You mentioned "Windows user". You can't get rid of AD if you plan to keep
using Windows users. You can use ADAM to store some app data (even about
users), but you still need AD as the user store. ADAM supports
authentication of windows users (by forwarding auth requests to the OS).
If you need "nice audit logs" etc, then you need windows users. If you want
to auth with a client cert, you need to use windows users. Only simple bind
auth is supported for ADAM users. OS and IIS know nothing about ADAM and
ADAM users, thus they can't log ADAM users names.
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Eric and Dmitri,
I am really new to this (just found out about the AD/AM bit recently).
Prior to that, I was very happy (dumb, but happy
), getting AD,
Certificate Server, and IIS all working together nicely.
As some background (maybe somewhat redundant), I had things setup and
working so that I could issue/install client certs into client machines
using the Certsrv, and then had clients doing secure SSL connection with
IIS, and then had the session running/logged under the appropriate
Windows user name via the Active Directory Mapper.
In addition just the user authentication aspect of all this, since the
mapping to Windows users works the way it does, we got a nice audit
trail (in the IIS logs) of activity-by-individual-user.
Now, with the introduction of AD/AM into all of this (or replacement of
AD by AD/AM, I think), I'm trying to understand how to "replicate" the
functionality described in the above paragraph.
If I'm understanding your (esp. Dmitri's comments), if we move to
JUST/ONLY AD/AM, we should be able to still have the client
authentication functionality (since that's built-in to IIS, I guess),
but we wouldn't be able to have IIS impersonate a Windows user (at least
not without some ASP additional code specifically for this?).
And, more to the point, we wouldn't be able to JUST CONFIGURE IIS in
such a way that it would include the user name of the Windows user (that
is associated with the authenticated client certificate) in the IIS
logs. It seems like, in order to accommodate this, we'd have to
implement/incorporate our own (ASP) application-level logging.
Is my understanding of your comments accurate/correct?
Thanks again in advance!!!
:
One thing to add: you can not impersonate an ADAM user in windows, so
none
of IIS auth methods will work for ADAM users, because they involve IIS
thread impersonating a windows user. You can get around by carrying
username/pwd around (in a session var or a cookie), and use them to
access
data in ADAM with ADSI or LDAP. Or you can always use IIS account to
access
data in ADAM -- but then you can't ACL adam objects for different adam
users..
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
(Cross posting to the 2003 AD newsgroup as that's typically where we
find
ADAM posts)
It's tough to answer this in a quick post without doing a copy/paste
of
the
white paper, but a few thoughts off of the top of my head:
1) ADAM would have an independent schema from your existing AD
infrastructure
2) ADAM could have many instances running on a single server whereas
for
each domain you had you would need at least one server (DC) to host
it.
3) ADAM has bind redirection which is nice for some applications.
On the flip side, advantages of AD:
1) It is a full domain, full security principals, kerberos, clients
joining
the domain, etc.
2) Group policy.
3) A big thing to remember: you can *NOT* ACL resources outside of
ADAM
with
ADAM users. So if you had an ADAM user and wanted to grant them access
to
a
file, strictly speaking, you can't do that. You would want AD for
that.
From a pure LDAP/ADSI perspective, you'll find them similar I think.
Others will probably have other suggestions/thoughts on the matter.
I'd suggest checking out the white paper to see some of the
recommended
ADAM
useage scenario's.
~Eric
--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights
Hi,
I have a Win2K3 Server system setup now, with IIS, Active Directory,
and
Certificate Server, and have been successful in issuing client
certificates from Certificate Server, and setting up IIS doing
client
authentication and using the Active Directory Mapping feature (so
sessions get logged in under Windows user names matching the client
certificates).
Now, I am looking into replacing Active Directory with the Active
Directory Application Mode (AD/AM). This would be a clean
installation
of Win2K3 Server.
I have just started to research this, but I was wondering what the
experience has been with AD/AM. From an operational standpoint
(both
administration and usage), what kinds of things will work
differently
when I use AD/AM vs. "regular" AD?
This would be for (purely) running a secure website (under IIS).
Thanks in advance!!!
, but the situation is that