----- Original Message -----
Sent: Friday, February 23, 2001 2:22 PM
Subject: Re: (RADIATOR) Windows 2000 ADSI Authorization

Update:
 
Well.. I fixed my Authentication problem with Windows 2000. 
It would help if the secret key I was using for testing matched that of the RadPwTst utility.  *duh*
 
I also had to change the domain policy to stop Password History from occurring.  This way a user can change
their password to itself for the authorization to occur.  This should be noted in the FAQ or <AuthADSI> documentation.
 
----
Just a quick thought on the ADSI authentication process.
Why have the user change their password to prove authentication when I believe you can prove a user is really him or her during the ADSI OpenDsObject process?  Let me quote the MS documentation:
 
>>>
Authentication

In ADSI, credentials consisting of a user name and password allow system software to authenticate the identity of a user during the initial system login. Use IADsOpenDSObject::OpenDSObject or the helper function ADsOpenObject to establish a user's credentials for a directory service. If you don't use OpenDSObject, ADSI uses default credentials. Once the system authenticates the user, the user is free to make requests for system resources, access to file shares, and file permissions, as supported by the underlying directory service's security requirements.

The following examples show the use of the OpenDSobject method on different directory services:

Dim MyNamespace As IADsOpenDSObject
 
Set MyNamespace = GetObject("LDAP:")
Set X = MyNamespace.OpenDSObject(DN, UserName, Password, Flags)
 
Reference this MS document:
 
 
According to this document you should be able to use the user's name and password in the AuthADSI.pm file's OpenDsObject call.  If you do not get the error message "Could not get user object" then the given user name and password match those of the user you are requesting authorization on.  I believe a user can look at his or her own logon hours and attributes....*But...I may be wrong*.
 
So by replacing the "$self->{Password}," code with "$password" and changing the code after that... you should be able to skip the whole "ChangePassword" routine.  If this actually works it could speed up authorization.
 
use Win32::OLE;   # provides Win32::OLE->LastError() used below

# $ons (the "LDAP:" namespace object), $bindstring and $password are set
# earlier in the module; only the bind call and its error handling are shown.
my $ouser = $ons->OpenDSObject($bindstring,
                               $self->{Username},
                               $self->{Password},    # Change this to $password  ???
                               1);                   # ADS_SECURE_AUTHENTICATION
if (!$ouser)
{
    $self->log($main::LOG_DEBUG, "Could not get user object: " . Win32::OLE->LastError());
    return ($main::REJECT, 'Could not find user');
}
 
 
Anyway...
Back to working on my Radius 
:)
 
-Michael Audet
Network Services
Chubb & Son
[EMAIL PROTECTED]
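
The bind-as-the-user check proposed in the message above, written out as an added example (it is not code from the original post or from Radiator's AuthADSI.pm). It assumes the Win32::OLE module on a Windows host with the LDAP ADSI provider; the `bind_string` helper and the server, user and password values in the sample call are hypothetical.

```perl
use strict;
use warnings;
use Win32::OLE;

# Flag value for OpenDSObject, as used in the quoted AuthADSI.pm call.
use constant ADS_SECURE_AUTHENTICATION => 1;

# Build the ADsPath the same way a Radiator BindString does, substituting
# the RADIUS user name for %n.  Hypothetical helper, not Radiator's own.
sub bind_string {
    my ($template, $username) = @_;
    (my $path = $template) =~ s/%n/$username/g;
    return $path;
}

# Authenticate by binding to the user's own directory object with the
# credentials from the RADIUS request, instead of binding as the
# administrator and then running the ChangePassword routine.
# Returns (1, '') on success or (0, reason) on failure.
sub check_user_bind {
    my ($bind_template, $username, $password) = @_;

    # Never forward an empty password: some directories treat an empty
    # password as an anonymous bind, which would "succeed" for any name.
    return (0, 'empty password') unless defined $password && length $password;

    Win32::OLE->Option(Warn => 0);    # surface COM errors via LastError, not die
    my $ns = Win32::OLE->GetObject('LDAP:');
    return (0, 'LDAP provider unavailable: ' . Win32::OLE->LastError()) unless $ns;

    # Depending on the domain, the account may need to be given as
    # DOMAIN\user or as a UPN rather than the bare name.
    my $path  = bind_string($bind_template, $username);
    my $ouser = $ns->OpenDSObject($path, $username, $password,
                                  ADS_SECURE_AUTHENTICATION);
    return (0, 'Could not get user object: ' . Win32::OLE->LastError()) unless $ouser;

    # The bind succeeded, so the password is correct; $ouser can now be
    # queried for per-user attributes such as logon hours.
    return (1, '');
}

# Sample call with constructed values (not a real server, user or password).
my ($ok, $why) = check_user_bind(
    'LDAP://dc.example.internal/CN=%n,CN=Users,DC=example,DC=internal',
    'jdoe', 'example-password');
print $ok ? "ACCEPT\n" : "REJECT: $why\n";
```

Because this path only verifies the supplied password, it does not require relaxing the domain's Password History policy the way the change-password-to-itself workaround does.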
 
----- Original Message -----
Sent: Friday, February 23, 2001 10:40 AM
Subject: (RADIATOR) Windows 2000 ADSI Authorization

Hello everyone...
 
    I am currently evaluating the Radiator product for use on our Windows 2000 domain that is currently using Active Directory to store information.  Has anyone successfully used Radiator on 2000 with AD to authenticate users?
 
The reason I ask is that I created a few users on my domain and have been unsuccessful when trying to authenticate them.  I was getting errors about logon times but I found out that I couldn't use the "Administrator" account as a test user because you cannot control an Administrator's logon hours.  So I created another administrator on the domain and tried to authenticate that user.   The error message I get is that "The specified network password is not correct".  I know the password is correct because I can log on as that user.  The only thing I can think of is that the ChangePassword routine does not work correctly under 2000.
 
Another question I have is:  Does the user require "Logon Locally" rights applied to them?  This is why I made the user an administrator for testing so I didn't have to mess with Local Policies to allow for local logon.
 
 
I am using a basic config like the one below to test with the RadPwTst:
 
<Client DEFAULT>
    secret secretkey
</Client>
 
<Realm DEFAULT>
    <AuthBy ADSI>
        BindString LDAP://sentry2.chubb.com/CN=%n,CN=Users,DC=sentry,DC=chubb,DC=com
 
        Username administrator
        Password mypassword
    </AuthBy>
</Realm>
 
 
As you can see there is nothing fancy going on..
 
If anyone has any information on making this work on 2000 and Active Directory please reply or drop me an email.
 
 
Thanks again,
 
Michael Audet
Network Services
Chubb & Son
 
 
