[ActiveDir] Test 123

2006-09-28 Thread Mark Parris
Just checking to see if the list is working as nothing landed overnight.


Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Test 123

2006-09-28 Thread Brian Puhl
SHREK: It's quiet. Too quiet. Where is everybody? 
DONKEY: Hey, look at this! 

MACHINE SINGS

DONKEY: Wow! Let's do that again! 
SHREK: No! No! No, no no. No... 




RE: [ActiveDir] Test 123

2006-09-28 Thread Ramon Linan
That's because the people like to sleep during the night :)

Just Joking 



Re: [ActiveDir] Test 123

2006-09-28 Thread Bart Van den Wyngaert

Or sometimes have better (or other) things to do... ;-)



Re: [ActiveDir] Test 123

2006-09-28 Thread Mark Parris
Well, I now know where Dr Bunsen and Beaker were, but there is usually something
overnight as the USA is behind the UK.


Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596





[ActiveDir] Problem with Active Sync

2006-09-28 Thread Ravi Dogra

Hi All,

I am facing problems while trying to sync my PPC. I receive an error
stating synchronization failed and the support code is 80004004.

I was facing some other problems with my ActiveSync and OMA which
were rectified by changing authentication methods to not allow
anonymous and enabling Windows integrated and basic authentication.

However, I have doubts about my ActiveSync. I think there is something
wrong with it and I have no clue...

This is really urgent.

--
Ravi Dogra


[ActiveDir] Reset Password GUI Issue

2006-09-28 Thread Steve Evans
For our student accounts I remove the default ACE for Authenticated Users
(because of FERPA, which is a federal student privacy act).  Then a group
has been delegated rights to reset their passwords and force a password
change at next logon, as well as restoring the read general, public,
personal, permissions, and web information (like Authenticated Users
normally has).

Using ADUC one of these admins with delegated rights can reset the password,
but the checkbox for force password change at next logon is greyed out.  If
the admin then opens the account and goes to the Account tab they can check
the force password change at next logon successfully.

Anyone know what's going on?

Steve Evans



RE: [ActiveDir] Problem with Active Sync

2006-09-28 Thread Bruyere, Michel
Hi,
Last time I had this, I had to pinpoint the culprit by removing
all the items and then re-adding them one by one, syncing between each item. It
turned out to be a note that was corrupted; I deleted it and then
re-added the notes to the sync and all went well after that.

My 0.02$

(Also, make sure your device is not connected to the PC when you boot
the PC. When Windows detects the device before ActiveSync is started it
screws things up a bit...)





[ActiveDir] OT: Jabber and AD authentication

2006-09-28 Thread Michael Miller
The powers that be at my site want to implement IM using Jabber and 
would like to leverage our AD for authentication.


We are just starting to think about this.  It's not yet decided if the 
Jabber server will be running on Linux or Windows.


I would imagine several people in this august body would have experience 
with this.


I would be interested in your comments before we actually start trying 
to implement something.


TIA,

-mjm

--
Michael J. Miller
Computing Services
College of Veterinary Medicine
University of Illinois at Urbana-Champaign



RE: [ActiveDir] OT: Jabber and AD authentication

2006-09-28 Thread Brian Desmond
Assuming it can authenticate against an LDAP source it should work fine
- never done Jabber but they're all about the same when it comes to
this...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132




RE: [ActiveDir] OT: Jabber and AD authentication

2006-09-28 Thread Akomolafe, Deji



support.Jabber.com



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





Re: [ActiveDir] Problem with Active Sync

2006-09-28 Thread Ravi Dogra

In this case, how can I be sure that everything is good with my Exchange
configuration and nothing is wrong with OMA/OWA/ActiveSync?

Is it possible to verify whether my server configuration is OK or not?

A few days back, when users reported this problem to me, I looked at the
error and it was an authentication method problem, which was later
rectified.

In addition to that, after resolving the auth problem I was able to see
items when I tried http://mail.domain.com/oma with
Domain\Username
Password

When this is fixed, do I need to check something else to make ActiveSync work?

Thanks!!!
Ravi Dogra



RE: [ActiveDir] OT: Jabber and AD authentication

2006-09-28 Thread WATSON, BEN
Jabber supports the use of SRV records and works beautifully
against AD for authentication. I got a Jabber server up and running for my
company as a test about a year ago, however I was extremely let down by the
quality of the clients. Each client seemed to have its own quirk, bug, or
issue and I eventually dropped the idea for another attempt at a later date
when the clients have reached a reliable level of quality. Hopefully they have
reached that point now.



~Ben
Re: [ActiveDir] Reset Password GUI Issue

2006-09-28 Thread steve patrick

Try this:

http://support.microsoft.com/kb/832481/

"User must change password at next logon" check box is unavailable





[ActiveDir] Lenovo Battery Recall

2006-09-28 Thread Za Vue

Lenovo ThinkPad battery recall. Please see the link:

http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=BATT-LENOVO



-Z.V.


RE: [ActiveDir] Problem with Active Sync

2006-09-28 Thread Molkentin, Steve
Ravi,

Was it ever working? What version of ActiveSync are you using, and what
are the devices (what OS)?

The reason I ask is that we have an issue with ActiveSync v4.2 and Trend
OfficeScan where they DO NOT play together with Windows Mobile 5.0
devices. No fix from Trend until later next year!!! Same (or at least
similar) error to what you report.

My $0.02 inc GST.

themolk.




[ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Jef Kazimer
Since there has been talk of LDAP Authentication as of late, I figured I'd 
post my issue of poorly developed applications allowing a null password to 
an ADAM instance using Bind Redirection.


http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put in 
control of the directory Admin, instead of relying on the developers.


Thanks,

Jef Kazimer 




Re: [ActiveDir] Problem with Active Sync

2006-09-28 Thread Ravi Dogra

Yes, it was working fine till 4 days ago. Suddenly it stopped
responding and gave some valid reasons which were rectified.

Now I am not getting any errors. It keeps on looking for sync but
nothing happens. No error, nothing.

The device is a Windows Mobile device.

Antivirus is Sophos. But I don't think this will be an issue, since it
was there when everything was good.




RE: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Eric Fleischman
One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going against an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric





Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Joe Kaplan
It is a good article with good analysis.  I do think it would be a useful 
feature to have a bit to flip for simple bind to be forced to fail with 
blank password, even though this would go against the RFC spec.  I also 
think it is interesting that since ADAM is actually doing some sort of 
secure authentication to AD, this bind attempt does actually up the bad pwd 
count and can result in user lockout.


Another scenario that is interesting with blank passwords is that 
potentially an ADAM or AD user could have an actual blank password.  It then 
becomes very difficult to tell them apart from a bind attempt.  I remember 
Dmitri discussing this on the newsgroups a ways back, although as I recall, 
he seemed to believe this was an inevitable consequence of the spec.


Besides the DCR, I think all you can do is validate on the application side 
(but you already knew that).


Joe K.

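The behaviour Jef's post and Eric's and Joe's replies above are discussing is the LDAP simple bind rule of RFC 4513 section 5.1.2: a bind request that carries a name but an empty password is an "unauthenticated" bind, which ADAM and AD accept by default, so the directory answers success while the resulting connection is anonymous. An application that equates "bind returned success" with "user logged in" will accept a blank password for any account. The following Python model is added here to make that failure mode and the two defences the thread converges on (refuse the empty password on the application side, and, per Eric, read something only SELF may read after binding) concrete; it is not code from the thread, from ADAM or from any Jabber server. `FakeDirectory`, the DNs, account names and passwords are constructed stand-ins for a real LDAP client and directory so the example runs offline. The same search-then-bind flow is what an application such as the Jabber server in the earlier thread would run against AD.

```python
# Added example: a self-contained model of LDAP simple bind as ADAM/AD behave
# under RFC 4513 section 5.1.2, and the application-side checks the thread
# recommends.  FakeDirectory and all DNs, names and passwords are constructed.

SUCCESS = 0               # LDAP resultCode: success
INVALID_CREDENTIALS = 49  # LDAP resultCode: invalidCredentials


class FakeDirectory:
    """Constructed stand-in for an AD/ADAM instance; not a real LDAP client.

    simple_bind() models the directory's behaviour: a request carrying a name
    but an empty password is an *unauthenticated* bind, which ADAM/AD accept
    by default.  The result code is success, but the connection carries no
    authorization identity, i.e. it is anonymous.  That is what lets a
    poorly written application treat a blank password as a valid logon.
    """

    def __init__(self, users):
        # users: {dn: {"sAMAccountName": ..., "password": ..., "mail": ...}}
        self._users = users

    def find_dn(self, sam_account_name):
        """Search step of the usual search-then-bind flow (case-insensitive)."""
        for dn, entry in self._users.items():
            if entry["sAMAccountName"].lower() == sam_account_name.lower():
                return dn
        return None

    def simple_bind(self, dn, password):
        """Return (resultCode, authorization identity or None for anonymous)."""
        if password == "":
            # Anonymous bind (no name) and unauthenticated bind (name, empty
            # password) both succeed and both leave the connection anonymous.
            return SUCCESS, None
        entry = self._users.get(dn)
        if entry is None or entry["password"] != password:
            return INVALID_CREDENTIALS, None
        return SUCCESS, dn

    def read_attribute(self, authz_dn, target_dn, attribute):
        """Model Eric's ACL: only SELF may read the entry, so anonymous reads
        (and reads of other users' entries) return nothing."""
        if authz_dn is None or authz_dn != target_dn:
            return None
        return self._users[target_dn].get(attribute)


def build_directory():
    """Constructed sample accounts."""
    return FakeDirectory({
        "CN=alice,OU=People,DC=example,DC=test": {
            "sAMAccountName": "alice", "password": "Correct-Horse-7",
            "mail": "alice@example.test"},
        "CN=bob,OU=People,DC=example,DC=test": {
            "sAMAccountName": "bob", "password": "Battery-Staple-9",
            "mail": "bob@example.test"},
    })


def login_naive(directory, username, password):
    """The pattern Jef's post calls poorly developed: any successful bind is
    taken as a valid logon, so a blank password 'logs in' as anyone."""
    dn = directory.find_dn(username)
    if dn is None:
        return False
    code, _authz = directory.simple_bind(dn, password)
    return code == SUCCESS


def login_hardened(directory, username, password):
    """Application-side validation (Joe) plus the post-bind self-read (Eric)."""
    # 1. Refuse an empty or whitespace-only password before talking to the
    #    directory at all; the directory will not refuse it for you.
    if password is None or password.strip() == "":
        return False
    dn = directory.find_dn(username)
    if dn is None:
        return False
    code, authz = directory.simple_bind(dn, password)
    if code != SUCCESS:
        return False
    # 2. Prove the bound connection really carries this user's identity by
    #    reading something only SELF may read.  An anonymous connection, which
    #    is what an unauthenticated bind produces, fails here.
    value = directory.read_attribute(authz, dn, "sAMAccountName")
    return value is not None and value.lower() == username.lower()


if __name__ == "__main__":
    d = build_directory()
    print("naive, blank password:   ", login_naive(d, "alice", ""))     # True (the bug)
    print("hardened, blank password:", login_hardened(d, "alice", ""))  # False
    print("hardened, real password: ",
          login_hardened(d, "alice", "Correct-Horse-7"))                # True
```

With a real directory, `simple_bind` would be the client library's bind call and `read_attribute` a search on the user's own DN over the bound connection; what carries over is the order of the checks: refuse empty or whitespace-only passwords before any bind is sent, and treat a successful bind as proof of identity only once the connection can read something an anonymous connection cannot. Jef's later observation in this thread, that ADAM configured to "not accept anonymous bind requests" still answers an anonymous bind with success but refuses to enumerate anything, matches the model: the bind succeeds, the read fails.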


Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Jef Kazimer

Eric,

The problem stems from lack of ability to modify the application to correct 
the behavior.  If I had the ability to force this, I would simply require 
null/blank not to be passed to the ADAM server from the application.


I've been at odds about the DCR myself, for all the reasons you mentioned. 
Yet, without the ability to control the applications, the only thing I can 
control is the directory itself.  Without a mechanism to disable such 
behavior, I am without recourse unfortunately.


So far, I've been able to avoid this problem, because for the 2 apps I had this 
happen with, the developer was able to modify the authentication dialog.  I 
have had other apps with other issues, where modification was not possible. 
These did not suffer this poor design issue, but I wonder if I will get such 
an app eventually.  I suppose I am just trying to solve a problem I have 
not been forced to solve by this method, which means it can wait.


I could go into how it would be nice to have enterprise application minimum 
standards, and application owners involve infrastructure staff BEFORE an app 
is purchased, instead of after when it doesn't work, but I won't :)


Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going again an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, September 28, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured
I'd
post my issue of poorly developed applications allowing a null password
to
an ADAM instance using Bind Redirection.

http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put
in
control of the directory Admin, instead of relying on the developers.

Thanks,

Jef Kazimer

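Eric's suggestion quoted above (refuse the empty password before it ever reaches ADAM, then prove the bound identity by reading something only SELF can read) as an added example in PowerShell using System.DirectoryServices.Protocols. This is not code from the thread, from the application in question, or from Microsoft. The server name, port and DNs are placeholders, and it assumes the ADAM default where an anonymous session has no read access to the user or userProxy objects.

```powershell
# Added example (not from the thread): application-side guard for a simple bind
# to ADAM. Assumptions: LDAPS is enabled on the instance, and the user/userProxy
# object is readable by SELF but not by anonymous (ADAM's default ACLs).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdamSimpleBind {
    param(
        [Parameter(Mandatory)] [string] $Server,          # e.g. 'adam01.corp.example:50636' (placeholder)
        [Parameter(Mandatory)] [string] $UserDn,          # DN of the ADAM user or userProxy object
        [AllowEmptyString()]   [string] $Password,
        [string] $ProofAttribute = 'distinguishedName'    # any attribute SELF may read but anonymous may not
    )

    # RFC 4513 5.1.2: a name plus an empty password is an *unauthenticated* bind.
    # ADAM answers it with success and an anonymous session, so the check has to
    # happen before anything goes on the wire. Nothing reaches ADAM or AD here,
    # so this path cannot touch the AD badPwdCount either.
    if ([string]::IsNullOrEmpty($Password)) {
        return [pscustomobject]@{ Authenticated = $false; Reason = 'empty password refused before bind' }
    }

    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $true    # simple bind sends the password in the clear otherwise
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = [System.Net.NetworkCredential]::new($UserDn, $Password)

        try {
            $conn.Bind()
        } catch [System.DirectoryServices.Protocols.LdapException] {
            return [pscustomobject]@{ Authenticated = $false; Reason = "bind rejected: $($_.Exception.Message)" }
        }

        # Bind returned success. Prove the session really is $UserDn with a
        # base-scope read of our own entry: an anonymous session gets zero entries
        # back (or an error), never the attribute.
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $UserDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@($ProofAttribute))
        try {
            $resp = $conn.SendRequest($req)
        } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
            return [pscustomobject]@{ Authenticated = $false; Reason = "self-read failed: $($_.Exception.Message)" }
        }

        if ($resp.Entries.Count -ne 1 -or -not $resp.Entries[0].Attributes.Contains($ProofAttribute)) {
            return [pscustomobject]@{ Authenticated = $false; Reason = 'bind succeeded but self-read returned nothing; treating session as anonymous' }
        }
        return [pscustomobject]@{ Authenticated = $true; Reason = "bound and verified as $UserDn" }
    } finally {
        $conn.Dispose()
    }
}

# Usage with placeholder values:
# Test-AdamSimpleBind -Server 'adam01.corp.example:50636' `
#     -UserDn 'CN=jdoe,OU=Users,DC=app,DC=local' -Password ''        # refused locally, no bind sent
# Test-AdamSimpleBind -Server 'adam01.corp.example:50636' `
#     -UserDn 'CN=jdoe,OU=Users,DC=app,DC=local' -Password $secret   # bind, then self-read proof
```

The self-read is the part that survives a vendor login form you cannot change only if the vendor's code does it, which is Jef's whole problem; where the application can be modified, the empty-password refusal alone is enough, and the self-read is the belt-and-braces check against any other bind path that silently degrades to anonymous.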


Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Jef Kazimer

Joe,

I forgot to mention on the article (Which I updated):


-
I forgot to mention, I had thought to myself "Did I somehow enable anonymous 
binds and forget?", since part of the design was to not allow anonymous.  I 
did check the config entry as outlined in the ADAM FAQ:


ADAM does not accept anonymous bind requests by default. To enable anonymous 
LDAP operations in ADAM, you must set the seventh character of the 
dsHeuristics value to 2.


This indeed was set to NOT allow anonymous binds, which based on the wording 
I would assume mean that anonymous binds would be rejected.   In actuality, 
an anonymous bind is a SUCCESS, but you can't enumerate the directory 
structure from that point on.  Perhaps the wording should be changed to 
reflect this?






- Original Message -
From: Joe Kaplan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:58 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password

It is a good article with good analysis.  I do think it would be a useful 
feature to have a bit to flip for simple bind to be forced to fail with 
blank password, even though this would go against the RFC spec.  I also 
think it is interesting that since ADAM is actually doing some sort of 
secure authentication to AD, this bind attempt does actually up the bad 
pwd count and can result in user lockout.


Another scenario that is interesting with blank passwords is that 
potentially an ADAM or AD user could have an actual blank password.  It 
then becomes very difficult to tell them apart from a bind attempt.  I 
remember Dmitri discussing this on the newsgroups a ways back, although as 
I recall, he seemed to believe this was an inevitable consequence of the 
spec.


Besides the DCR, I think all you can do is validate on the application 
side (but you already knew that).


Joe K.

- Original Message - 
From: Jef Kazimer [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 7:53 PM
Subject: [ActiveDir] ADAM bind Redirection with a NULL password


Since there has been talk of LDAP Authentication as of late, I figured 
I'd post my issue of poorly developed applications allowing a null 
password to an ADAM instance using Bind Redirection.


http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put 
in control of the directory Admin, instead of relying on the developers.


Thanks,

Jef Kazimer
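An added example, not from the thread or from Microsoft, that puts the two things above into a script: it reads the dsHeuristics value from the ADAM instance's configuration partition and interprets the seventh character, then reproduces the observed behaviour of an unauthenticated bind (name plus empty password): the bind is accepted, but the resulting session cannot read even its own entry. It assumes the caller is a Windows principal that is an ADAM administrator (the config read uses the default Negotiate bind) and uses placeholder server and DN values.

```powershell
# Added example (not from the thread): audit the ADAM anonymous-operations switch
# and probe what an unauthenticated (empty-password) simple bind actually gets.
# Assumptions: current Windows identity is an ADAM administrator; placeholders
# for server and DN; the instance's rootDSE exposes configurationNamingContext.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-AdamAnonymousSetting {
    param([Parameter(Mandatory)] [string] $Server)   # e.g. 'adam01.corp.example:50000' (placeholder)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.Bind()   # AuthType defaults to Negotiate: bind as the current Windows identity

        # rootDSE gives the instance-specific configuration NC, "CN=Configuration,CN={GUID}"
        $rootReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
            '', '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('configurationNamingContext'))
        $configNc = [string]$conn.SendRequest($rootReq).Entries[0].Attributes['configurationNamingContext'][0]

        $dsDn  = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
        $dsReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $dsDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('dsHeuristics'))
        $entry = $conn.SendRequest($dsReq).Entries[0]
        $heur  = ''
        if ($entry.Attributes.Contains('dsHeuristics')) { $heur = [string]$entry.Attributes['dsHeuristics'][0] }

        # Seventh character (1-based) set to '2' enables anonymous LDAP *operations*.
        # Anything else leaves anonymous binds accepted but anonymous reads denied.
        $anonOps = ($heur.Length -ge 7) -and ($heur[6] -eq '2')
        [pscustomobject]@{ dsHeuristics = $heur; AnonymousOperationsEnabled = $anonOps }
    } finally { $conn.Dispose() }
}

function Test-AdamUnauthenticatedBind {
    param([Parameter(Mandatory)] [string] $Server,
          [Parameter(Mandatory)] [string] $UserDn)   # ADAM user or userProxy DN (placeholder)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = [System.Net.NetworkCredential]::new($UserDn, '')   # the "null password" case

        $bindOk = $true
        try { $conn.Bind() } catch [System.DirectoryServices.Protocols.LdapException] { $bindOk = $false }

        # If the bind was accepted, see whether the session can read its "own" entry.
        $entries = -1
        if ($bindOk) {
            $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
                $UserDn, '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Base,
                [string[]]@('distinguishedName'))
            try { $entries = $conn.SendRequest($req).Entries.Count }
            catch [System.DirectoryServices.Protocols.DirectoryOperationException] { $entries = 0 }
        }
        [pscustomobject]@{ BindAccepted = $bindOk; EntriesReadable = $entries }
    } finally { $conn.Dispose() }
}

# Usage with placeholder values:
# Get-AdamAnonymousSetting    -Server 'adam01.corp.example:50000'
# Test-AdamUnauthenticatedBind -Server 'adam01.corp.example:50000' -UserDn 'CN=jdoe,OU=Users,DC=app,DC=local'
```

With the seventh character of dsHeuristics left at its default, the second function is expected to report BindAccepted = True and EntriesReadable = 0, which is exactly the "bind is a SUCCESS but you can't enumerate" result described above. The first function only tells you whether anonymous operations are enabled; it is not a switch that makes the unauthenticated bind fail.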


Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Tony Murray
My impression from reading the on-line documentation is that the use of ADAM 
Proxy Objects and bind redirection is frowned upon anyway.

Proxy users are designed for special circumstances and should only be used as 
a last resort, when Windows principals cannot be used directly.

and

ADAM bind redirection should be used only in special cases where an 
application can perform a simple LDAP bind to ADAM but the application still 
needs to associate the user with a security principal in Active Directory.

From 
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true

Is there no way for the application to use the recommended alternative, i.e. 
where ADAM receives a SASL bind request and forwards the request to Active 
Directory?

Tony

-- Original Message --
From: Jef Kazimer [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct 
the behavior.  If I had the ability to force this, I would simply require 
null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned. 
Yet, without the ability to control the applications, the only thing I can 
control is the directory itself.  Without a mechanism to disable such 
behavior, I am without recourse unfortunately.

So far, I've been able to avoid this problem, because the 2 apps I had this 
happen with, the developer was able to modify the authentication dialog.  I 
have had other apps with other issuers, where modification was not possible. 
These did not suffer this poor design issue, but I wonder if I will get such 
an app eventually.  I suppose I am just trying to solve a problem, I have 
not been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum 
standards, and application owners involve infrastructure staff BEFORE an app 
is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going against an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, September 28, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured
I'd
post my issue of poorly developed applications allowing a null password
to
an ADAM instance using Bind Redirection.

http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put
in
control of the directory Admin, instead of relying on the developers.

Thanks,

Jef Kazimer



Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Joe Kaplan
The problem is that this happens a lot.  There are simply tons of 
applications out there that don't use Windows SASL binds.  It would be nice 
if it wasn't this way, but that's the reality of LDAP auth, especially with 
vendors that don't use Microsoft's LDAP libraries.  I've got at least 6 of 
these at work right now.


The other thing that is hard to deal with is scenarios where you have a mix 
of ADAM and AD principals.  Since it isn't easy to tell ADAM principals apart 
from AD principals, except possibly by naming convention, it can be hard to 
know whether an app should do a simple or SASL bind for a given user in this 
use case.


So, the advice from MS is good, but not easy to follow.  Also, the feature 
is there to be used.


Another thing is that to use features like Fast Concurrent Bind, you have to 
do simple bind.  It isn't supported with SASL.


BTW, does FCB work with bind proxies?  I've never tried.

Joe K.

- Original Message - 
From: Tony Murray [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password


My impression from reading the on-line documentation is that the use of 
ADAM Proxy Objects and bind redirection is frowned upon anyway.


Proxy users are designed for special circumstances and should only be 
used as a last resort, when Windows principals cannot be used directly.


and

ADAM bind redirection should be used only in special cases where an 
application can perform a simple LDAP bind to ADAM but the application 
still needs to associate the user with a security principal in Active 
Directory.


From 
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true


Is there no way for the application to use the recommended alternative, 
i.e. where ADAM receives a SASL bind request and forwards the request to 
Active Directory?


Tony

-- Original Message --
From: Jef Kazimer [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct
the behavior.  If I had the ability to force this, I would simply require
null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned.
Yet, without the ability to control the applications, the only thing I can
control is the directory itself.  Without a mechanism to disable such
behavior, I am without recourse unfortunately.

So far, I've been able to avoid this problem, because the 2 apps I had this
happen with, the developer was able to modify the authentication dialog.  I
have had other apps with other issuers, where modification was not possible.
These did not suffer this poor design issue, but I wonder if I will get such
an app eventually.  I suppose I am just trying to solve a problem, I have
not been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum
standards, and application owners involve infrastructure staff BEFORE an app
is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going against an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, September 28, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured
I'd
post my issue of poorly developed applications allowing a null password
to
an ADAM instance using Bind Redirection.

http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put
in
control of the directory Admin, instead of relying on the developers.

Thanks,

Jef Kazimer


Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Joe Kaplan
I agree, the documentation is misleading.  They should say that anonymous 
searches aren't allowed.


Joe K.

- Original Message - 
From: Jef Kazimer [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:24 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password



Joe,

I forgot to mention on the article (Which I updated):


-
I forgot to mention, I had thought to myself "Did I somehow enable 
anonymous binds and forget?", since part of the design was to not allow 
anonymous.  I did check the config entry as outlined in the ADAM FAQ:


ADAM does not accept anonymous bind requests by default. To enable 
anonymous LDAP operations in ADAM, you must set the seventh character of 
the dsHeuristics value to 2.


This indeed was set to NOT allow anonymous binds, which based on the 
wording I would assume mean that anonymous binds would be rejected.   In 
actuality, an anonymous bind is a SUCCESS, but you can't enumerate the 
directory structure from that point on.  Perhaps the wording should be 
changed to reflect this?








Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Tony Murray
Yes, I can see that Windows SASL binds might not be universally available ;-)

Thinking about it, another problem with the SASL binds is that presumably the 
ADAM instance must be running on a server that is a member of the 
authenticating AD domain (or at least one that has a trust back to the 
authenticating domain).  This would limit its usefulness in extranet scenarios 
because of the ports that would have to be opened between ADAM and AD (assuming 
they are on opposite sides of a firewall).

Tony
-- Original Message --
From: Joe Kaplan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 22:12:34 -0500

The problem is that this happens a lot.  There are simply tons of 
applications out there that don't use Windows SASL binds.  It would be nice 
if it wasn't this way, but that's the reality of LDAP auth, especially with 
vendors that don't use Microsoft's LDAP libraries.  I've got at least 6 of 
these at work right now.

The other thing that is hard to deal with is scenarios where you have a mix 
of ADAM and AD principals.  Since it isn't easy to tell ADAM principals apart 
from AD principals, except possibly by naming convention, it can be hard to 
know whether an app should do a simple or SASL bind for a given user in this 
use case.

So, the advice from MS is good, but not easy to follow.  Also, the feature 
is there to be used.

Another thing is that to use features like Fast Concurrent Bind, you have to 
do simple bind.  It isn't supported with SASL.

BTW, does FCB work with bind proxies?  I've never tried.

Joe K.

- Original Message - 
From: Tony Murray [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password


 My impression from reading the on-line documentation is that the use of 
 ADAM Proxy Objects and bind redirection is frowned upon anyway.

 Proxy users are designed for special circumstances and should only be 
 used as a last resort, when Windows principals cannot be used directly.

 and

 ADAM bind redirection should be used only in special cases where an 
 application can perform a simple LDAP bind to ADAM but the application 
 still needs to associate the user with a security principal in Active 
 Directory.

 From 
 http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true

 Is there no way for the application to use the recommended alternative, 
 i.e. where ADAM receives a SASL bind request and forwards the request to 
 Active Directory?

 Tony

 -- Original Message --
 From: Jef Kazimer [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Thu, 28 Sep 2006 21:17:39 -0500

 Eric,

 The problem stems from lack of ability to modify the application to correct
 the behavior.  If I had the ability to force this, I would simply require
 null/blank not to be passed to the ADAM server from the application.

 I've been at odds about the DCR myself, for all the reasons you mentioned.
 Yet, without the ability to control the applications, the only thing I can
 control is the directory itself.  Without a mechanism to disable such
 behavior, I am without recourse unfortunately.

 So far, I've been able to avoid this problem, because the 2 apps I had this
 happen with, the developer was able to modify the authentication dialog.  I
 have had other apps with other issuers, where modification was not possible.
 These did not suffer this poor design issue, but I wonder if I will get such
 an app eventually.  I suppose I am just trying to solve a problem, I have
 not been forced to solve by this method, which means it can wait.

 I could go into how it would be nice to have enterprise application minimum
 standards, and application owners involve infrastructure staff BEFORE an app
 is purchased, instead of after when it doesn't work, but I won't :)

 Jef


 - Original Message -
 From: Eric Fleischman [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Thursday, September 28, 2006 8:48 PM
 Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

 One solution would be to ACL all objects such that SELF can read them,
 then have the app, after it has authenticated as the user, try and read
 something on the user itself. This way you know you are in fact that
 user (or someone else that has read access, which presumably won't work
 as anonymous).

 In terms of your DCR...could such a bit be put in? I guess. But DCRs
 that are filed with the intentional intent of going against an RFC
 typically have a rough time getting through even with a very strong
 business impact. And you have a workaround already in the app, and
 another solution I mentioned above. Just setting expectations...

 ~Eric



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jef 

Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread jef

Tony,

I have to wonder what is classified as a special circumstances, since I 
suppose they are all sort of special.


I have used Bind Redirection with MIIS/IIFP for quite a few scenarios:

Corporate Spinoff:

We needed to split off a portion of our users into a new company, and an 
entirely new forest.  To solve the issue of apps only binding to a single 
NC, we used MIIS to populate an ADAM instance that contained active users 
from both forests during the TSA.


Corporate Acquisitions:
Similar situation, where we needed to combine users into a single NC.

Having more than 1 user domain, and an app that can ONLY bind to a single 
Domain/NC.


Custom Schema extensions for an application that is not an enterprise class 
application. You may not want to extend AD for a small subset of users. 
Extend the ADAM schema for the application, but proxy the user 
authentication back to the main AD.


It also helps with audit and compliance, where you are really only managing 
a single user principal, but proxying apps to it.



Unfortunately, LDAP seems to be the defacto standard for applications.  With 
that, simple bind seems to be the way of choice.   I would say, many are 
Java apps where I think someone wrote a howto many years ago, and I keep 
seeing the same thing come in as Authentication.


Some big name apps from Lotus/IBM, Documentum all have/had issues with only 
pointing to a single NC, so I don't want to say it's only smaller 
developers.  Many of the companies I've worked at, have had more than a 
single domain, so I am surprised that so many enterprise apps assume a 
single NC for authentication.


I can't solve the problems at the app level, but I try to solve it at the 
centralized directory level.


Thanks,

Jef


- Original Message -
From: Tony Murray [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password

My impression from reading the on-line documentation is that the use of 
ADAM Proxy Objects and bind redirection is frowned upon anyway.


Proxy users are designed for special circumstances and should only be 
used as a last resort, when Windows principals cannot be used directly.


and

ADAM bind redirection should be used only in special cases where an 
application can perform a simple LDAP bind to ADAM but the application 
still needs to associate the user with a security principal in Active 
Directory.


From 
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true


Is there no way for the application to use the recommended alternative, 
i.e. where ADAM receives a SASL bind request and forwards the request to 
Active Directory?


Tony

-- Original Message --
From: Jef Kazimer [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct
the behavior.  If I had the ability to force this, I would simply require
null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned.
Yet, without the ability to control the applications, the only thing I can
control is the directory itself.  Without a mechanism to disable such
behavior, I am without recourse unfortunately.

So far, I've been able to avoid this problem, because the 2 apps I had this
happen with, the developer was able to modify the authentication dialog.  I
have had other apps with other issuers, where modification was not possible.
These did not suffer this poor design issue, but I wonder if I will get such
an app eventually.  I suppose I am just trying to solve a problem, I have
not been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum
standards, and application owners involve infrastructure staff BEFORE an app
is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going against an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric




Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread jef

Joe,

FCB works with simple binds, and BR ONLY works with simple binds, so I 
suppose it's possible.


I've never coded to try however, but I could check it out.

Jef

- Original Message -
From: Joe Kaplan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 10:12 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password

The problem is that this happens a lot.  There are simply tons of 
applications out there that don't use Windows SASL binds.  It would be 
nice if it wasn't this way, but that's the reality of LDAP auth, 
especially with vendors that don't use Microsoft's LDAP libraries.  I've 
got at least 6 of these at work right now.


The other thing that is hard to deal with is scenarios where you have a 
mix of ADAM and AD principals.  Since it isn't easy to tell ADAM principals 
apart from AD principals, except possibly by naming convention, it can be 
hard to know whether an app should do a simple or SASL bind for a given 
user in this use case.


So, the advice from MS is good, but not easy to follow.  Also, the feature 
is there to be used.


Another thing is that to use features like Fast Concurrent Bind, you have 
to do simple bind.  It isn't supported with SASL.


BTW, does FCB work with bind proxies?  I've never tried.

Joe K.

- Original Message - 
From: Tony Murray [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password


My impression from reading the on-line documentation is that the use of 
ADAM Proxy Objects and bind redirection is frowned upon anyway.


Proxy users are designed for special circumstances and should only be 
used as a last resort, when Windows principals cannot be used directly.


and

ADAM bind redirection should be used only in special cases where an 
application can perform a simple LDAP bind to ADAM but the application 
still needs to associate the user with a security principal in Active 
Directory.


From 
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true


Is there no way for the application to use the recommended alternative, 
i.e. where ADAM receives a SASL bind request and forwards the request to 
Active Directory?


Tony

-- Original Message --
From: Jef Kazimer [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct
the behavior.  If I had the ability to force this, I would simply require
null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned.
Yet, without the ability to control the applications, the only thing I can
control is the directory itself.  Without a mechanism to disable such
behavior, I am without recourse unfortunately.

So far, I've been able to avoid this problem, because the 2 apps I had this
happen with, the developer was able to modify the authentication dialog.  I
have had other apps with other issuers, where modification was not possible.
These did not suffer this poor design issue, but I wonder if I will get such
an app eventually.  I suppose I am just trying to solve a problem, I have
not been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum
standards, and application owners involve infrastructure staff BEFORE an app
is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going against an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, September 28, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured
I'd
post my issue of poorly developed applications allowing a null password
to
an ADAM instance using Bind Redirection.


Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread jef

Tony,


I have a workshop next week with a vendor to discuss an extranet solution. 
Unfortunately, LDAP auth is not going to be possible, since there will be no 
communication across the firewall.


I am steering them toward an ADFS solution, which I think will fit the bill 
better.  The issue will be, that it will require a 3rd party middleware to 
make work, which I am not sure they will be thrilled about.


Thanks for the thoughts on this.  Glad to know I'm not the only one 
struggling with bad apps! ;)


Jef



- Original Message -
From: Tony Murray [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 10:57 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password

Yes, I can see that Windows SASL binds might not be universally available 
;-)


Thinking about it, another problem with the SASL binds is that presumably 
the ADAM instance must be running on a server that is a member of the 
authenticating AD domain (or at least one that has a trust back to the 
authenticating domain).  This would limit its usefulness in extranet 
scenarios because of the ports that would have to be opened between ADAM 
and AD (assuming they are on opposite sides of a firewall).


Tony
-- Original Message --
From: Joe Kaplan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 22:12:34 -0500

The problem is that this happens a lot.  There are simply tons of
applications out there that don't use Windows SASL binds.  It would be nice
if it wasn't this way, but that's the reality of LDAP auth, especially with
vendors that don't use Microsoft's LDAP libraries.  I've got at least 6 of
these at work right now.

The other thing that is hard to deal with is scenarios where you have a mix
of ADAM and AD principals.  Since it isn't easy to tell ADAM principals apart
from AD principals, except possibly by naming convention, it can be hard to
know whether an app should do a simple or SASL bind for a given user in this
use case.

So, the advice from MS is good, but not easy to follow.  Also, the feature
is there to be used.

Another thing is that to use features like Fast Concurrent Bind, you have to
do simple bind.  It isn't supported with SASL.

BTW, does FCB work with bind proxies?  I've never tried.

Joe K.

- Original Message - 
From: Tony Murray [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password



My impression from reading the on-line documentation is that the use of
ADAM Proxy Objects and bind redirection is frowned upon anyway.

Proxy users are designed for special circumstances and should only be
used as a last resort, when Windows principals cannot be used directly.

and

ADAM bind redirection should be used only in special cases where an
application can perform a simple LDAP bind to ADAM but the application
still needs to associate the user with a security principal in Active
Directory.

From
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true

Is there no way for the application to use the recommended alternative,
i.e. where ADAM receives a SASL bind request and forwards the request to
Active Directory?

Tony

-- Original Message --
From: Jef Kazimer [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct
the behavior.  If I had the ability to force this, I would simply require
null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned.
Yet, without the ability to control the applications, the only thing I can
control is the directory itself.  Without a mechanism to disable such
behavior, I am without recourse, unfortunately.

So far, I've been able to avoid this problem, because for the 2 apps I had
this happen with, the developer was able to modify the authentication dialog.
I have had other apps with other issues, where modification was not possible.
These did not suffer this poor design issue, but I wonder if I will get such
an app eventually.  I suppose I am just trying to solve a problem I have not
been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum
standards, and application owners involve infrastructure staff BEFORE an app
is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then 

Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Joe Kaplan
Yep, that's definitely true, although domain membership is also required to 
do bind proxy auth as well.  In a lot of these scenarios, the firewall is 
configured so that only LDAP ports are open to ADAM from the application, 
but the ADAM server has the necessary firewall ports open for domain 
membership.  In some cases, ADAM can actually go inside the DMZ, with just 
the app server in the DMZ.  There are lots of options.  :)


There are so many useful scenarios for Microsoft app servers that 
essentially require Internet facing web servers to be domain members 
(SharePoint, etc.) that I'm guessing people are used to opening domain 
membership ports through the DMZ firewall anyway.


I'm embarrassed to admit that we have numerous holes in our firewalls
allowing third parties to hit our DCs directly via LDAP for auth (SSL LDAP, 
yes, but still LDAP).  Sure, the firewall rules only allow traffic from 
specific IP addresses, but it is still way icky.  One of the reasons I'm so 
interested in ADFS is to help stomp out these monstrosities as soon as 
possible, but it will take a long time before all the vendors support 
federation, all the scenarios are covered and we actually have the IT 
budgeting priorities in place to make the necessary changes on our end.


Joe K.
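
The thread turns on two things: an application that hands ADAM whatever the user typed, including a blank password, and Joe's point that many vendors only do simple binds rather than Windows SASL binds. The following is an added example, not code from anyone in the thread or from Microsoft, and it does not model ADAM's bind redirection itself. It builds and parses LDAP BindRequests (RFC 4511) with a minimal BER codec so you can see on the wire what a blank-password simple bind is: RFC 4513 section 5.1.2 calls a non-empty name with an empty password an "unauthenticated" bind, which a server may answer with success while treating the session as anonymous. The classifier can be pointed at captured bind packets to spot that case, and `guard_simple_bind` is the client-side check Jef describes. The DN, password and SASL credential bytes are constructed for the example; treating whitespace-only passwords as blank is a policy choice of this example.

```python
"""Classify LDAP BindRequests (RFC 4511) to show the blank-password trap.

RFC 4513 sec. 5.1.2 calls a simple bind with a non-empty name and an EMPTY
password "unauthenticated": a server that allows it answers success and treats
the session as anonymous, so an application that forwards whatever the user
typed can read "bind succeeded" as "password verified".  Example code, not the
thread's or Microsoft's; it does not model ADAM's bind redirection.
"""
from __future__ import annotations

# Tags used by a BindRequest.  Constructed = 0x20, context-specific = 0x80,
# application = 0x40.
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60  # [APPLICATION 0] BindRequest
AUTH_SIMPLE = 0x80   # simple [0] OCTET STRING (primitive)
AUTH_SASL = 0xA3     # sasl [3] SaslCredentials (constructed SEQUENCE)


def _ber_len(n: int) -> bytes:
    """Definite-length BER length octets (short form below 128)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(value: int) -> bytes:
    size = max(1, (value.bit_length() + 8) // 8)  # leave room for the sign bit
    return _tlv(INTEGER, value.to_bytes(size, "big", signed=True))


def _read_tlv(data: bytes, off: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, offset just past this element)."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length


def encode_simple_bind(dn: str, password: bytes, message_id: int = 1) -> bytes:
    """LDAPMessage carrying a version-3 simple BindRequest."""
    bind = _int(3) + _tlv(OCTET_STRING, dn.encode()) + _tlv(AUTH_SIMPLE, password)
    return _tlv(SEQUENCE, _int(message_id) + _tlv(BIND_REQUEST, bind))


def encode_sasl_bind(dn: str, mechanism: str, credentials: bytes, message_id: int = 1) -> bytes:
    """LDAPMessage carrying a SASL BindRequest; credentials are opaque here."""
    sasl = _tlv(OCTET_STRING, mechanism.encode()) + _tlv(OCTET_STRING, credentials)
    bind = _int(3) + _tlv(OCTET_STRING, dn.encode()) + _tlv(AUTH_SASL, sasl)
    return _tlv(SEQUENCE, _int(message_id) + _tlv(BIND_REQUEST, bind))


def classify_bind(packet: bytes) -> dict:
    """Parse one LDAPMessage and report which kind of bind it carries.

    kind: "anonymous" (empty name, empty password), "unauthenticated" (name
    but empty password, RFC 4513 5.1.2), "simple" (name and password) or
    "sasl" (mechanism name reported separately).
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, off = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, off)
    if op_tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, off = _read_tlv(op, 0)
    _, name, off = _read_tlv(op, off)
    auth_tag, auth, _ = _read_tlv(op, off)
    dn = name.decode()
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True), "dn": dn, "mechanism": None}
    if auth_tag == AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        info.update(kind="sasl", mechanism=mech.decode())
    elif auth_tag == AUTH_SIMPLE:
        if not auth:
            info["kind"] = "unauthenticated" if dn else "anonymous"
        else:
            info["kind"] = "simple"
    else:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{auth_tag:02x}")
    return info


def guard_simple_bind(dn: str, password: str | None) -> bytes:
    """Client-side check: never put a blank password on the wire.

    Policy choice for this example: None, "" and whitespace-only all count as
    blank, since the directory would answer such a bind with success while
    granting only anonymous rights.
    """
    if not dn.strip():
        raise ValueError("refusing to bind with an empty DN")
    if password is None or not password.strip():
        raise ValueError("refusing to send a blank password: the bind would be unauthenticated")
    return encode_simple_bind(dn, password.encode())


if __name__ == "__main__":
    # Constructed sample DN and credentials; not from any real directory.
    dn = "CN=jef,OU=Users,DC=example,DC=com"
    for pkt in (encode_simple_bind(dn, b""), encode_simple_bind("", b""),
                encode_simple_bind(dn, b"s3cret"), encode_sasl_bind(dn, "GSS-SPNEGO", b"\x60\x00")):
        print(classify_bind(pkt)["kind"])
```

Run as a script it prints `unauthenticated`, `anonymous`, `simple`, `sasl` for the four constructed requests. The guard belongs in the application before the bind call; when, as in Jef's case, the application cannot be changed, the same classifier over captured traffic at least tells you which apps are sending unauthenticated binds.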
