

Application authenticating and pulling info from Active Directory


We have an application that will be connecting to our Active Directory for a couple of reasons:

i. Authenticating users via their AD username
ii. Checking certain attributes of users, e.g. their email address
iii. Checking group membership of users

The application itself has been developed by a third party vendor so I'm not entirely sure how it will work, but they will be testing with us in a few months. Our AD environment is actually a bit complex in that we utilise a resource forest for Exchange 2007 (RES) and also an authentication forest for user accounts (AUTH). The application may have to pull info from either forest.

I had some questions in the meantime to help me understand more about this:

1. For the checking of user attributes / checking group membership, should the application be making LDAP requests on port 389, or GC requests on port 3268?

2. For authentication, the app will have to pull password credentials from the AUTH forest. How would this work? I assume the actual user password is stored in a format that is not readable?

3. For authentication, what sort of query would the application be running against AD?

4. How is Kerberos / NTLM involved here? And which one should we be using?
1 Solution
Mike Kline commented:
Do you know what language/platform the application will be written in? If you do, I'll add that zone and the application developers will also help out.

They can query port 389 in your AUTH forest; that is where your accounts are. They would be using Kerberos, and you are right, the passwords are not readable in AD.

Example using .NET: http://it.toolbox.com/blogs/programming-life/integrating-your-net-app-with-active-directory-server-8655

Example with Java: http://stackoverflow.com/questions/390150/authenticating-against-active-directory-with-java-on-linux

I'm not a developer, so that is why I want to add some zones for you... don't want to blow smoke :)

As the AD admin, what you should need to provide is the port number and usually an LDAP path/DN to your directory.
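
The flow the answer describes (bind on 389 in the AUTH forest to prove the password, then read attributes and group membership), as an added PowerShell example using System.DirectoryServices.Protocols; this is not code from the page, the vendor's application, or either linked article. Assumed names: the AUTH forest's DNS name auth.example.local (NetBIOS AUTH), a DC answering LDAP on 389 and the Global Catalog on 3268, a domain-joined Windows host, and the function names and the example group DN below. It uses Negotiate (Kerberos, falling back to NTLM only when Kerberos is unavailable) rather than a simple bind, so the user's password is never sent in clear text, and it escapes the username before building the LDAP filter.

```powershell
# Added example, not part of the original post. Assumes the AUTH forest is
# auth.example.local / AUTH and the host is domain-joined (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Escape user-controlled text before it goes into an LDAP filter (RFC 4515).
# Without this, input such as  alice)(objectClass=*  rewrites the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first so the later escape sequences are not escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Step 1: authenticate. Binding as the user with Negotiate drives a Kerberos
# exchange with the user's password, so a wrong password fails the bind and the
# password itself never crosses the wire. Signing/sealing protect the session.
function Test-AdCredential {
    param(
        [Parameter(Mandatory)][string]$Server,    # e.g. 'auth.example.local:389' (assumed)
        [Parameter(Mandatory)][string]$Domain,    # e.g. 'AUTH' (assumed)
        [Parameter(Mandatory)][string]$User,      # sAMAccountName
        [Parameter(Mandatory)][string]$Password
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password, $Domain)
    try {
        $conn.Bind()
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # 49 = invalidCredentials. Anything else (server unreachable, etc.) is an
        # outage, not a bad password, so let it propagate instead of saying "no".
        if ($_.Exception.ErrorCode -eq 49) { return $false }
        throw
    } finally {
        $conn.Dispose()
    }
}

# Step 2: read attributes and groups with the application's own service account,
# never with the end user's password. mail and memberOf are in the GC partial
# attribute set, so 3268 answers for any domain in the forest from one query.
# A GC only spans its own forest: the RES forest has its own GC and will not
# contain AUTH user objects, so pick the server by which forest owns the object.
function Get-AdUserProfile {
    param(
        [Parameter(Mandatory)][string]$GcServer,  # e.g. 'auth.example.local:3268' (assumed)
        [Parameter(Mandatory)][string]$User,
        [System.Net.NetworkCredential]$ServiceCredential  # $null = current process identity
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($GcServer)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    if ($ServiceCredential) { $conn.Credential = $ServiceCredential }
    try {
        $conn.Bind()
        $filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $User)))"
        $attrs = @('mail', 'memberOf')
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        # Empty base DN + subtree on the GC searches every partition it holds.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', $filter, $scope, $attrs)
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -ne 1) { return $null }   # not found, or ambiguous
        $entry = $resp.Entries[0]
        $mail = $null
        if ($entry.Attributes.Contains('mail')) { $mail = $entry.Attributes['mail'].GetValues([string])[0] }
        $groups = @()
        # memberOf is a back-link: it lists direct membership only (no nesting),
        # and on a GC it is complete only for universal groups and groups of the
        # GC's own domain. Resolve nested/cross-domain membership separately.
        if ($entry.Attributes.Contains('memberOf')) { $groups = @($entry.Attributes['memberOf'].GetValues([string])) }
        [pscustomobject]@{ DistinguishedName = $entry.DistinguishedName; Mail = $mail; Groups = $groups }
    } finally {
        $conn.Dispose()
    }
}

# Usage (server names, account and group DN are placeholders / assumptions):
# if (Test-AdCredential -Server 'auth.example.local:389' -Domain 'AUTH' -User $u -Password $p) {
#     $profile = Get-AdUserProfile -GcServer 'auth.example.local:3268' -User $u
#     $isAppAdmin = $profile.Groups -contains 'CN=App Admins,OU=Groups,DC=auth,DC=example,DC=local'
# }
```

Two points worth checking with the vendor: if their code uses a simple bind (AuthType.Basic) instead of Negotiate, it must go over LDAPS (636/3269) or the password is sent in clear text; and if it needs an attribute that is not in the GC partial attribute set, it has to query port 389 against a DC in the forest that holds the object, which for RES-forest data means the RES forest, not the AUTH forest.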
