One thing to keep in mind is that ADSI is not good for authentication in general as it has scalability issues. If the application must support many simultaneous users, it will likely blow up. I've seen this happen many times. If one must use LDAP auth, it is better to do it directly against the LDAP API, as you can manage the connection that way and won't run out of wildcard ports. Unfortunately, VB6 doesn't have a good LDAP API wrapper that I know of (except ADSI, which is the problem in this case).

I think the WinNT provider is a bad idea, as it is notorious for having problems when using OpenDSObject with credentials in general. I wouldn't do it.

FWIW, System.DirectoryServices in .NET is just an ADSI wrapper and has the exact same problem.

If they can't use integrated auth (or Basic/SSL for that matter) and you must do forms auth in code, calling the LogonUser API is the best way to go. This may be possible in VB6 (haven't tried; cake in C++ or .NET) and will work fine as long as the web server is a domain member.

I dislike vendor apps that require logon security but don't provide a nice pluggable model to insert different mechanisms into the pipeline. It is such a common thing to have to do, and not having this nicely abstracted so they can be flexible in their clients' environments is silly. Soapbox off. :)

Joe K.
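An added example, not code from anyone in this thread: the LDAP v3 simple bind that joe describes (binding as domain\user, a UPN or a DN with no prior lookup) at the wire level, in Python with only the standard library, with the connection opened and closed explicitly as Joe K. suggests. The host, port, account names and passwords in it are assumptions, and the BindResponse bytes used to exercise the parser are constructed, not captured from a domain controller. Two checks a practitioner wants are included: an empty password is refused before anything is sent, because RFC 4513 treats name-plus-empty-password as an unauthenticated bind, which AD accepts by default, so a login check built on simple bind would otherwise pass for any valid account name; and the bind goes over LDAPS by default, because a simple bind carries the password in clear.

```python
"""LDAP v3 simple bind at the wire level (RFC 4511), standard library only.

Constructed example for this thread, not code from any poster. Server name,
port, account names and passwords are assumptions; nothing here is captured
from a real domain controller.
"""
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(tag: int, value: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED; a leading 0x00 keeps the sign bit clear."""
    return ber_tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    `name` may be whatever the DC accepts for a simple bind: a DN, a UPN
    (user@example.com) or DOMAIN\\user.  Refuse an empty password up front:
    RFC 4513 defines name + empty password as an *unauthenticated* bind, which
    AD accepts by default, so the login check would pass for any valid name.
    """
    if not name:
        raise ValueError("empty name is an anonymous bind, not a login")
    if not password:
        raise ValueError("empty password is an unauthenticated bind, not a login")
    bind = (ber_int(0x02, 3)                             # version INTEGER
            + ber_tlv(0x04, name.encode("utf-8"))        # name LDAPDN
            + ber_tlv(0x80, password.encode("utf-8")))   # simple [0] OCTET STRING
    return ber_tlv(0x30, ber_int(0x02, msg_id) + ber_tlv(0x60, bind))  # [APPLICATION 0]


def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL; tells the DC we are done."""
    return ber_tlv(0x30, ber_int(0x02, msg_id) + ber_tlv(0x42, b""))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)          # messageID INTEGER
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x61:                          # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(body, 0)        # resultCode ENUMERATED
    _, _, pos = _read_tlv(body, pos)         # matchedDN (ignored)
    _, diag, _ = _read_tlv(body, pos)        # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def ldap_login(host: str, name: str, password: str, port: int = 636,
               use_tls: bool = True, timeout: float = 5.0) -> bool:
    """One bind per login on a socket we open and close ourselves.

    A simple bind sends the password in clear, so the default is LDAPS on 636.
    Reading the reply with a single recv() is a simplification: a BindResponse
    is a few dozen bytes and arrives in one segment in practice.
    """
    request = bind_request(1, name, password)    # raises on empty credentials
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = (ssl.create_default_context().wrap_socket(raw, server_hostname=host)
            if use_tls else raw)
    with sock:
        sock.sendall(request)
        reply = sock.recv(4096)
        sock.sendall(unbind_request(2))          # explicit unbind, then close
    msg_id, code, _ = parse_bind_response(reply)
    return msg_id == 1 and code == 0             # 0 = success, 49 = invalidCredentials


if __name__ == "__main__":
    # Assumed host and credentials; dc01.example.com is not a real DC.
    print(ldap_login("dc01.example.com", "jdoe@example.com", "S3cret!"))
```

The result code is the only thing the login decision uses; AD's diagnostic text on a failed bind (the `data 52e`, `data 775` style codes) is useful for telling a bad password from a locked or disabled account, but it should go to a log, not to the user.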


----- Original Message -----
From: "Isenhour, Joseph" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Tuesday, October 17, 2006 6:40 PM
Subject: RE: [ActiveDir] WinNT ADSI provider


Oh ya, duh.  Good point.

Do you think that one is better than the other?  I agree they are both
bad options.  The app runs on IIS so using integrated auth would be
soooo easy; however, it requires more code changes on their end and they
are trying to get this done for regulatory compliance reasons.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 17, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

You don't have to do an LDAP query first.... You can bind in LDAP with
domain\user, UPN, or DN  and just ask for a well known object, say the
domain head or config head, etc.

I still think either one is a poor authentication mechanism though.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, October 17, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

Not having to do an LDAP query prior to connecting to the user.  So they
will not have to store a lookup account and baseDN type info.  I think
that adding the LDAP features is pretty simple, but I don't want to make
them do it if it's not necessary.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 17, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

What simplicity will this offer?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, October 17, 2006 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinNT ADSI provider

I have a customer who wants to write their authentication DLL using the
WinNT ADSI provider instead of LDAP provider for simplicity.  Does
anyone know if there will be any supportability issues with this option
going forward?  Is Longhorn going to support it?

BTW, the app is written in vb6 so System.DirectoryServices is out.

Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx