Application authenticating and pulling info from Active Directory

Posted on 2012-08-19
Last Modified: 2012-09-04

We have an application that will be connecting to our Active Directory for a couple of reasons:

i. Authenticating users via their AD username
ii. Checking certain attributes of users, e.g. their email address
iii. Checking group membership of users

The application itself has been developed by a third party vendor so I'm not entirely sure how it will work, but they will be testing with us in a few months. Our AD environment is actually a bit complex in that we utilise a resource forest for Exchange 2007 (RES) and also an authentication forest for user accounts (AUTH). The application may have to pull info from either forest.

I had some questions in the meantime to help me understand more about this:

1. For the checking of user attributes / checking group membership, should the application be making LDAP requests on port 389? Or GC requests on port 3268?

2. For authentication, the app will have to pull password credentials from the AUTH forest. How would this work? I assume the actual user password is stored in a format that is not readable?

3. For authentication, what sort of query would the application be running against AD?

4. How is Kerberos/ NTLM involved here? And which one should we be using?
Question by: neil4933

    Accepted Solution

    Do you know what language/platform the application will be written in?  If you do I'll add that zone and the application developers will also help out.

    They can query port 389 in your auth forest; that is where your accounts are.  They would be using Kerberos, and you are right, the passwords are not readable in AD.

    Example using .NET

    Example with Java

    I'm not a developer so that is why I want to add some zones for you...don't want to blow smoke :)

    As the AD admin, what you should need to provide is the port number and usually an LDAP path/DN to your directory.
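The following PowerShell is an added example, not code from the question or the accepted answer, showing the three operations the question lists (bind as the user, look up attributes, check group membership) against the AUTH forest with the .NET System.DirectoryServices.Protocols classes. The DC name dc01.auth.example.com, the base DN, the account jsmith, the service account and the group "App Users" are placeholders, not names from the original post.

```powershell
# Added example (not the original post's code): authenticate a user against the AUTH
# forest, then read attributes and group membership, with System.DirectoryServices.Protocols.
# Host names, DNs and account names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Escape a value before placing it in an LDAP filter (RFC 4515). Without this, a login
# name such as "*)(objectClass=*" rewrites the query (LDAP injection).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
}

# Open a signed and sealed connection and bind. AuthType.Negotiate uses Kerberos when the
# client can get a ticket for ldap/<server> and falls back to NTLM otherwise. A $null
# credential binds as the account the script runs under.
function New-AdConnection {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389, [System.Net.NetworkCredential]$Credential = $null)
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $Credential, 'Negotiate')
    $connection.SessionOptions.Signing = $true   # integrity: results cannot be altered in transit
    $connection.SessionOptions.Sealing = $true   # confidentiality: nothing in clear text on port 389
    $connection.Bind()
    return $connection
}

# 1. Authentication: bind with the user's own name and password. The application never
#    reads the stored password; the DC verifies it and a successful bind is the proof.
function Test-AdCredential {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$UserPrincipalName,
          [Parameter(Mandatory)][securestring]$Password)
    $credential = New-Object System.Net.NetworkCredential($UserPrincipalName, $Password)
    try {
        $connection = New-AdConnection -Server $Server -Port 389 -Credential $credential
        $connection.Dispose()
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # error code 49 = invalid credentials; any other failure is also treated as "not authenticated"
        Write-Verbose "Bind as $UserPrincipalName failed: $($_.Exception.Message)"
        return $false
    }
}

# 2. Attribute lookup by sAMAccountName. Port 389 on a DC of the user's domain returns every
#    attribute. Port 3268 (global catalog) spans all domains of ONE forest but only the partial
#    attribute set (mail is in it; memberOf is incomplete there because global and domain-local
#    group membership is not replicated to the GC). Neither port reaches the RES forest: that
#    needs a separate connection to a RES domain controller.
function Get-AdUserInfo {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389,
          [Parameter(Mandatory)][string]$BaseDn,            # e.g. DC=auth,DC=example,DC=com
          [Parameter(Mandatory)][string]$SamAccountName,    # untrusted input from the application
          [System.Net.NetworkCredential]$Credential = $null)
    $connection = New-AdConnection -Server $Server -Port $Port -Credential $Credential
    try {
        $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
        $attributes = [string[]]@('distinguishedName', 'mail', 'memberOf')
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, 'Subtree', $attributes)
        $response = $connection.SendRequest($request)
    } finally {
        $connection.Dispose()
    }
    if ($response.Entries.Count -ne 1) { return $null }   # unknown or ambiguous: treat as not found
    $entry = $response.Entries[0]
    $mail = if ($entry.Attributes.Contains('mail')) { [string]$entry.Attributes['mail'][0] } else { $null }
    $groups = if ($entry.Attributes.Contains('memberOf')) { [string[]]$entry.Attributes['memberOf'].GetValues([string]) } else { @() }
    [pscustomobject]@{
        DistinguishedName = $entry.DistinguishedName
        Mail              = $mail
        MemberOf          = $groups   # direct memberships only; use Test-AdGroupMember for nesting
    }
}

# 3. Group membership including nested groups: the DC walks the chain itself through the
#    LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941). Ask a DC of the domain
#    that holds the group on 389, not the GC.
function Test-AdGroupMember {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$UserDn,
          [Parameter(Mandatory)][string]$GroupDn, [System.Net.NetworkCredential]$Credential = $null)
    $connection = New-AdConnection -Server $Server -Port 389 -Credential $Credential
    try {
        $filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $UserDn))"
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest($GroupDn, $filter, 'Base', [string[]]@('distinguishedName'))
        $response = $connection.SendRequest($request)
    } finally {
        $connection.Dispose()
    }
    return ($response.Entries.Count -eq 1)
}

# Usage with placeholder names: bind with the password the user typed, then run the lookups
# under the account the script is running as (the application would use its service account).
$dc = 'dc01.auth.example.com'
$password = Read-Host -AsSecureString -Prompt 'Password for jsmith@auth.example.com'
if (Test-AdCredential -Server $dc -UserPrincipalName 'jsmith@auth.example.com' -Password $password) {
    $user = Get-AdUserInfo -Server $dc -BaseDn 'DC=auth,DC=example,DC=com' -SamAccountName 'jsmith'
    $user
    Test-AdGroupMember -Server $dc -UserDn $user.DistinguishedName -GroupDn 'CN=App Users,OU=Groups,DC=auth,DC=example,DC=com'
}
```

Negotiate ends up as Kerberos only when the application host can obtain a service ticket for the DC (it is joined to, or trusted by, the AUTH forest and can reach a KDC); otherwise it silently falls back to NTLM, so check the security log on the DC during the vendor's test to see which one is actually in use. Either way, keep signing and sealing on (or use LDAPS on port 636) so that the bind and the query results are not sent in the clear, and escape every value taken from the application before it goes into a filter.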
