One can use
new PrincipalContext(ContextType.Domain,null)
without providing any connection strings for the Active Directory.
When using ActiveDirectoryMembershipProvider you must provide an LDAP endpoint in web.config.
The site I'm working on will be deployed on multiple sites and I don't want to have to fill the details in the web.config for each deplyoment.
How To: Use Forms Authentication with Active Directory in Multiple Domains on MSDN specifies 3 (!) membership providers to deal with 3 domains which is not impressive. However, this article is from 2005 and it deals with a different tasks then what I'm after.
The question:
Is is possible to use ActiveDirectoryMembershipProvider in a way that the LDAP end point is not hard-coded in the web.config?
I would prefer to use ActiveDirectoryMembershipProvider rather than PrincipalContext to have (potentially) the ability to call ChangePassword etc.
No, it is not possible to use ActiveDirectoryMembershipProvider without specifying a target LDAP server.
The connection string must be specified, and the string must contain a server (contains ADS_FORMAT_SERVER)
You must create a connectionStrings Element (ASP.NET Settings Schema)
entry in the Web.config file that identifies the Active Directory
server, Active Directory domain, or ADAM application partition to use.
The provider will only operate at domain scope, or in a subscope
within a domain.
If you want to support an active directory forest, and losing forms authentication is an option, consider using Windows Authentication. Windows Authentication will use NTLM and Kerberos to get the user's identity within a forest, and you can still change a users password via impersonation. See WindowsIdentity.Impersonate().
Related
I have two domains A and B.
Users sit on domain A and IIS, SSAS is on domain B. There is no trust between the domains.
Users shall be able to access data through the msmdpump on the IIS to access the SSAS server. It would be nice if they could do this seamless without authentication using in integrated windows security
Everything works fine if I allow anonymous users on the IIS and on SSAS. But then users are not authenticated.
One of the problems is msmdpump is a bit of a black box. You need access to it from the IIS but once Excel uses it i think it contacts SSAS directly using the credentials in the odc connection string.
Have anyone had a smilair problem and how did you solve it?
Integrated security doesn't work this way and msmdpump is really a blackbox ;) We have had similar problem in a scenario where we have a website with users that login and download excel reports with a predefined connection string. Unfortunately to avoid the user to have to type the password when he opens excel we have to store it in the excel file (and it is plain text). So our solution which might not be the best was to add ANOTHER proxy between the user and the SSAS which would take care about security. So the excel file instead of pointing to the MSDPUMP points to our proxy with some session token that gives permission to access reports.
In our case that proxy was part of the website and used the user session (if he is authenticated to the website currently he can open the excel report) and the SSAS password in the connection string was the real SSAS active directory password but it was not a security breach because SSAS was not accessible outside the internal the network. So the chain was:
User with excel file -> Our proxy that handles security -> IIS with msdpump -> SSAS
I am not sure it is the best solution but after lots of discussions and investigation we couldn't come up with something better and it works in the end ;)
There are two active directory user registrys with trusted relationship, where users of one directory included in the groups of another directory. I need to configure IBM WebSphere Portal 6.1 on WAS7 that he used those related directories. But when federated repository is configured and I am trying to find users via group there are only those users who are in the same directory as the group. It works like it is independent registrys without trusted relationship.
Is it possible to configure portal server that he understood the trusted relationship of user registrys?
The solution was the usage of Global LDAP search port 3268 (3269) instead of default LDAP ports 389(636) and standalone repository.
Enable following referrals for both WAS security settings and WIM. You will have to edit security.xml and wimconfig.xml manually to accomplish all required changes.
We are trying to develop an ACL solution that would cater for both internal users (currently managed through Windows AD which is outside of the scope of the project) and external users. The idea is to have a new LDAP server, another Windows AD or non-AD server such as openldap, that will be used to manage external users and all groups that are to be used for the ACL.
And then a referral to the internal Windows AD would be setup so that authentication would work for both internal and external accounts and group membership to the groups defined in the new LDAP server would be open to both internal and external accounts.
The problem is to get the referral working, first following this document http://technet.microsoft.com/en-us/library/cc978014.aspx (under "Creating an External Cross-Reference for an Internal Location") it seems you need to have the external ldap server having the same domain as the internal one, this seems to be a problem, at least when using Windows AD as the external server as well.
Also due to security restrictions in place trust relationships cannot be created such that internal users can be added as members of groups created in the external server. So is there a way around this? Is it better to use openldap rather than Windows AD for the external server?
Any pointers would be much appreciated.
Cheers
#Haddad, the example you pointed out never mentioned the external server has to be in the same domain. The requirement is that the dnsRoot should be resolvable by your dns.
