Results 1 to 2 of 2

Thread: MS ADAM authentication with Java app - can authenticate with local ADAM accounts; CANNOT authenticate with proxy accounts sync'd from AD domain

  1. #1
    Join Date
    Feb 2010
    Posts
    1

    MS ADAM authentication with Java app - can authenticate with local ADAM accounts; CANNOT authenticate with proxy accounts sync'd from AD domain

    We are having an issue where we cannot authenticate to our Java app with the proxy accounts sync'd from our parent AD domain.

    [our environment]
    We have an OU within an AD environment, which we have limited rights. In order to maintain security, we stood up a ADAM environment for our internet-facing Java(JBoss) web application. Local accounts in ADAM are for our vendor. We perform ADAMsync to grab the proxy accounts from our AD OU.

    [how we have designed it on paper to work]
    We have had success with local ADAM accounts. However, we have failed at each login attempt while attempting to use proxy accounts. We did notice that the Java app was coded to use the CN attribute. Furthermore, we noticed that CN=login ID with our local ADAM accounts, per our setting...which differed from the sync'd proxy accounts where CN=First Name, Last Name....obviously this wouldn't work(character limits in login field of app)...so we changed the Java(JBoss) code to use the samAccountName attribute, which is a matched login ID on both sides(ADAM/AD). This still failed. We even attempted to bind using samAccountname attribute during our Adamsync but could not. Lastly, we attempted to use the UserPrincipalName attribute...but that failed as well.

    What are we missing guys?!

    Please help.

  2. #2
    Join Date
    May 2009
    Posts
    511

    Re: MS ADAM authentication with Java app - can authenticate with local ADAM accounts; CANNOT authenticate with proxy accounts sync'd from AD domain

    The API access to LDAP is in Javas (since version 1.3) with the package javax.naming and javax.naming.directory. And for authentication, you must create a person object in the directory that contains several attributes including Uid and Password. You can use standard LDAP predefined classes such as class person or a derived class. If your LDAP directory will not do you as an app, you can store the rights directly as an attribute (multivalued) of your person object.

Similar Threads

  1. Replies: 3
    Last Post: 01-03-2012, 08:48 PM
  2. ADAM Kerberos Authentication issue and missing SPNs
    By mbenson in forum Active Directory
    Replies: 2
    Last Post: 15-02-2012, 11:32 AM
  3. AD fails to authenticate some computer accounts
    By Tom in forum Active Directory
    Replies: 4
    Last Post: 21-09-2010, 04:07 PM
  4. Replies: 2
    Last Post: 22-07-2009, 11:55 PM
  5. AD to ADAM sync issues
    By ahertenstein in forum Active Directory
    Replies: 11
    Last Post: 14-11-2008, 04:44 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,718,297,679.93866 seconds with 17 queries