- ADAM/AD authentication
- Posted by CY on January 21st, 2004
If I add a Windows user account to an ADAM group under the member attribute, can I authenticate this user by binding to ADAM? Will the username and password submitted via LDAP be used by the Active Directory server to authenticate against AD and be returned as a Windows principal in a search result? Is this kind of referral automatically handled by ADAM? Is this the "authentication request referral" described in the diagram in the ADAM help file? Thanks for reading.
- Posted by Dmitri Gavrilov [MSFT] on January 21st, 2004
You can authenticate to ADAM as a Windows user even if you don't add him to any ADAM groups. Just make sure you use secure authentication.

ADAM forwards such authentication requests to the OS. Thus, you can authenticate as a local user, or as a domain user, or as a trusted domain/forest user. If you can log on to the ADAM machine as this user, then you will be able to bind to ADAM as this user. ADAM does not need to know anything about this user.

Now, you can bind, but you may be unable to read anything in ADAM. That's an authorization issue. If you want your Windows user to be able to read stuff in ADAM, add him to an appropriate group. Or grant him permissions directly using dsacls.

One easy way to allow read access to ADAM is to add NT AUTHORITY\Authenticated Users to the Readers group in ADAM. This automatically covers all Windows users, as well as all ADAM users.
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
- Posted by Joe Kaplan \(MVP - ADSI\) on January 21st, 2004
Hi Dmitri,
In order to add NT AUTHORITY\Authenticated Users to an ADAM group, do you have to create an FSP for that SID first and add the FSP, or is that already done in ADAM, or is there an easy way to do it automatically?
Thanks. Just now getting my feet wet with ADAM...
Joe K.
- Posted by Dmitri Gavrilov [MSFT] on January 21st, 2004
FSPs are created automatically by ADAM (and AD does this too). What you need to do is update group membership, adding a new member specified as "<SID=S-1-5-XXX-XXX-XXX-XXX>" (without quotes, with angle brackets). Or you can use ADAM-ADSIEdit to add a Windows principal to the group; it does exactly this behind the scenes.

Authenticated Users is S-1-5-11, by the way. And you cannot create FSPs manually; you are not allowed to create objects with SIDs (with the exception of bind proxies).
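The procedure Dmitri describes (write `<SID=...>` into the group's `member` attribute and let ADAM create the FSP), as an added example that is not part of the original posts and is not ADAM's own code. It does not talk to a server: it validates the SID string, shows the binary form the auto-created FSP carries in `objectSid`, and emits the LDIF that `ldifde` would import. The partition DN `O=Fabrikam,C=US`, the choice of the default `Readers` role, and the assumption that ADAM files the FSP under the partition's `CN=ForeignSecurityPrincipals` container named by its SID string are assumptions made for the example, not facts stated in the thread.

```python
"""Add a Windows principal to an ADAM group by SID (added example, not from the thread)."""
import re
import struct

# Well-known SID quoted in the thread: NT AUTHORITY\Authenticated Users.
AUTHENTICATED_USERS_SID = "S-1-5-11"

# Assumptions (not from the thread): an ADAM application partition named
# O=Fabrikam,C=US and the default Readers role inside its CN=Roles container.
PARTITION_DN = "O=Fabrikam,C=US"
READERS_GROUP_DN = f"CN=Readers,CN=Roles,{PARTITION_DN}"

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Return (identifier_authority, sub_authorities) or raise ValueError."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-") if s]
    if authority >= 1 << 48:
        raise ValueError("identifier authority must fit in 48 bits")
    if not 1 <= len(subs) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authorities are 32-bit values")
    return authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a
    little-endian DWORD. This is what the objectSid attribute holds."""
    authority, subs = parse_sid(sid)
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with the length checks a parser needs."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("bad SID header")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<" + "I" * count, raw[8:])
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def member_add_ldif(group_dn: str, sid: str) -> str:
    """LDIF 'modify' entry that adds the principal to the group by SID.
    ADAM resolves <SID=...> and creates the FSP itself; nothing else is needed."""
    parse_sid(sid)  # refuse to emit LDIF for a malformed SID
    return (
        f"dn: {group_dn}\n"
        "changetype: modify\n"
        "add: member\n"
        f"member: <SID={sid}>\n"
        "-\n"
    )


def expected_fsp_dn(sid: str, partition_dn: str) -> str:
    """Where the auto-created FSP is expected to appear (assumption: the
    partition's CN=ForeignSecurityPrincipals container, CN = SID string)."""
    parse_sid(sid)
    return f"CN={sid},CN=ForeignSecurityPrincipals,{partition_dn}"


if __name__ == "__main__":
    print(member_add_ldif(READERS_GROUP_DN, AUTHENTICATED_USERS_SID))
    print("objectSid:", sid_to_bytes(AUTHENTICATED_USERS_SID).hex())
    print("FSP DN:", expected_fsp_dn(AUTHENTICATED_USERS_SID, PARTITION_DN))
```

Save the printed LDIF to a file and import it with `ldifde -i -f add-readers.ldf -s <adam-host> -t <port>` while bound as an ADAM administrator; afterwards a search under the partition's `CN=ForeignSecurityPrincipals` container should show the new FSP, and any securely authenticated Windows user will be able to read the partition through the Readers role.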
- Posted by Joe Kaplan \(MVP - ADSI\) on January 21st, 2004
Excellent. Thanks a bunch.
For some reason I thought it was ADSI and the IADsGroup interface that did the work of creating the FSP if you add a SID to a group member instead of a DN. It is much easier if you can modify member directly and get the same functionality. I just tried it and it worked with no issues.
Joe K.