Have a look at this http://support.microsoft.com/kb/241737
Where the AD runs yourdomain.msft and the referral server runs in mydomain.msft
What is the difference/relation between ADAM, Active Directory, LDAP, ADFS, Windows Identity, cardspace and which server (Windows 2003, Windows 2008) uses what?
Active Directory is a server component for administrating windows domains and storing related informations like details about users. It provides implementations of the network protocols LDAP, DNS, CIFS and Kerberos. It's part of Windows Server 2003 as well as Windows Server 2008 with some modifications in the latter case.
ADAM was somewhat like the little brother of Active Directory. It only contained an implementation of LDAP. With Windows Server 2008 it was renamed to LDS, Lightweight Directory Services. ADAM/LDS can also be installed on non-server versions of Windows.
LDAP is a protocol for administrating the data of a directory service. Data within a directory services are stored in a hierarchical manner, a tree. Entries within that tree can contain a set of attributes where each has a name and a value. They are mostly used for storing user related informations like usernames, passwords, email addresses and so on, as there are standardized schemas for this purpose and it's widely supported by applications.
ADFS is a technology which enables Single Sign-On for users of web applications within an Identity Federation. In a very short form: Imagine two organizations which have their user data stored within an active directory. Now each organization wants to give the users of the other organization access to its web applications, but with the restriction that the user data itself should neither be copied nor be fully accessible to the other organization. Thats the kind of problem ADFS can solve. May require an hour of reading & researching before fully understood.
Just to fill in the gaps above:
ADFS is an example of a STS (Security Token Service). STS's can be configured to have a trust relationship with each other. Imagine you have a company which only has internal users and they want to expand to external users. That means that all external users have to register, get a user name, password etc. Perhaps the company doesn't want to store all this stuff. They realise that most of their external users already have an OpenId account. So they federate (trust) their ADFS with an STS that accepts OpenId credentials.
When an external user wants to access the company website, they are asked what kind of user they are via a drop down. They select OpenID. They are then taken to the OpenId site where they authenticate. The user is then redirected back to the company ADFS with a signed token which states that OpenId has authenticated the user. Since there is a trust relationship, the ADFS accepts the authentication and allows the user access to the web site.
None of the OpenId credentials are stored by the company.
Effectively, you have outsourced authentication.
ADFS currently runs on Windows Server 2008 R2.
For Windows Identity (in the context of ADFS) I assume you are asking about Windows Identity Foundation (WIF). This is essentially a set of .NET classes that are added to a project using VS that makes the application "claims aware". There is a VS tool called FedUtil that maps an application to a STS and describes the claims that will be provided. (A claim is an attribute e.g. name, DOB etc.) When a user accesses the application, WIF redirects the user to the mapped STS where the user logs in. WIF then provides the application with a set of claims. Based on these, the application can alter flows based on the user claims. E.g. only users with a claim type of Role with a value of Editor can alter pages.
WIF can also act as an Access Manager E.g. only Editors can access this page. Other users simply receive an error.
In WIF, an application is referred to as a "Relying Party" (RP).
WIF inside VS requires Vista or Windows 7.
Since STS's can be federated with each other, each STS can provide a group of claims.
E.g. in the example above, the OpenId STS can provide the user's name while the company ADFS can provide information not pertinent to OpenId e.g role in the company.
Cardspace is a mechanism to authenticate via a digital identity e.g. an enabled application can ask you to login by selecting one of your "cards", one of which might be e.g. your personal X509 certificate. The application would then check this against the credentials it has stored.
In February 2011, Microsoft announced that they would no longer be developing the Windows CardSpace product.
The setup:
There is a central AD domain (CENTRAL) and multiple seperate forests, each of which has their own domain (BRANCH1, BRANCH2, BRANCH3)
There are 2-way domain trusts between CENTRAL and all other domains.
An application I'm working on runs on the CENTRAL domain and performs LDAP searches on all domains, using the credentials CENTRAL\ldapreader.
This works perfectly for CENTRAL and BRANCH1, but BRANCH2 and BRANCH3 refuse the connection with an invalid credentials error. If the search instead uses an account in those domains (BRANCH2\ldapreader, etc) then the search works fine.
What level of permissions are needed to read AD as an LDAP server? Everything I've found indicates that this is allowed for AUTENTICATED USERS, which should work fine with CENTRAL\ldapreader due to the two way trust but that isn't the behavior we're getting.
I think the permission you're looking for is "List Contents". You should ensure "CENTRAL\ldapreader" has this permission for BRANCH2 and BRANCH3.
I'm wondering if you set up the trusts with selective authentication or forest-wide authentication and whether you can manualy browse BRANCH2 and BRANCH3.