Accessing LDAP to connect to ADAM instance
Posted by SRK on February 11th, 2004


I am planning on using Active Directory for authentication and ADAM to
retrieve application info. I created an ADAM instance with the instance
name AdamInstance and, as a first step, tried to authenticate against it,
but I encountered an error. The ADAM instance is running on port 50000;
my user-id is defined in Active Directory, and I am using LDAP from Java.
Here is the code

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

public class AdamSimpleBind {
    public static void main(String[] args) {
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://10.5.2.1:50000");
        // simple bind: the principal is sent as a DN string
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=srk,dn=AdamInstance,DC=CORP,DC=MyCompany,DC=NET");
        env.put(Context.SECURITY_CREDENTIALS, "Hyderabad8");

        try {
            InitialDirContext ctx = new InitialDirContext(env);
        } catch (NamingException e) {
            System.out.println("Operation failed: " + e.getMessage());
            e.printStackTrace();
        }
    }
}

Here is the LDAP error and stack trace.

Operation failed: [LDAP: error code 49 - 80090304: LdapErr:
DSID-0C090311, comment: AcceptSecurityContext error, data 20ee, vece]

Please let me know what the problem is.

Posted by Dmitri Gavrilov [MSFT] on February 11th, 2004


The username looks wrong. Did you create this user in ADAM?
cn=srk,dn=AdamInstance,DC=CORP,DC=MyCompany,DC=NET
Can you connect with LDP and find this user?

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



Posted by Dmitri Gavrilov [MSFT] on February 11th, 2004


That's not what I have asked...

What user are you trying to bind as? Is this a Windows user or an ADAM user?

If this is a Windows user, then you MUST use secure LDAP bind, and
"domain\username" or "username@domain.com" as the username. This means you
can not use
env.put(Context.SECURITY_AUTHENTICATION, "simple");
Unfortunately, I don't know this java package to tell you what you have to
set this value to.

If this is an ADAM user, then you MUST use simple LDAP bind, and full ADAM
user DN as the username. But you have to create this ADAM user first. You
can use LDP to do this.

--
Dmitri Gavrilov
SDE, Active Directory Core




Posted by Dmitri Gavrilov [MSFT] on February 12th, 2004


In this case, you don't need a user in ADAM. You can bind to ADAM as this
windows user, and ADAM does not need to contain any info about him.

Just make sure you are using a secure bind/authentication type.

Now, once you manage to bind successfully, you will need to give SRK (the
windows user) permissions to read data in ADAM. The simplest thing is to add
him to Readers (or Admins) group. Or you can add some windows group that he
belongs to, or even NT AUTHORITY\Authenticated Users. If you need to setup
more granular access control, use dsacls tool.

--
Dmitri Gavrilov
SDE, Active Directory Core


"SRK" <anonymous@discussions.microsoft.com> wrote in message
news:A7DB2F1D-DE07-418F-8A27-0DE1ACB85BA9@microsoft.com...
against AD and get all the attributes for that user.
as SIMPLE and method as SIMPLE and key in the password the Bind fails
question is what is the common key between AD and ADAM and how would I
access ADAM with LDAP.
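The membership step from the reply above, as an added example (not code from the thread or from Microsoft): a Windows principal is added to an ADAM role group through LDAP by SID, and the bound identity's read access is then verified. The DirContext is assumed to be already bound as an ADAM administrator; the role DN and the SID are placeholders, not values from this thread. The second method also shows the caveat a practitioner hits here: a directory that hides objects the caller may not list answers "no such object" rather than "insufficient access", so a permissions problem can look like a bad DN.

```java
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;

/**
 * Role membership and read-access check in ADAM over LDAP.
 * adamCtx is assumed to be a DirContext already bound as an ADAM administrator;
 * the DNs and the SID used below are placeholders, not values from the thread.
 */
public class AdamRoles {

    /**
     * Adds a Windows principal to a role group by SID. ADAM resolves the
     * "<SID=...>" form itself: it creates the foreignSecurityPrincipal object
     * under CN=ForeignSecurityPrincipals and stores that object's DN in member,
     * which is why added Windows accounts show up in that container.
     */
    public static void addWindowsPrincipalToRole(DirContext adamCtx, String roleDn, String sid)
            throws NamingException {
        Attributes add = new BasicAttributes(true);
        add.put(new BasicAttribute("member", "<SID=" + sid + ">"));
        adamCtx.modifyAttributes(roleDn, DirContext.ADD_ATTRIBUTE, add);
    }

    /**
     * Verifies that the identity bound in ctx can actually read an object.
     * Caveat: AD and ADAM hide objects the caller is not allowed to list instead
     * of returning insufficientAccessRights, so "no such object" for a DN that is
     * known to exist usually means missing permissions, not a missing object.
     */
    public static boolean canRead(DirContext ctx, String dn) throws NamingException {
        try {
            ctx.getAttributes(dn, new String[] { "objectClass" });
            return true;
        } catch (NoPermissionException e) {   // LDAP result 50: explicit access denied
            return false;
        } catch (NameNotFoundException e) {   // LDAP result 32: absent, or hidden by the ACL
            return false;
        }
    }

    /** Usage sketch with placeholder values (assumed partition, assumed SID). */
    public static void grantReader(DirContext adminCtx, DirContext userCtx) throws NamingException {
        String partition = "O=App,C=US";                       // placeholder application partition
        String readers = "CN=Readers,CN=Roles," + partition;   // built-in Readers role of that partition
        addWindowsPrincipalToRole(adminCtx, readers, "S-1-5-21-1111-2222-3333-1001");
        if (!canRead(userCtx, partition)) {
            throw new NamingException("bound user still cannot read " + partition);
        }
    }
}
```

Adding the principal to Readers grants read on the whole partition; for narrower grants the dsacls tool named in the reply is the right instrument, since it can set per-object ACEs that this role-based shortcut cannot.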


Posted by Dmitri Gavrilov [MSFT] on February 12th, 2004


You can create objects in ADAM and link them to AD users, using AD's user
objectGuid as a key to relate them.

Another option is to use bindProxies. They are described well in ADAM docs.

When you bind to ADAM as a windows user, you connect to ADAM's port (50000)
using secure bind mechanism (kerberos or ntlm or whatever else is available,
as long as it is not a simple bind), and pass windows user's credentials. No
need to talk to AD separately. ADAM forwards the auth request to the OS for
you.

--
Dmitri Gavrilov
SDE, Active Directory Core


"SRK" <anonymous@discussions.microsoft.com> wrote in message
news:98BE879D-A79A-4373-95EB-D2F0A0964E1E@microsoft.com...
use a "secure bind/authentication type" does it mean I have to SSL or MD5
mechanism?
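The two bind paths the replies above describe, as an added example in JNDI (not code from the thread or from Microsoft): an ADAM security principal binds with a simple bind and its full DN, while a Windows principal binds with a SASL mechanism (GSSAPI/Kerberos here), so that ADAM only sees a Kerberos token and needs no account object for that user. The host name, port, DNs, realm and account names are placeholders; krb5.conf (or the java.security.krb5.realm and java.security.krb5.kdc system properties) is assumed to point at the domain's KDC. Note that the GSSAPI URL must carry the server's DNS name, because JNDI derives the target service principal as ldap/<host-in-URL> and a Kerberos ticket for an IP address will not match the SPN ADAM registered.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

/**
 * The two bind paths described in the replies, against one ADAM instance.
 * Host, port, DNs, realm and account names are placeholders (assumptions),
 * not values taken from the thread.
 */
public class AdamBind {

    private static final String LDAP_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    /** ADAM security principal: simple bind with the object's full DN. */
    public static DirContext bindAsAdamUser(String url, String userDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_FACTORY);
        env.put(Context.PROVIDER_URL, url);   // simple bind sends the password in clear: use ldaps://
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);   // e.g. "CN=srk,OU=Users,O=App,C=US" (placeholder)
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /**
     * Windows principal: SASL GSSAPI (Kerberos) bind. The password goes to the
     * KDC during lc.login(); ADAM only receives the resulting Kerberos token and
     * forwards its validation to the OS, so no ADAM user object is involved.
     */
    public static DirContext bindAsWindowsUser(final String url, final String upn, final char[] password)
            throws Exception {
        // JAAS configuration built in code so no external jaas.conf is needed.
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "false");   // authenticate with the supplied password
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        CallbackHandler creds = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(upn);   // "srk@CORP.EXAMPLE.NET" (placeholder UPN)
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
        LoginContext lc = new LoginContext("AdamClient", null, creds, jaas);
        lc.login();   // a wrong password or unknown user fails here, before any LDAP traffic

        // The LDAP bind must run with the Kerberos credentials in scope.
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<DirContext>() {
            public DirContext run() throws NamingException {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_FACTORY);
                env.put(Context.PROVIDER_URL, url);   // "ldap://adam01.corp.example.net:50000" (DNS name, not IP)
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");   // SASL mechanism, not "simple"
                // prefer signing+sealing, fall back to what the server offers
                env.put("javax.security.sasl.qop", "auth-conf,auth-int,auth");
                return new InitialDirContext(env);
            }
        });
    }
}
```

For the Windows path, the name passed through the NameCallback must be Kerberos-style (user@REALM); the DOMAIN\user form belongs to NTLM and will not obtain a ticket. If a simple bind is unavoidable for an ADAM user, put it behind an ldaps:// URL, because the DN and password otherwise cross the wire unprotected.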


Posted by SRK on March 3rd, 2004


I am trying to bind to ADAM running on port 50000 and am getting LDAP Error 49 (Authentication Failure). I am using Kerberos and GSSAPI for authentication. I am able to connect to AD running on port 389 and retrieve the attributes, but not to port 50000 where ADAM is running. In ADAM I have added the Windows account to the member property of Users in Roles, and also to Readers and Administrators.

env.put(Context.PROVIDER_URL, "ldap://172.29.224.6:50000/CN=Users,CN=Roles,CN=CitiStreet,DC=corp,DC=citistreet,DC=net"); throws an error

env.put(Context.PROVIDER_URL, "ldap://172.29.224.6:389"); goes through fine and I was able to retrieve attributes for a user

Am I doing anything wrong? Please share your ideas on what I could do to fix the authentication to ADAM.

Thanks
Siv

Posted by Dmitri Gavrilov [MSFT] on March 3rd, 2004


You are binding as a windows user, right? ADAM users can only bind with
ldap_simple_bind.

If you require Kerb, then you should make sure ADAM has successfully
registered its SPNs in AD. Check for warnings in the system log for clues.

Oh, btw, if you are running ADAM on a DC under NetworkService or LocalSystem
svc account, then you are out of luck. The DC will whack all non-DC spns
from its computer account.

If you are running ADAM as a domain user then I believe you need to modify
permissions on the account to allow it to register SPNs. There should be
some info on that in ADAM help.

--
Dmitri Gavrilov
SDE, Active Directory Core



Posted by SRK on March 3rd, 2004


I have added Windows accounts to the member attribute in User Properties in Roles. I found the accounts I added showed up in CN=ForeignSecurityPrincipals. Is this the correct way of adding Windows accounts to ADAM? If it is not the correct way, please let me know the correct procedure. ADAM documentation suggests the user run a dnsdomainname batch script to add the ADAM SPN to AD. I don't see that script in the ADAM installation directory at all.

Is there a way for me to create ADAM SPNs and add them to AD automatically?

Thanks


Posted by Dmitri Gavrilov [MSFT] on March 3rd, 2004


Yes, Windows principals show in ADAM as FSP objects.

Check ADAM event log and see if there are any complaints about registering
SPNs. Note that in order to do kerb auth, ADAM must be running using a
domain account or network service. In AD, find the account that is used to
run ADAM (either the domain account or computer account if running as
network service), and check if it has servicePrincipalName values.

--
Dmitri Gavrilov
SDE, Active Directory Core



Posted by Dmitri Gavrilov [MSFT] on March 4th, 2004


Hmm. So, SPNs appear to be in good shape.
Your next step would be to examine the system event log for clues. Check if
you have any LsaSrv warnings. Check on both client and ADAM machine.

--
Dmitri Gavrilov
SDE, Active Directory Core


"SRK" <anonymous@discussions.microsoft.com> wrote in message
news:E8D7B9D9-D802-4D9F-BA26-2BB2D2EA972A@microsoft.com...
Administrator account the servicePrincipalName is not empty. I also don't
see any batch script in ADAM data directory to register SPNs manually.


Posted by SRK on March 4th, 2004


I don't see any warnings in the event log for LsaSrv. The client is running on the same machine as ADAM.

Posted by Dmitri Gavrilov [MSFT] on March 4th, 2004


So, the client, ADAM and DC are all on the same machine then? Interesting.
Try running the client on a different machine.

What account is the client running as? What is the exact error you are
getting? How do you bind? Show the code.

--
Dmitri Gavrilov
SDE, Active Directory Core




Posted by Dmitri Gavrilov [MSFT] on March 4th, 2004


So, you are getting SEC_E_LOGON_DENIED... Is this user ok? Can you logon to
windows as this user?

Ok, try this -- don't use the IP address when connecting. Use the full dns
name of the computer, exactly as it appears in the SPN that ADAM registers.

--
Dmitri Gavrilov
SDE, Active Directory Core



Posted by SRK on March 5th, 2004


I can log on to Windows with this user. If I connect to Active Directory running on port 389, it goes through fine and I am able to retrieve all the attributes for that user. I tried replacing the IP address with the complete DNS name and am still getting the same problem.

I am running out of ideas as to what may be wrong. Any ideas would be greatly appreciated.

Thanks

Posted by Dmitri Gavrilov [MSFT] on March 6th, 2004


Does this user have permissions to read the ADAM object? Can you get to the
data with LDP?

--
Dmitri Gavrilov
SDE, Active Directory Core
