Managing Authentication in ADAM

Applies To: Windows Server 2003 R2

With ADAM, you can bind as a Windows principal, as an ADAM principal, or through an ADAM proxy object. In the following exercises, you:

  • Complete a bind as a Windows principal.

  • Set a password for the ADAM user account Mary Baker, which you created earlier.

  • Complete a bind as an ADAM principal.

  • Complete a bind through an ADAM proxy object.

In addition, you test the permissions that you set by using the Dsacls.exe command-line tool in the exercises in Managing Authorization in ADAM.

Binding as a Windows Principal

In this exercise, you bind to an ADAM instance as a Windows principal and then test the bind.

To bind as a Windows principal and test the bind

  1. Click Start, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.

  2. Using ADAM ADSI Edit, bind to your ADAM instance using the Windows principal that you are logged on as, and connect to the O=Microsoft,c=US directory partition.

  3. In the details pane, browse to the ADAM testers group, on which you denied the Delete permission to your current Windows account.

  4. Right-click the ADAM testers group, and then click Delete. An “Access denied” message appears, confirming that the Delete permission has been successfully denied to your Windows account.

Setting the Password of an ADAM User

Before logging on to the ADAM instance with the Mary Baker user account, you first set a password on the account.

Note

In addition to using Ldp as described in this procedure, you can also use ADAM ADSI Edit to set or modify passwords: right-click the directory object representing the ADAM security principal in ADAM ADSI Edit, and then click Reset Password.

To set a password on an ADAM user account

  1. Click Start, point to All Programs, point to ADAM, and click ADAM Tools Command Prompt.

  2. At the command prompt, type ldp, and then press ENTER.

  3. On the Connection menu, click Connect, and then connect to your ADAM instance.

  4. On the Options menu, click Connection Options.

  5. In Option Name, click LDAP_OPT_SIGN, type 1 in Value, and then click Set.

  6. In Option Name, click LDAP_OPT_ENCRYPT, type 1 in Value, click Set, and then click Close.

  7. On the Connection menu, click Bind, and then bind to your ADAM instance.

  8. On the View menu, click Tree, leave BaseDN blank, and then click OK.

  9. In the console tree, locate the O=Microsoft,C=US directory partition. Double-click O=Microsoft,C=US, and then double-click OU=ADAM Users,O=Microsoft,C=US.

  10. Right-click the CN=Mary Baker user object, and then click Modify. The following dialog box appears:

    (Screen shot: ADAM Ldp, modifying user)

  11. In Attribute, type userpassword, and then, in Values, type a password for the account.

  12. Click Enter, and then click Run. The details pane in Ldp should contain output similar to the following:

***Call Modify...

ldap_modify_s(ld, 'CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US',[1] attrs);

Modified "CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US".

Note

When ADAM runs on a computer running Windows Server 2003, it enforces the password policy and account lockout settings of the computer, organizational unit, or domain, whichever is in effect.

Binding as an ADAM Principal

In this exercise, you bind to an ADAM instance as an ADAM principal and then test the bind.

To bind as an ADAM principal and test the bind

  1. Using Ldp, bind to your ADAM instance using CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US as the account, along with the password that you just assigned to this account.

  2. To confirm that you are logged on as Mary Baker and that the Delete permission that you granted earlier is effective, in the Ldp console tree, browse to the ADAM testers group and delete it. To delete the ADAM testers group, right-click the CN=ADAM testers object, and then click Delete.

    Note

    By default, new ADAM users (such as Mary Baker) are granted Read access to the top-level container of a given directory partition, a permission which is inherited by all objects on the partition. But, because you explicitly assigned the Delete permission to Mary Baker on the ADAM testers group object, the delete operation succeeded. For more information about access control and default permissions in ADAM, see ADAM Help. To view ADAM Help, click Start, point to All Programs, point to ADAM, and then click ADAM Help.
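The Modify that set userPassword in the previous procedure and the simple bind in this one are two ordinary LDAP operations. The following added example (not code from the ADAM guide or from the Ldp tool) hand-encodes both with the BER rules LDAP uses, so that you can see what crosses the network and why the procedures ask for connection protection (signing and encryption options, or SSL for proxy binds): in both PDUs the password sits as plain bytes, so whatever protects it must come from the transport, not from LDAP itself. The DN is the one from the exercise; the password value and message IDs are constructed for the example, and no directory is contacted.

```python
# Added example (not from the ADAM guide): builds a simple BindRequest and a
# ModifyRequest (replace userPassword) as raw LDAP PDUs and inspects them.
# Only the DN comes from the exercise; password and message IDs are constructed.

def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02); non-negative values only, which is all LDAP needs here."""
    if value < 0:
        raise ValueError("negative integers are not needed for these PDUs")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:            # keep the sign bit clear for positive values
        body = b"\x00" + body
    return tlv(0x02, body)

def octet_string(s: str) -> bytes:
    return tlv(0x04, s.encode("utf-8"))

def sequence(*elems: bytes) -> bytes:
    return tlv(0x30, b"".join(elems))

def ldap_message(message_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    return sequence(ber_integer(message_id), op)

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Simple BindRequest: [APPLICATION 0] { version 3, name, simple [0] password }."""
    op = tlv(0x60, ber_integer(3) + octet_string(dn)
             + tlv(0x80, password.encode("utf-8")))
    return ldap_message(message_id, op)

def modify_request(message_id: int, dn: str, attr: str, values) -> bytes:
    """ModifyRequest: [APPLICATION 6] { object, changes SEQUENCE OF change }
    with a single replace change (ENUMERATED 2), which sets the attribute
    regardless of any value it already holds."""
    vals = tlv(0x31, b"".join(octet_string(v) for v in values))   # SET OF values
    change = sequence(tlv(0x0A, b"\x02"), sequence(octet_string(attr), vals))
    op = tlv(0x66, octet_string(dn) + sequence(change))
    return ldap_message(message_id, op)

def password_in_clear(pdu: bytes, password: str) -> bool:
    """True when the password bytes are readable in the PDU, which is what an
    observer on the wire sees unless the session itself is encrypted."""
    return password.encode("utf-8") in pdu

if __name__ == "__main__":
    dn = "CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US"   # DN from the exercise
    pw = "Example-Pass-0"                                  # constructed value
    mod = modify_request(1, dn, "userPassword", [pw])
    bind = bind_request(2, dn, pw)
    print("ModifyRequest:", mod.hex())
    print("BindRequest  :", bind.hex())
    print("password readable in Modify/Bind:",
          password_in_clear(mod, pw), password_in_clear(bind, pw))
```

The same bind_request function produces the proxy bind used later in this guide; only the DN changes (cn=testproxy,o=Microsoft,c=us), and the password is still the Windows user's password in plain bytes, which is why bind redirection requires SSL by default.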

Binding Through an ADAM Proxy Object

In addition to binding as a Windows user or as an ADAM user, you can also bind to an ADAM instance by using ADAM bind redirection. When using bind redirection, ADAM can accept and process bind requests to an ADAM proxy object that contains as one of its attributes the security ID (SID) from an Active Directory security principal. With ADAM, you can use bind redirection to provide Active Directory users with access to both ADAM data and Active Directory data, using Active Directory domain credentials as a single sign-on (SSO). In addition, you can use ADAM proxy objects to store user data that is specific to a particular application in ADAM, while using Active Directory to store more widely used directory data.

Bind redirection enables a user to bind to ADAM by means of a simple bind while still using Active Directory credentials. Other types of binding with Active Directory credentials work without requiring a proxy, but a simple bind does not. Proxy binding works only for a simple bind.

The ADAM .ldf files, which you can import into the ADAM schema during ADAM setup, contain an object definition for the object userProxy, which can be used for bind redirection. This object contains attributes that include a distinguished name and a SID. By creating a userProxy object in ADAM—specifying a distinguished name to be used for binding—and by using a valid SID from an Active Directory user account, you can bind to ADAM using bind redirection. For more information about ADAM authentication, see "Active Directory Application Mode" Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=51640).

For the following exercises, it is assumed that you have already imported the optional user classes into the ADAM schema.

Binding Security and ADAM Proxy Objects

By default, binding to ADAM with bind redirection requires an SSL connection. SSL requires the installation and use of certificates on the computer running ADAM and on the computer connecting to ADAM as a client. If you do not have certificates installed in your ADAM test environment, you can, as an alternative, disable the requirement for SSL, as described in the following procedure.

Note

Disabling the requirement for SSL for bind redirection causes the password of a Windows security principal to be passed to the computer running ADAM, without first being encrypted. Therefore, you should only disable the SSL requirement in a test environment.

To disable the SSL requirement for bind redirection

  1. As described earlier in the procedure “To bind to, view, and browse an ADAM instance using ADAM ADSI Edit,” connect and bind to your ADAM instance using ADAM ADSI Edit, and then, in the console tree, browse to the following container object in the configuration partition: CN=Directory Service,CN=Windows NT,CN=Services.

  2. Right-click CN=Directory Service, and then click Properties.

  3. In Attributes, click msDS-Other-Settings, and then click Edit.

  4. In Values, click RequireSecureProxyBind=1, and then click Remove.

  5. In Value to add, type RequireSecureProxyBind=0, click Add, and then click OK.
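The procedure above edits one entry of the multi-valued msDS-Other-Settings attribute by hand. The following added example (not code from the ADAM guide) performs the same Remove-then-Add edit on a list of such values and, more usefully for a defender, audits a value list to flag an instance on which proxy binds are permitted without SSL. The setting name RequireSecureProxyBind comes from the page; the other entry in the sample list is a placeholder, and case-insensitive matching of setting names is an assumption of this example.

```python
# Added example (not from the ADAM guide): edit and audit msDS-Other-Settings
# values of the form Name=Value. Only RequireSecureProxyBind is from the page;
# OtherSetting is a placeholder entry, and case-insensitive name matching is
# an assumption of this example.
from typing import List, Optional, Tuple

CONSTRUCTED_SETTINGS = [
    "RequireSecureProxyBind=1",   # the secure default shown in step 4
    "OtherSetting=5",             # placeholder for an unrelated entry
]

def parse_setting(value: str) -> Tuple[str, str]:
    """Split 'Name=Value'; a value without '=' or without a name is malformed."""
    name, sep, val = value.partition("=")
    if not sep or not name:
        raise ValueError(f"malformed setting value: {value!r}")
    return name.strip(), val.strip()

def get_setting(values: List[str], name: str) -> Optional[str]:
    """Value of the named setting, or None when it is not present."""
    for v in values:
        n, val = parse_setting(v)
        if n.lower() == name.lower():
            return val
    return None

def set_setting(values: List[str], name: str, new_value: str) -> List[str]:
    """Return a new list with `name` set to `new_value`, keeping every other
    entry and its order; this mirrors the Remove and Add steps in Ldp/ADSI Edit."""
    kept = [v for v in values if parse_setting(v)[0].lower() != name.lower()]
    return kept + [f"{name}={new_value}"]

def audit_secure_proxy_bind(values: List[str]) -> Tuple[bool, str]:
    """(ok, finding). Not ok when proxy binds may be made without SSL, i.e. when
    a Windows user's password would cross the network unencrypted on a simple
    bind. A missing entry is reported conservatively so that it gets checked."""
    current = get_setting(values, "RequireSecureProxyBind")
    if current is None:
        return False, "RequireSecureProxyBind not present; confirm the instance setting"
    if current == "0":
        return False, "RequireSecureProxyBind=0: proxy binds allowed without SSL (test environments only)"
    return True, f"RequireSecureProxyBind={current}: SSL required for proxy binds"

if __name__ == "__main__":
    print(audit_secure_proxy_bind(CONSTRUCTED_SETTINGS))
    weakened = set_setting(CONSTRUCTED_SETTINGS, "RequireSecureProxyBind", "0")
    print(weakened, audit_secure_proxy_bind(weakened))
```

Running the audit over the attribute values read from CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition gives a quick check that a test-only change has not survived into a production instance.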

Creating and Binding with an ADAM Proxy Object

In these exercises, you create a proxy object for an Active Directory user, and you bind to ADAM using the proxy object.

To bind to ADAM through an ADAM proxy object

  1. As described earlier in the procedure “To connect and bind to an ADAM instance using Ldp.exe,” connect and bind to your ADAM instance using Ldp, and then browse to O=Microsoft,C=US.

  2. On the Ldp Browse menu, click Add child.

  3. In Dn, type cn=testproxy,o=microsoft,c=us as the distinguished name for the new userProxy object to be created in the O=Microsoft,C=US container.

  4. Under Edit Entry, type the following, and then click Enter:

    • In Attribute, type ObjectClass

    • In Values, type userProxy

  5. Again, under Edit Entry, type the following, and then click Enter:

    • In Attribute, type objectSID

    • In Values, type the valid SID of a user in Active Directory.

      The \LABS_DEMO\LABS\bindredirect directory in the ADAM download contains two commands from the Windows Server 2003 Administration Tools Pack, Dsquery.exe and Dsget.exe, to help you retrieve the SID of an Active Directory user. You can run these commands on a computer running Windows Server 2003.

      To retrieve the SID of an Active Directory user with these commands, type the following (as a single command) at a command prompt:

      dsquery user -samid domain\account | dsget user -sid

      where domain\account represents the user whose SID you want to retrieve. In this command, the results of Dsquery are piped to Dsget.

      You can retrieve the SID of the currently logged on user on a computer running Windows Server 2003 by typing the following at a command prompt:

      whoami /user

      (Some versions of whoami require the syntax whoami /user /sid.)

  6. Click Run. This adds the userProxy object, with the attributes that you specified, to the ADAM directory store.

  7. To disconnect from your ADAM instance, on the Connection menu, click Disconnect.
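Step 5 of the procedure above requires the SID of an Active Directory user in its textual form (S-1-5-21-...), which dsget and whoami print, while objectSid itself is stored in binary. The following added example (not code from the ADAM guide or the Administration Tools Pack) converts between the two forms, validates a SID before it is used, extracts the SID from whoami-style output, and distinguishes a domain account SID from a well-known SID that cannot stand for a particular user. The whoami output and the SID values in it are constructed for the example, not captured from a real system.

```python
# Added example (not from the ADAM guide): textual SID <-> binary objectSid,
# plus extraction of a SID from tool output. Sample output below is constructed.
import re
import struct

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed whoami /user output (user name and SID are made up for this example).
WHOAMI_SAMPLE = """USER INFORMATION
----------------

User Name       SID
=============== =============================================
contoso\\alice   S-1-5-21-1004336348-1177238915-682003330-1001
"""

def sid_to_bytes(sid: str) -> bytes:
    """Textual SID -> binary SID.
    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then each 32-bit sub-authority little-endian."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {sid!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 1 <= len(subs) <= 15:
        raise ValueError("a SID carries between 1 and 15 sub-authorities")
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID component out of range")
    out = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(raw: bytes) -> str:
    """Binary SID -> textual SID (inverse of sid_to_bytes), with length checks."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 binary SID")
    count = raw[1]
    if count < 1 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def sid_from_tool_output(text: str) -> str:
    """Pull the first SID out of whoami /user or dsget user -sid output."""
    m = SID_RE.search(text)
    if not m:
        raise ValueError("no SID found in tool output")
    return m.group(0)

def is_domain_account_sid(sid: str) -> bool:
    """True for S-1-5-21-<three domain sub-authorities>-<RID>, the shape of an
    account issued by a domain (or local SAM); well-known SIDs such as S-1-5-18
    do not identify a particular user and should not back a userProxy."""
    parts = sid.split("-")
    return len(parts) >= 8 and parts[:4] == ["S", "1", "5", "21"]

if __name__ == "__main__":
    sid = sid_from_tool_output(WHOAMI_SAMPLE)
    raw = sid_to_bytes(sid)
    print(sid, "->", raw.hex(), "->", bytes_to_sid(raw))
    print("domain account SID:", is_domain_account_sid(sid))
```

Checking is_domain_account_sid before creating the proxy object catches the common mistake of pasting a group or well-known SID from the wrong line of the tool output.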

Now, you can bind to your ADAM instance using the ADAM proxy object and bind redirection.

To bind as an ADAM proxy object through bind redirection

  1. On the Connection menu, click Connect, and then connect to your ADAM instance on a new connection.

  2. On the Options menu, click Connection Options.

  3. In Option Name, click LDAP_OPT_SIGN, type 1 in Value, and then click Set.

  4. In Option Name, click LDAP_OPT_ENCRYPT, type 1 in Value, click Set, and then click Close.

  5. To bind to your ADAM instance again with Ldp, on the Connection menu, click Bind.

  6. In User, type:

    cn=testproxy,o=Microsoft,c=us

    This represents the proxy object that you just created.

  7. Make sure that the Domain option is not selected.

  8. In Password, type the password that is associated with the Active Directory user that you specified in step 5 in the previous procedure, and then click OK.

Demonstrating ADAM Proxy Object Functionality

By default, a Windows user binding to an ADAM instance receives membership only in the ADAM groups to which that user has been explicitly added as a member. When a user binds to an ADAM instance through a proxy object, the user receives membership in the Users group on each naming context that is held by the ADAM instance.

You can use this difference in group memberships to demonstrate the functional difference between binding to an ADAM instance as a Windows user and binding to an ADAM instance through a proxy object. The following exercise demonstrates this difference.

To demonstrate binding to ADAM through a proxy object

  1. In the O=Microsoft,C=US directory partition, add the Users group as a member of the Readers group, following the general directions for adding members to groups as described earlier in the procedure “To add a user to a group.”

  2. Bind to your ADAM instance (using Ldp or ADAM ADSI Edit) as an Active Directory user (other than the ADAM administrator, which receives full access to all partitions by default).

  3. Attempt to read any object in the O=Microsoft,C=US directory partition. Your attempt should fail, because the Active Directory user does not have access to the partition by default.

  4. Bind to your ADAM instance (using Ldp or ADAM ADSI Edit) using the proxy object that you created.

  5. Attempt to read any object in the O=Microsoft,C=US directory partition. This time, your attempt should succeed, because users who bind to an ADAM instance through a proxy object automatically receive membership in the Users group, and because you added the Users group to the Readers group in step 1 of this procedure. Binding to the ADAM instance through the proxy object therefore enables you to read the partition.

    Note

    For more information about bind redirection, see ADAM Help. To view ADAM Help, click Start, point to All Programs, point to ADAM, and then click ADAM Help. For information about administering proxy objects programmatically, see Administering ADAM Programmatically later in this guide.
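The exercise above turns on the difference between explicit and automatic group membership, resolved through nested groups. The following added example (not code from the ADAM guide) models that reasoning: it computes a principal's effective groups by transitive closure over nested membership and then evaluates a right against group grants. The group names Users and Readers and the nesting from step 1 are taken from the exercise; the grant of Read to Readers on the partition is assumed from the earlier authorization exercises, and the model does not represent explicit deny entries or the ADAM administrator's full access.

```python
# Added example (not from the ADAM guide): effective group membership through
# nesting and the read check the exercise performs. Users/Readers and the
# Users-in-Readers nesting are from the exercise; the Readers->read grant is
# assumed; deny entries and administrator access are not modeled.
from typing import Dict, Set

# Direct members of each group (only groups are tracked here):
# step 1 of the exercise adds Users to Readers.
NESTED: Dict[str, Set[str]] = {"Readers": {"Users"}}

# Rights granted to groups on the O=Microsoft,C=US partition (assumed grant).
PARTITION_ACL: Dict[str, Set[str]] = {"Readers": {"read"}}

def effective_groups(direct: Set[str], nested: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure: every group that contains one of the principal's
    groups, directly or through further nesting. Cycles are harmless because
    the result set only grows and the loop stops when nothing is added."""
    result = set(direct)
    changed = True
    while changed:
        changed = False
        for group, members in nested.items():
            if group not in result and result & members:
                result.add(group)
                changed = True
    return result

def groups_for_bind(explicit: Set[str], via_proxy: bool) -> Set[str]:
    """A Windows user holds only the ADAM groups it was explicitly added to;
    a bind through a userProxy object additionally receives the partition's
    Users group."""
    return explicit | ({"Users"} if via_proxy else set())

def has_right(principal_groups: Set[str], nested: Dict[str, Set[str]],
              acl: Dict[str, Set[str]], right: str) -> bool:
    """True when any effective group is granted the right (allow-only model)."""
    groups = effective_groups(principal_groups, nested)
    return any(right in acl.get(g, set()) for g in groups)

if __name__ == "__main__":
    # Step 3: an Active Directory user with no explicit ADAM memberships.
    direct_bind = groups_for_bind(set(), via_proxy=False)
    # Step 5: the same user bound through cn=testproxy.
    proxy_bind = groups_for_bind(set(), via_proxy=True)
    print("direct AD bind can read:", has_right(direct_bind, NESTED, PARTITION_ACL, "read"))
    print("proxy bind can read    :", has_right(proxy_bind, NESTED, PARTITION_ACL, "read"))
    print("proxy effective groups :", sorted(effective_groups(proxy_bind, NESTED)))
```

Removing the Users-in-Readers nesting from NESTED makes the proxy bind fail the read check as well, which is the same effect you would see by undoing step 1 of the exercise.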