> I am a little confused here, considering the fact that I am new to
              >> all these microsoft technologies.
              >>
              >> So where do I write the code to connect to ADAM using LDAP S.DS.
              > In
              >> the web service's UsernameTokenManager's AuthenticateToken method?
              >> That is the method i have used so far to return back the password
              > of
              >> a user so that WSE can authenticate it against the password in the
              >> usernametoken. But that has to return back a password.
              >>
              >> So u mean to say I shud not use WSE to authenticate an ADAM User?
              >>
              >> Here is my scenario:
              >> I have created an ADAM user with distinguished name:
              >> CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US
              >> and set a password for it.
              >> What should I use as my username in the user interface, and how
              > to
              >> specify to LDAP that it has to check against that property to
              >> authenticate??? For instance if I use my userPrincipal name?
              >>
              >> Also in that case I will have to uncheck Integrated Windows
              >> Authentication and check Anonymous access??
              >>
              >> Sorry for all these basic questions but none is available on the
              >> internet.
              >> Thanks,
              >> Sumaira
              >>
              >>
              >> --- In ADSIANDDirectoryServices@yahoogroups.com, "Joe Kaplan"
              >> <joe@j...> wrote:
              >> > The best possible thing for real Windows/Active Directory users
              > is
              >> to create
              >> > your own custom derived UserNameTokenManager class that uses the
              >> LogonUser
              >> > API or the SSPI APIs to authenticate the user and create a real
              >> Windows
              >> > login token for the user. From that, you can create a
              >> WindowsPrincipal
              >> > object to use for your IPrincipal.
              >> >
              >> > However, with ADAM users, you can't use any of the Windows login
              >> protocols
              >> > because ADAM users aren't Windows users. For ADAM, you must use
              >> LDAP to
              >> > authenticate the user.
              >> >
              >> > In order to validate credentials with LDAP, you basically just
              >> need to bind
              >> > to ADAM with the user's credentials. With S.DS, the easiest way
              >> to do this
              >> > is to use the DirectoryEntry object to bind to RootDSE on ADAM
              >> with the
              >> > user's username and password. You must use
              >> AuthenticationTypes.None or
              >> > possibly AuthenticationTypes.SecureSocketsLayer.
              >> AuthenticationTypes.Secure
              >> > and the other settings that require secure binding (sealing,
              >> signing,
              >> > delegation) require a Windows login. This is one of the best
              >> reasons to get
              >> > an SSL certificate for your ADAM instance because this allows
              > you
              >> to protect
              >> > plain text credentials on the network.
              >> >
              >> > If you need to look up groups for an ADAM user to build a more
              >> full features
              >> > IPrincipal object, the RootDSE object exposes a tokenGroups
              >> attribute that
              >> > allows you to get the SIDs of the groups the ADAM user is a
              >> memberOf. There
              >> > is a trick you need to do in ADSI/S.DS to get this to work (must
              >> use the GC
              >> > provider with the ADAM SSL port), but it works.
              >> >
              >> > Hopefully that gives you a basic outline.
              >> >
              >> > Joe K.
              >> >
              >> > ----- Original Message -----
              >> > From: "Sumaira Ahmad" <sumaira_ahmad@y...>
              >> > To: <ADSIANDDirectoryServices@yahoogroups.com>
              >> > Sent: Thursday, September 30, 2004 8:17 PM
              >> > Subject: [ADSI-DirSrv] Username Token Authentication against
              >> Active
              >> > directory
              >> >
              >> >
              >> > > Hi,
              >> > >
              >> > > Can someone give me a head start on how to authenticate a
              >> > > UsernameToken security token that is created in an ASP.NET
              >> > > application using WSE 2.0 against Active directory.
              >> > >
              >> > > For instance, in my application on my user interface I enter
              > the
              >> > > username and password and I use that to create a username
              > token
              >> and
              >> > > send it to a web service.
              >> > > Following that what is required at the web service end to
              > match
              >> this
              >> > > password with the same user's password stored in ADAM?? Can
              >> anyone
              >> > > tell me??
              >> > >
              >> > > Do I first need to do a directorySearch for the user after
              >> > > extracting the username from the token and do a compare of
              > their
              >> > > passwords.
              >> > > But as far as I know the userPassword property is a write only
              >> > > property and hence I am not able to access it or read it.It
              >> gives a
              >> > > constraint violation when I try to do that.
              >> > >
              >> > > I also understand that the password needs to be sent as plain
              >> text
              >> > > if required to be authenticated against active directory.
              >> > >
              >> > > Any kind of help will be highly appreciated.
              >> > >
              >> > > Thanks,
              >> > > Sumaira
              >> > >
              ---------------------------------
              Yahoo! Groups Links

              To visit your group on the web, go to:
              http://groups.yahoo.com/group/ADSIANDDirectoryServices/

              To unsubscribe from this group, send an email to:
              ADSIANDDirectoryServices-unsubscribe@yahoogroups.com

              Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.



            • Joe Kaplan
              Message 6 of 7, Oct 3, 2004
                That looks fine to me. You can improve the code slightly by adding a
                specific catch for the COMException that is thrown and a check for the
                actual bad password HRESULT in the ErrorCode property. You'll get a
                different error if ADAM is down or something, but in that case it might not
                matter that authentication fails, so maybe this isn't important.

                In any event, I'm glad you got this working.

                Joe K.

                ----- Original Message -----
                From: "Sumaira" <sumaira_ahmad@...>
                To: <ADSIANDDirectoryServices@yahoogroups.com>
                Sent: Sunday, October 03, 2004 11:27 PM
                Subject: Re: [ADSI-DirSrv] Username Token Authentication against Active
                directory


                >
                > Hi Joe,
                >
                > Thank you so much for your reply.
                > And thanks for informing me about the Readers role. I guess all we need to
                > do to enable it is :
                >
                > Go to the partition created, and for CN=Roles set the member property of
                > the Readers object to the distinguished name of the ADAM user to whom you
                > want to to give read permission.
                >
                > Also for the ADAM with WSE 2.0 UsernameToken problem I was facing I found
                > a simpler solution to it.
                >
                > 1) Continue using the CustomUsernameAuthenticateToken the way we normally
                > use.
                > 2) In the AuthenticateToken Method of the Web Service all we need to do
                > is:
                > Try connecting to ADAM using the Token Username and Password.
                > If the connection is successful return the token password else return
                > a null or junk.
                >
                > Attaching the code as follows:
                >
                > DirectoryEntry objADAM; // Binding object.
                >
                > string strPath; // Binding path.
                >
                > // Construct the binding string.
                >
                > strPath = "LDAP://localhost:389/RootDSE";
                >
                > // Get ADAM object.
                >
                > try
                >
                > {
                >
                > objADAM = new DirectoryEntry(strPath,userToken.Username.ToString(),
                > userToken.Password.ToString(), AuthenticationTypes.None);
                >
                > objADAM.RefreshCache();
                >
                > }
                >
                > catch (Exception e1)
                >
                > {
                >
                > //Console.WriteLine("Error: Bind failed.");
                >
                > return "badpassword";
                >
                > }
                >
                > return userToken.Password.ToString();
                >
                > Thanks once again for all your help,
                >
                > Sumaira
                >
                >
                >
                >
                > Joe Kaplan <joe@...> wrote:
                > Is the ADAM user in the Readers role group in ADAM? By default, ADAM
                > users
                > don't have access to read any objects in a partition.
                >
                > Regarding the WSE 2.0 UserNameTokenManager, you definitely have to derive
                > a
                > class from the base class and override the appropriate message. I'm not
                > sure how you configure WSE to know to instantiate your class to do the
                > authentication, but I'm sure you do that via config. This month's MSDN
                > magazine column by Adam Skonnard has a bunch of samples that walk you
                > through the whole process. It should be online now or very shortly.
                >
                > Joe K.
                >
                > ----- Original Message -----
                > From: "Sumaira Ahmad" <sumaira_ahmad@...>
                > To: <ADSIANDDirectoryServices@yahoogroups.com>
                > Sent: Sunday, October 03, 2004 3:30 PM
                > Subject: Re: [ADSI-DirSrv] Username Token Authentication against Active
                > directory
                >
                >
                >>
                >>
                >> Hi Joe,
                >> I wanted to update you with the latest that I have accomplished
                >> following your email.
                >> I have implemented the following- I am able to enter as username
                >> the value for userPrincipalName and the corresponing password in the
                >> password TextBox, and using those credentials I am able to use LDAP
                >> authentication to authenticate the ADAM user.. ( never realized that
                >> LDAP DS also accepts userPrincipalName and a valid username).
                >> However I am able to only connect to rootDSE with that. Using those
                >> credentials I am not able to connect to my partition( can i know the
                >> reason for that?) However, I dont mind that, because my only aim is
                >> to authenticate the user and this code achieves that.
                >> Following is the code:
                >> DirectoryEntry objADAM; // Binding object.
                >> string strPath; // Binding path.
                >>
                >> // Construct the binding string.
                >> strPath = "LDAP://localhost:389/RootDSE";
                >>
                >> // Get ADAM object.
                >> try
                >> {
                >> objADAM = new DirectoryEntry
                >> (strPath,"MaryBaker", "ipsita", AuthenticationTypes.None);
                >> objADAM.RefreshCache();
                >> }
                >> catch (Exception e1)
                >> {
                >> Label2.Text = e1.ToString();
                >> return;
                >> }
                >>
                >> Now my only concern is, how to integrate it with UsernameToken in
                >> WSE 2.0 and where exactly to put the code. By default WSE 2.0 calls
                >> the UserNameTokenManager Class which calls VerifyToken method and I
                >> guess that calls the AuthenticateToken method. AuthenticateToken
                >> method returns back the password that it retrieves and compares
                >> with the Usernametoken password and hence authenticates the user.
                >>
                >> Can I please know how to override this default functionality?
                >> As you said I dont have to create a CustomTokenManager? In which
                >> case it will call the default one and expect AuthenticateToken to
                >> return a password.
                >>
                >> Basically in short, please tell me where to apply this code and how
                >> would it work.And please I may need some spoonfeeding since I hardly
                >> understand the working of it all..:-)..
                >>
                >> Please help me..I am highly frustrated and loosing sleep over it..
                >> Thank you so much,
                >> Sumaira
                >>
                >> --- In ADSIANDDirectoryServices@yahoogroups.com, "Sumaira Ahmad"
                >> <sumaira_ahmad@y...> wrote:
                >>> Thanks Joe for this email For some reasons and these messages dont
                >>> show up for long in your mail boxes and hence I have been
                >> continuing
                >>> to post messages to all possible groups to get my answer.
                >>>
                >>> I am a little confused here, considering the fact that I am new to
                >>> all these microsoft technologies.
                >>>
                >>> So where do I write the code to connect to ADAM using LDAP S.DS.
                >> In
                >>> the web service's UsernameTokenManager's AuthenticateToken method?
                >>> That is the method i have used so far to return back the password
                >> of
                >>> a user so that WSE can authenticate it against the password in the
                >>> usernametoken. But that has to return back a password.
                >>>
                >>> So u mean to say I shud not use WSE to authenticate an ADAM User?
                >>>
                >>> Here is my scenario:
                >>> I have created an ADAM user with distinguished name:
                >>> CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US
                >>> and set a password for it.
                >>> What should I use as my username in the user interface, and how
                >> to
                >>> specify to LDAP that it has to check against that property to
                >>> authenticate??? For instance if I use my userPrincipal name?
                >>>
                >>> Also in that case I will have to uncheck Integrated Windows
                >>> Authentication and check Anonymous access??
                >>>
                >>> Sorry for all these basic questions but none is available on the
                >>> internet.
                >>> Thanks,
                >>> Sumaira
                >>>
                >>>
                >>> --- In ADSIANDDirectoryServices@yahoogroups.com, "Joe Kaplan"
                >>> <joe@j...> wrote:
                >>> > The best possible thing for real Windows/Active Directory users
                >> is
                >>> to create
                >>> > your own custom derived UserNameTokenManager class that uses the
                >>> LogonUser
                >>> > API or the SSPI APIs to authenticate the user and create a real
                >>> Windows
                >>> > login token for the user. From that, you can create a
                >>> WindowsPrincipal
                >>> > object to use for your IPrincipal.
                >>> >
                >>> > However, with ADAM users, you can't use any of the Windows login
                >>> protocols
                >>> > because ADAM users aren't Windows users. For ADAM, you must use
                >>> LDAP to
                >>> > authenticate the user.
                >>> >
                >>> > In order to validate credentials with LDAP, you basically just
                >>> need to bind
                >>> > to ADAM with the user's credentials. With S.DS, the easiest way
                >>> to do this
                >>> > is to use the DirectoryEntry object to bind to RootDSE on ADAM
                >>> with the
                >>> > user's username and password. You must use
                >>> AuthenticationTypes.None or
                >>> > possibly AuthenticationTypes.SecureSocketsLayer.
                >>> AuthenticationTypes.Secure
                >>> > and the other settings that require secure binding (sealing,
                >>> signing,
                >>> > delegation) require a Windows login. This is one of the best
                >>> reasons to get
                >>> > an SSL certificate for your ADAM instance because this allows
                >> you
                >>> to protect
                >>> > plain text credentials on the network.
                >>> >
                >>> > If you need to look up groups for an ADAM user to build a more
                >>> full features
                >>> > IPrincipal object, the RootDSE object exposes a tokenGroups
                >>> attribute that
                >>> > allows you to get the SIDs of the groups the ADAM user is a
                >>> memberOf. There
                >>> > is a trick you need to do in ADSI/S.DS to get this to work (must
                >>> use the GC
                >>> > provider with the ADAM SSL port), but it works.
                >>> >
                >>> > Hopefully that gives you a basic outline.
                >>> >
                >>> > Joe K.
                >>> >
                >>> > ----- Original Message -----
                >>> > From: "Sumaira Ahmad" <sumaira_ahmad@y...>
                >>> > To: <ADSIANDDirectoryServices@yahoogroups.com>
                >>> > Sent: Thursday, September 30, 2004 8:17 PM
                >>> > Subject: [ADSI-DirSrv] Username Token Authentication against
                >>> Active
                >>> > directory
                >>> >
                >>> >
                >>> > > Hi,
                >>> > >
                >>> > > Can someone give me a head start on how to authenticate a
                >>> > > UsernameToken security token that is created in an ASP.NET
                >>> > > application using WSE 2.0 against Active directory.
                >>> > >
                >>> > > For instance, in my application on my user interface I enter
                >> the
                >>> > > username and password and I use that to create a username
                >> token
                >>> and
                >>> > > send it to a web service.
                >>> > > Following that what is required at the web service end to
                >> match
                >>> this
                >>> > > password with the same user's password stored in ADAM?? Can
                >>> anyone
                >>> > > tell me??
                >>> > >
                >>> > > Do I first need to do a directorySearch for the user after
                >>> > > extracting the username from the token and do a compare of
                >> their
                >>> > > passwords.
                >>> > > But as far as I know the userPassword property is a write only
                >>> > > property and hence I am not able to access it or read it.It
                >>> gives a
                >>> > > constraint violation when I try to do that.
                >>> > >
                >>> > > I also understand that the password needs to be sent as plain
                >>> text
                >>> > > if required to be authenticated against active directory.
                >>> > >
                >>> > > Any kind of help will be highly appreciated.
                >>> > >
                >>> > > Thanks,
                >>> > > Sumaira
                >>> > >
                >
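Putting together the AuthenticateToken body Sumaira posted (binding to RootDSE with the token's credentials and returning the token password on success) and Joe's suggestion above to catch the COMException and check the HRESULT in ErrorCode, here is an added example of what the override could look like. It is not code from the thread, from WSE or from ADAM. Assumptions: the WSE 2.0 base class is Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager with UsernameToken.Username and UsernameToken.Password (the thread writes it UserNameTokenManager); ADAM runs on localhost with SSL on port 636 (use your instance's SSL port); the two HRESULT constants are the standard Win32 ERROR_LOGON_FAILURE and ERROR_DS_SERVER_DOWN codes as ADSI surfaces them. It goes beyond the posted code in two defender-side ways: it refuses to bind at all when the password is empty, because an LDAP simple bind with a user name and no password is an unauthenticated (anonymous) bind that the directory accepts, and RootDSE is readable anonymously, so RefreshCache() would succeed for any user name; and it returns null rather than a fixed string on failure, so the failure value can never coincide with a password the caller happened to send.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using Microsoft.Web.Services2.Security.Tokens;   // WSE 2.0 (assumed namespace)

// Added example: a UsernameTokenManager that validates the token by binding
// to ADAM over LDAP, hardening the body posted in the thread.
public class AdamUsernameTokenManager : UsernameTokenManager
{
    // Assumption: ADAM on localhost with SSL on 636 (a default install takes
    // 636 when no other LDAP server owns it, otherwise 50001). Adjust as needed.
    private const string AdamRootDse = "LDAP://localhost:636/RootDSE";

    // Win32 errors as ADSI surfaces them in COMException.ErrorCode (0x8007xxxx).
    private const int ErrorLogonFailure = unchecked((int)0x8007052E); // ERROR_LOGON_FAILURE (1326)
    private const int ErrorServerDown   = unchecked((int)0x8007203A); // ERROR_DS_SERVER_DOWN (8250)

    internal enum BindResult { Success, BadCredentials, ServerUnavailable, OtherError }

    protected override string AuthenticateToken(UsernameToken token)
    {
        if (token == null)
            return null;

        string userName = token.Username;
        string password = token.Password;

        // Guard: an LDAP simple bind with a name and an EMPTY password is an
        // unauthenticated (anonymous) bind, and RootDSE is readable anonymously,
        // so RefreshCache() would succeed for any user name. Refuse up front.
        if (userName == null || userName.Length == 0 ||
            password == null || password.Length == 0)
            return null;

        switch (TryBind(userName, password))
        {
            case BindResult.Success:
                // WSE compares the returned value with the password in the
                // token; handing back the same string is what lets it match.
                return password;

            case BindResult.BadCredentials:
                // null can never equal the (non-empty) password the caller
                // sent, unlike a fixed sentinel such as "badpassword".
                return null;

            case BindResult.ServerUnavailable:
                // Fail closed, but with an error operators can tell apart
                // from a wrong password.
                throw new InvalidOperationException(
                    "Cannot reach ADAM to authenticate the UsernameToken.");

            default:
                throw new InvalidOperationException(
                    "Unexpected directory error while authenticating the UsernameToken.");
        }
    }

    // Attempts the bind and classifies the outcome by HRESULT instead of
    // swallowing every Exception.
    internal static BindResult TryBind(string userName, string password)
    {
        // SecureSocketsLayer keeps the clear-text password inside TLS.
        using (DirectoryEntry rootDse = new DirectoryEntry(
                   AdamRootDse, userName, password,
                   AuthenticationTypes.SecureSocketsLayer))
        {
            try
            {
                rootDse.RefreshCache();   // forces the bind to happen now
                return BindResult.Success;
            }
            catch (COMException ex)
            {
                switch (ex.ErrorCode)
                {
                    case ErrorLogonFailure:
                        return BindResult.BadCredentials;
                    case ErrorServerDown:
                        return BindResult.ServerUnavailable;
                    default:
                        return BindResult.OtherError;
                }
            }
        }
    }
}
```

If the ADAM instance has no certificate, AuthenticationTypes.None against port 389 works exactly as in the posted code, but the password then crosses the network in clear text, which is the reason Joe gives earlier in the thread for getting an SSL certificate for the instance. WSE is pointed at the derived class through its configuration file, as Joe notes; the configuration element itself is not shown in the thread.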
              • Sumaira Ahmad
                Message 7 of 7, Oct 14, 2004
                  Hi,

                  If we don't have GC installed and don't have SSL over ADAM, will the
                  tokenGroups property work?
                  Or can you suggest some other simpler way to know which groups a user
                  belongs to? Can we use the memberOf property? But somehow we are not
                  able to access the property either.


                  Please let us know a solution.
                  We are working on Win XP Pro, no domains, no SSL.

                  Thanks,
                  Sumaira


                  --- In ADSIANDDirectoryServices@yahoogroups.com, "Joe Kaplan"
                  <joe@j...> wrote:
                  > Is the ADAM user in the Readers role group in ADAM? By default,
                  ADAM users
                  > don't have access to read any objects in a partition.
                  >
                  > Regarding the WSE 2.0 UserNameTokenManager, you definitely have to
                  derive a
                  > class from the base class and override the appropriate message.
                  I'm not
                  > sure how you configure WSE to know to instantiate your class to do
                  the
                  > authentication, but I'm sure you do that via config. This month's
                  MSDN
                  > magazine column by Adam Skonnard has a bunch of samples that walk
                  you
                  > through the whole process. It should be online now or very
                  shortly.
                  >
                  > Joe K.
                  >
                  > ----- Original Message -----
                  > From: "Sumaira Ahmad" <sumaira_ahmad@y...>
                  > To: <ADSIANDDirectoryServices@yahoogroups.com>
                  > Sent: Sunday, October 03, 2004 3:30 PM
                  > Subject: Re: [ADSI-DirSrv] Username Token Authentication against
                  Active
                  > directory
                  >
                  >
                  > >
                  > >
                  > > Hi Joe,
                  > > I wanted to update you with the latest that I have accomplished
                  > > following your email.
                  > > I have implemented the following- I am able to enter as username
                  > > the value for userPrincipalName and the corresponing password in
                  the
                  > > password TextBox, and using those credentials I am able to use
                  LDAP
                  > > authentication to authenticate the ADAM user.. ( never realized
                  that
                  > > LDAP DS also accepts userPrincipalName and a valid username).
                  > > However I am able to only connect to rootDSE with that. Using
                  those
                  > > credentials I am not able to connect to my partition( can i know
                  the
                  > > reason for that?) However, I dont mind that, because my only aim
                  is
                  > > to authenticate the user and this code achieves that.
                  > > Following is the code:
                  > > DirectoryEntry objADAM; // Binding object.
                  > > string strPath; // Binding path.
                  > >
                  > > // Construct the binding string.
                  > > strPath = "LDAP://localhost:389/RootDSE";
                  > >
                  > > // Get ADAM object.
                  > > try
                  > > {
                  > > objADAM = new DirectoryEntry
                  > > (strPath,"MaryBaker", "ipsita", AuthenticationTypes.None);
                  > > objADAM.RefreshCache();
                  > > }
                  > > catch (Exception e1)
                  > > {
                  > > Label2.Text = e1.ToString();
                  > > return;
                  > > }
                  > >
                  > > Now my only concern is, how to integrate it with UsernameToken in
                  > > WSE 2.0 and where exactly to put the code. By default WSE 2.0
                  calls
                  > > the UserNameTokenManager Class which calls VerifyToken method
                  and I
                  > > guess that calls the AuthenticateToken method. AuthenticateToken
                  > > method returns back the password that it retrieves and compares
                  > > with the Usernametoken password and hence authenticates the user.
                  > >
                  > > Can I please know how to override this default functionality?
                  > > As you said I dont have to create a CustomTokenManager? In which
                  > > case it will call the default one and expect AuthenticateToken to
                  > > return a password.
                  > >
                  > > Basically, in short, please tell me where to apply this code and how
                  > > it would work. And please, I may need some spoonfeeding since I hardly
                  > > understand the working of it all..:-)..
                  > >
                  > > Please help me..I am highly frustrated and losing sleep over it..
                  > > Thank you so much,
                  > > Sumaira
                  > >
                  > > --- In ADSIANDDirectoryServices@yahoogroups.com, "Sumaira Ahmad"
                  > > <sumaira_ahmad@y...> wrote:
                  > >> Thanks Joe for this email. For some reason these messages don't
                  > >> show up for long in your mailboxes and hence I have been continuing
                  > >> to post messages to all possible groups to get my answer.
                  > >>
                  > >> I am a little confused here, considering the fact that I am new to
                  > >> all these Microsoft technologies.
                  > >>
                  > >> So where do I write the code to connect to ADAM using LDAP S.DS? In
                  > >> the web service's UsernameTokenManager's AuthenticateToken method?
                  > >> That is the method I have used so far to return back the password of
                  > >> a user so that WSE can authenticate it against the password in the
                  > >> usernametoken. But that has to return back a password.
                  > >>
                  > >> So you mean to say I should not use WSE to authenticate an ADAM user?
                  > >>
                  > >> Here is my scenario:
                  > >> I have created an ADAM user with distinguished name:
                  > >> CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US
                  > >> and set a password for it.
                  > >> What should I use as my username in the user interface, and how to
                  > >> specify to LDAP that it has to check against that property to
                  > >> authenticate??? For instance if I use my userPrincipal name?
                  > >>
                  > >> Also in that case I will have to uncheck Integrated Windows
                  > >> Authentication and check Anonymous access??
                  > >>
                  > >> Sorry for all these basic questions but none is available on the
                  > >> internet.
                  > >> Thanks,
                  > >> Sumaira
                  > >>
                  > >>
                  > >> --- In ADSIANDDirectoryServices@yahoogroups.com, "Joe Kaplan"
                  > >> <joe@j...> wrote:
                  > >> > The best possible thing for real Windows/Active Directory users is
                  > >> > to create your own custom derived UserNameTokenManager class that
                  > >> > uses the LogonUser API or the SSPI APIs to authenticate the user
                  > >> > and create a real Windows login token for the user. From that, you
                  > >> > can create a WindowsPrincipal object to use for your IPrincipal.
                  > >> >
                  > >> > However, with ADAM users, you can't use any of the Windows login
                  > >> > protocols because ADAM users aren't Windows users. For ADAM, you
                  > >> > must use LDAP to authenticate the user.
                  > >> >
                  > >> > In order to validate credentials with LDAP, you basically just
                  > >> > need to bind to ADAM with the user's credentials. With S.DS, the
                  > >> > easiest way to do this is to use the DirectoryEntry object to bind
                  > >> > to RootDSE on ADAM with the user's username and password. You must
                  > >> > use AuthenticationTypes.None or possibly
                  > >> > AuthenticationTypes.SecureSocketsLayer. AuthenticationTypes.Secure
                  > >> > and the other settings that require secure binding (sealing,
                  > >> > signing, delegation) require a Windows login. This is one of the
                  > >> > best reasons to get an SSL certificate for your ADAM instance,
                  > >> > because this allows you to protect plain text credentials on the
                  > >> > network.
                  > >> >
                  > >> > If you need to look up groups for an ADAM user to build a more
                  > >> > full-featured IPrincipal object, the RootDSE object exposes a
                  > >> > tokenGroups attribute that allows you to get the SIDs of the
                  > >> > groups the ADAM user is a memberOf. There is a trick you need to
                  > >> > do in ADSI/S.DS to get this to work (must use the GC provider with
                  > >> > the ADAM SSL port), but it works.
                  > >> >
                  > >> > Hopefully that gives you a basic outline.
                  > >> >
                  > >> > Joe K.
                  > >> >
                  > >> > ----- Original Message -----
                  > >> > From: "Sumaira Ahmad" <sumaira_ahmad@y...>
                  > >> > To: <ADSIANDDirectoryServices@yahoogroups.com>
                  > >> > Sent: Thursday, September 30, 2004 8:17 PM
                  > >> > Subject: [ADSI-DirSrv] Username Token Authentication against
                  > >> > Active directory
                  > >> >
                  > >> >
                  > >> > > Hi,
                  > >> > >
                  > >> > > Can someone give me a head start on how to authenticate a
                  > >> > > UsernameToken security token that is created in an ASP.NET
                  > >> > > application using WSE 2.0 against Active directory.
                  > >> > >
                  > >> > > For instance, in my application on my user interface I enter the
                  > >> > > username and password and I use that to create a username token
                  > >> > > and send it to a web service.
                  > >> > > Following that, what is required at the web service end to match
                  > >> > > this password with the same user's password stored in ADAM?? Can
                  > >> > > anyone tell me??
                  > >> > >
                  > >> > > Do I first need to do a directorySearch for the user after
                  > >> > > extracting the username from the token and do a compare of their
                  > >> > > passwords?
                  > >> > > But as far as I know the userPassword property is a write-only
                  > >> > > property and hence I am not able to access it or read it. It
                  > >> > > gives a constraint violation when I try to do that.
                  > >> > >
                  > >> > > I also understand that the password needs to be sent as plain
                  > >> > > text if required to be authenticated against active directory.
                  > >> > >
                  > >> > > Any kind of help will be highly appreciated.
                  > >> > >
                  > >> > > Thanks,
                  > >> > > Sumaira
                  > >> > >
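The thread above describes the approach without showing where the LDAP bind lives. Below is an added example, written for this edit and not code from Joe, Sumaira or WSE itself, of a WSE 2.0 UsernameTokenManager subclass that validates an ADAM user by binding to RootDSE with the token's credentials and then returns the token's own password so WSE's comparison passes. It assumes ADAM is listening for LDAP over SSL on localhost:636 with a certificate the web server trusts; the namespace, class name and the "ADAM" identity type are hypothetical, and the roles array is left empty (the tokenGroups lookup Joe mentions is not shown).

```csharp
// Added example (not from the original thread): a WSE 2.0 UsernameTokenManager
// that validates an ADAM user with an LDAP simple bind over SSL.
// Assumptions: ADAM speaks LDAPS on localhost:636 with a trusted certificate;
// names in the Example.Security namespace are hypothetical.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2.Security.Tokens;

namespace Example.Security
{
    public class AdamUsernameTokenManager : UsernameTokenManager
    {
        // Assumed ADAM SSL port. Binding over SSL is what keeps the clear-text
        // password off the wire; AuthenticationTypes.Secure is not an option
        // because ADAM users are not Windows users.
        private const string AdamRootDse = "LDAP://localhost:636/RootDSE";

        // WSE 2.0 calls this with the incoming token and compares the returned
        // string with the token's password. The bind does the real check, so on
        // success we hand back the password the client sent; on failure we raise
        // a SOAP fault instead of returning anything.
        protected override string AuthenticateToken(UsernameToken token)
        {
            if (token == null)
                throw new ArgumentNullException("token");

            // A bind needs the clear-text password (PasswordOption.SendPlainText).
            // A hashed or missing password must never be treated as a success.
            if (token.PasswordOption != PasswordOption.SendPlainText
                || token.Password == null || token.Password.Length == 0)
            {
                throw new SoapException("Clear-text password required",
                                        SoapException.ClientFaultCode);
            }

            if (!BindAsUser(token.Username, token.Password))
            {
                // Deliberately vague: do not reveal whether the user name or the
                // password was wrong.
                throw new SoapException("Authentication failed",
                                        SoapException.ClientFaultCode);
            }

            // Give downstream code an IPrincipal; roles could later be filled
            // from the user's tokenGroups. "ADAM" is an arbitrary identity type.
            token.Principal = new GenericPrincipal(
                new GenericIdentity(token.Username, "ADAM"), new string[0]);

            return token.Password;
        }

        // Performs an LDAP simple bind to RootDSE with the supplied credentials.
        // ADAM accepts the user's distinguished name (for example
        // "CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US") or its userPrincipalName.
        // Any bind error, including invalid credentials, is reported as false.
        private static bool BindAsUser(string userName, string password)
        {
            DirectoryEntry entry = null;
            try
            {
                entry = new DirectoryEntry(AdamRootDse, userName, password,
                    AuthenticationTypes.SecureSocketsLayer);
                // The bind is lazy: reading a property forces it to happen.
                entry.RefreshCache(new string[] { "defaultNamingContext" });
                return true;
            }
            catch (COMException)
            {
                return false;
            }
            finally
            {
                if (entry != null)
                    entry.Dispose();
            }
        }
    }
}
```

To make WSE use this class instead of the default manager, register it in web.config as the securityTokenManager for wsse:UsernameToken, with type set to "Example.Security.AdamUsernameTokenManager, YourAssembly" (assembly name assumed). Because the client must send the password in clear text for the bind to work, the SOAP message itself also needs protection in transit, for example HTTPS between client and web service, in addition to the SSL bind between the web service and ADAM.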