Bind to an AD LDS Instance Through a Proxy Object

Applies To: Windows Server 2008

In addition to binding as a Windows user or as an Active Directory Lightweight Directory Services (AD LDS) user, you can also bind to an AD LDS instance by using AD LDS bind redirection. When you use bind redirection, AD LDS can accept and process bind requests to an AD LDS proxy object that contains as one of its attributes the security identifier (SID) from an Active Directory Domain Services (AD DS) security principal. With AD LDS, you can use bind redirection to provide AD DS users with access to both AD LDS data and AD DS data, using AD DS domain credentials for single sign-on (SSO).

Important

You can use this procedure to bind to an AD LDS instance through a proxy object. Bind redirection enables a user to bind to AD LDS by means of a simple bind while still using AD DS credentials. Other types of binding with AD DS credentials work without requiring a proxy, but a simple bind does not. Proxy binding works only for a simple bind.

The AD LDS .ldf files, which you can import into the AD LDS schema during AD LDS setup, contain an object definition for the object userProxy, which you can use for bind redirection. This object contains attributes that include a distinguished name and a SID. By creating a userProxy object in AD LDS—specifying a distinguished name to be used for binding—and by using a valid SID from an AD DS user account, you can bind to AD LDS using bind redirection. For more information, see “AD LDS bind redirection” in Introduction to Administering Authentication and Access Control.

The tasks for binding to an AD LDS instance through a proxy object include the following:

  • Configure SSL requirements

  • Create an AD LDS proxy object

  • Bind through the proxy object

Configure SSL requirements

By default, binding to AD LDS with bind redirection requires a Secure Sockets Layer (SSL) connection. SSL requires the installation and use of certificates on the computer running AD LDS. For more information about configuring LDAP over SSL, see Appendix A: Configuring LDAP over SSL Requirements for AD LDS.

For the following exercises, you can, as an alternative, disable the requirement for SSL in your AD LDS test environment, as described in the following procedure.

Note

Disabling the requirement for SSL for bind redirection causes the password of a Windows security principal to be passed to the computer that is running AD LDS, without first being encrypted. Therefore, you should disable the SSL requirement only in a test environment.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To disable the SSL requirement for bind redirection

  1. To open ADSI Edit, click Start, point to Administrative Tools, and then click ADSI Edit. Connect to the configuration directory partition of your AD LDS instance. For more information, see Manage an AD LDS Instance Using ADSI Edit.

  2. In the console tree, browse to the following container object in the configuration partition: CN=Directory Service,CN=Windows NT,CN=Services.

  3. Right-click CN=Directory Service, and then click Properties.

  4. In Attributes, click msDS-Other-Settings, and then click Edit.

  5. In Values, click RequireSecureProxyBind=1, and then click Remove.

  6. In Value to add, type RequireSecureProxyBind=0, click Add, and then click OK.

Create an AD LDS proxy object

You are now ready to create an AD LDS proxy object.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To create an AD LDS proxy object

  1. Click Start, and then click Server Manager.

  2. In the console tree, double-click Roles, and then click Active Directory Lightweight Directory Services.

  3. In the details pane, under the Advanced Tools, click Ldp.exe.

  4. Connect to your AD LDS instance. For more information, see Manage an AD LDS Instance Using Ldp.exe.

  5. On the Ldp Browse menu, click Add child.

  6. In Dn, type the distinguished name for the new userProxy object.

    For example, cn=testproxy,o=microsoft,c=us.

  7. Under Edit Entry, type the following, and then click Enter:

    • In Attribute, type ObjectClass.

    • In Values, type userProxy.

  8. Again, under Edit Entry, type the following, and then click Enter:

    • In Attribute, type objectSID.

    • In Values, type the valid SID of a user in AD DS.

      To retrieve the SID of an AD DS user, type the following (as a single command) at a command prompt:

      dsquery user -samid <account> | dsget user -sid

      where <account> represents the user logon name whose SID you want to retrieve. In this command, the results of dsquery are piped to dsget.

Important

The AD DS user that you are creating the proxy object for must not be a member of any AD LDS groups. You cannot successfully create proxy objects for Windows security principals that belong as members to AD LDS groups. However, after the proxy object for an AD DS user is created, the AD DS user can then be added to any AD LDS groups.

  9. Make sure that the Synchronous check box is selected.

  10. Click Run. This adds the userProxy object, with the attributes that you specified, to the AD LDS directory store.
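The two procedures above (removing the RequireSecureProxyBind value from msDS-Other-Settings, and adding a userProxy object whose objectSid is an AD DS user's SID) can also be scripted as LDIF for ldifde.exe. The following is an added example, not code from the original page or from Microsoft: it converts the text SID that dsget prints into the binary objectSid form and emits both LDIF records. The DN cn=testproxy,o=microsoft,c=us comes from the procedure; the SID and the configuration partition name are constructed placeholders.

```python
import base64
import re
import struct

# Constructed sample values (not from the page): the DN is the one the Ldp.exe
# procedure uses; the SID is a made-up AD DS user SID in the text form that
# "dsget user -sid" prints.
PROXY_DN = "cn=testproxy,o=microsoft,c=us"
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1104"

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def sid_to_bytes(sid: str) -> bytes:
    """Text SID (S-R-IA-SA...) to the binary layout stored in objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as 32-bit little-endian."""
    m = _SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a text SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or authority >= 1 << 48 or not 1 <= len(subs) <= 15:
        raise ValueError(f"SID field out of range: {sid!r}")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)

def userproxy_ldif(dn: str, sid: str) -> str:
    """LDIF add record for a userProxy whose objectSid is the AD DS user's SID.
    objectSid is binary, so LDIF needs the '::' base64 form."""
    sid_b64 = base64.b64encode(sid_to_bytes(sid)).decode("ascii")
    return f"dn: {dn}\nchangetype: add\nobjectClass: userProxy\nobjectSid:: {sid_b64}\n"

def require_secure_proxy_bind_ldif(config_nc: str, enabled: bool) -> str:
    """LDIF modify that flips RequireSecureProxyBind in msDS-Other-Settings on
    CN=Directory Service. The attribute is multi-valued, so the old value is
    deleted and the new one added rather than replacing all settings."""
    old, new = ("0", "1") if enabled else ("1", "0")
    return (
        f"dn: CN=Directory Service,CN=Windows NT,CN=Services,{config_nc}\n"
        "changetype: modify\n"
        f"delete: msDS-Other-Settings\nmsDS-Other-Settings: RequireSecureProxyBind={old}\n-\n"
        f"add: msDS-Other-Settings\nmsDS-Other-Settings: RequireSecureProxyBind={new}\n-\n"
    )

if __name__ == "__main__":
    print(userproxy_ldif(PROXY_DN, SAMPLE_SID))
    # Placeholder configuration partition name; AD LDS uses CN=Configuration,CN={instance GUID}.
    print(require_secure_proxy_bind_ldif("CN=Configuration,CN={GUID-placeholder}", False))
```

Import each record with ldifde -i -f file.ldf -s server:port; re-run the modify with enabled=True to restore the SSL requirement once testing is finished.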

Bind through the proxy object

Now, you can bind to your AD LDS instance using the AD LDS proxy object and bind redirection.

To bind as an AD LDS proxy object through bind redirection

  1. Click Start, and then click Server Manager.

  2. In the console tree, double-click Roles, and then click Active Directory Lightweight Directory Services.

  3. In the details pane, under the Advanced Tools, click Ldp.exe.

  4. Connect to your AD LDS instance. For more information, see Manage an AD LDS Instance Using Ldp.exe.

  5. On the Options menu, click Connection Options.

  6. In Option Name, click LDAP_OPT_SIGN, type 1 in Value, and then click Set.

  7. In Option Name, click LDAP_OPT_ENCRYPT, type 1 in Value, click Set, and then click Close.

  8. To bind to your AD LDS instance, on the Connection menu, click Bind.

  9. Under Bind type, click Simple bind.

  10. In User, type the distinguished name of your proxy object.

  11. In Password, type the password that is associated with the AD DS user that you created the proxy object for, and then click OK.