 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / October 2005What is DirectoryServices.AuthenticationTypes.None
AuthenticationTypes.None is the default authentication type for DirectoryEntry. But, what does "none" actually mean??? When I set it, the system still seems to be authenticating with the credentials of the calling thread. Does that mean that AuthenticationTypes.None equals AuthenticationTypes.Secure in practice? Or does it mean something different, and if so, what? It is supposed to mean to use LDAP simple bind. However, if you leave the username and password null, ADSI will go ahead and try to do a Secure bind (GSS-SPNEGO SASL bind in LDAP terms) with the current thread's identity. If you supply username and password (or put in "" instead of null), it will actually try a simple bind (plain text username and password on the network). In general, you probably shouldn't be using simple bind with AD if you can avoid it and you should generally never use it without also using SSL/LDAP to encrypt the channel as it is insecure. However, it is useful (and in some cases necessary) with ADAM and non-AD directories that don't support the GSS-SPNEGO as a SASL mechanism. HTH, Joe K. > AuthenticationTypes.None is the default authentication type for > DirectoryEntry. But, what does "none" actually mean??? [quoted text clipped - 4 lines] > Or > does it mean something different, and if so, what? Thanks Joe. > It is supposed to mean to use LDAP simple bind. However, if you leave the > username and password null, ADSI will go ahead and try to do a Secure bind > (GSS-SPNEGO SASL bind in LDAP terms) with the current thread's identity. Is that behaviour (the fact that it does something different from what you asked, if the credentials are null) documented? I.e. can we rely on it - when working against Active Directory, can we rely on the DirectoryEntry(string) constructor to result in a secure bind (since that constructor defaults credentials to null and Authentication type to none)? > If you supply username and password (or put in "" instead of null), it will > actually try a simple bind (plain text username and password on the > network). If you put "" in instead of null, what does it send over the network? Does it send "" for username or password, or the real username and password of the calling thread's identity? > HTH Yes, it was extremely helpful. Before posting I looked for the info for ages and couldn't find it anywhere. John Inline: > Thanks Joe. > [quoted text clipped - 3 lines] > DirectoryEntry(string) constructor to result in a secure bind (since that > constructor defaults credentials to null and Authentication type to none)? I'm not sure if it is documented, but it is the way it works. ADSI is very geared towards using the current thread credentials when possible and a lot of people are used to just calling GetObject(LDAP://xxxx) in their scripts. When used that way, the underlying system passes null for the username and password. However, I have no idea why S.DS chooses to ignore the AuthenticationTypes.None in this case. > If you put "" in instead of null, what does it send over the network? > Does > it send "" for username or password, or the real username and password of > the > calling thread's identity? If you put in "", it sends a null DN and password and use AuthenticationTypes.None in the simple bind. The easiest way to see this for sure is to use a packet sniffer. It will do something similar if you do Secure, except that it uses a different binding technique. My overall recommendation with S.DS.DirectoryEntry is to alway use the 4 parameter constructor and be explicit with what you want. You can't go wrong that way and it makes it easier for someone reading your code to know what you intended. All of the samples in my (hopefully done soon) book look like that. Here are some concrete examples: new DirectoryEntry("LDAP://rootDSE", null, null, AuthenticationTypes.Secure); (does Secure/SSPI bind with current thread's identity) new DirectoryEntry("LDAP://rootDSE", "dom\user", "pass", AuthenticationTypes.Secure); (does Secure/SSPI bind with hard-coded credentials; no plain text creds sent over the wire) new DirectoryEntry("LDAP://rootDSE", null, null, AuthenticationTypes.None); (mysteriously does a Secure bind with current thread credentials, even though None is specified; head-scratcher) new DirectoryEntry("LDAP://rootDSE", "dom\user", "pass", AuthenticationTypes.None); (does LDAP simple bind with plain text password sent to server; not secure unless encrypted with SSL, IPSEC, etc.!) new DirectoryEntry("LDAP://rootDSE", "dom\user", "", AuthenticationTypes.None); (here's a wierd one! Does a simple bind with blank password. No error is returned because LDAP spec says that this must always succeed as an anonymous login. However, you won't actually be bound to the directory and won't have rights to search anything by default in AD!) The last one is particularly important because sometimes people use LDAP for authentication and use simple bind for whatever reason. The bottom line here is that if you don't prevalidate for null passwords, you can get misleading results. Joe K. Thanks Joe. Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.