User Authentication against NT Domain

Hi Expert
I want to code a program which ask for my user id and password and then
authenticate it from my NT domain, mean verigy that am I a valid user or not ? If yes then is my password correct ?
Any one who can give me some help to start ? I believe it can be done but I don't know how and what are the functions and libraries available to do so.
Any help will be appreciated.
Thanks
-- Kashif Ahmed
[email protected]

Create an intial context to the Directory Server using Basic Authentication. You will have to pass the username and password (which for ADS is userPrincipalName or domain\username). As long as you do not get an AuthenticationException then your user is "Authenticated". Just remember the security implications, the password is sent in plain text.

Similar Messages

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that Active Directory server Reject the authentication attempt
    as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
    Event Logs why did the user account got locked.
    Under Even Viewers, You can find it out
    Regards
    Minakshi (Do rate the helpful posts)

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
    3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
    In your cases, the 3rd option seems to be the most closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Non-domain user authentication against SSAS on Active/Passive Cluster

    Hello,
    We have an Active/Passive SQL Server setup (DB1 & DB2 Servers) connected to a cluster for SQL & SSAS.  I have a web server not on the same domain that I am trying to authenticate with SSAS.  This works OK if I set the website to impersonate
    myUser and I add local account myUser as an Admin on SSAS for the active server (DB1).  But when this fails over to DB2 then it fails to authenticate.  SSAS won't allow us to add myUser as an admin for local accounts on both DB1 & DB2 as it errors
    adding the second one.  Could anyone advise how such a scenario should be approached?
    We have tried creating a domain user too which DB1 & DB2 can of course both share but I don't think the web server can impersonate this with being not part of the domain.
    Thanks.

    Hi Jcorker,
    According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
    In SSAS we can use the solution below achieve the requirement.
    1.Create new domain account and impersonate the web site with that.
    2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
    However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
    create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
    Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
    http://technet.microsoft.com/en-us/library/cc961481.aspx
    Regards,
    Charlie Liao
    If you have any feedback on our support, please click
    here.
    Charlie Liao
    TechNet Community Support

  • User authentication against LDAP - Non-AD

    Hi,
    We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
    ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
    ldapAuthentication.enabled = true
    ldapAuthentication.tryNextProviderIfNoAuthenticated = true
    ldapAuthentication.stopIfCommunicationError = true
    ldapAuthentication.url=ldap\://localhost:389/
    ldapAuthentication.rootContext=DC=test,DC=com
    ldapAuthentication.securityPrincipal=CN=Directory Manager
    ldapAuthentication.securityCredential.encrypted=password
    ldapAuthentication.keepContextPrefix=false
    ldapAuthentication.isAD=false
    ldapAuthentication.userAccountSearchKey=CN
    ldapAuthentication.firstNameSearchKey=givenName
    ldapAuthentication.lastNameSearchKey=sn
    Still I am getting while I try to login to OIA as an OUD user:
    WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
    Please help

    Hi Jcorker,
    According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
    In SSAS we can use the solution below achieve the requirement.
    1.Create new domain account and impersonate the web site with that.
    2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
    However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
    create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
    Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
    http://technet.microsoft.com/en-us/library/cc961481.aspx
    Regards,
    Charlie Liao
    If you have any feedback on our support, please click
    here.
    Charlie Liao
    TechNet Community Support

  • Solaris 10 Ldap Client user authentication against edirectory

    Hello,
    We have moved some of our oracle databases from linux to solaris 10 u7, I need to setup secure ldap authentication for the users against a linux based eDirectory server. Can some one point me in the right direction of good documentation or a good explaination on what i need and how to go about this.
    I have spent the last couple of days reading about pam, nsswitch.ldap nsswitch.conf and certificates now I need to pull all this information into a usable format.
    Thanks
    ukgreenman

    I have a similar question.
    Did you have a solution ?
    thanks

  • Authentication against NT Domain

    Hi Expert
              I want to code a program which ask for my user id and password and then
              authenticate it from my NT domain, mean am I a valid user or not ? If yes
              then is my password correct ?
              Any one who can give me some help to start ? can a servlet do this all stuff
              for me ?
              Any help will be appreciated.
              Thanks
              -- Ali
              

              Hi,
              I am solving the same problem. There is a product called JCSI Single Sign-On that
              should provide the authentication support for Windows clients based on the Active
              Directory. If I understand it well. The browser (IE) will send a Kerberos ticket
              to the server (SPNEGO) and the server will consider it as a authenticated principal.
              However I don't know anything more at this moment.
              If you find someting out, let us pls. know.
              Zdenek
              "Ali" <[email protected]> wrote:
              >Hi Expert
              >
              >I want to code a program which ask for my user id and password and then
              >authenticate it from my NT domain, mean am I a valid user or not ? If
              >yes
              >then is my password correct ?
              >
              >Any one who can give me some help to start ? can a servlet do this all
              >stuff
              >for me ?
              >
              >Any help will be appreciated.
              >Thanks
              >
              >-- Ali
              >
              

  • Authentication against 2000 domain server

    Is ther any way to authorize client using it's logon information, using the same domain server than the one used for login pourposes
    Thanks in advance

    Cisco Secure ACS 2.6 or higher should accomplish this for you.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/jacsb26.htm

  • How do you selectively disable users validated by nt domain?

    We are validating our sw vpn users on our 3030 via nt domain. Therefore there are no individual userids.
    How can we selectively disable certain users? e.g. A few office workers not allowed to come in from home.
    If this were Windows / RAS we could uncheck the dialin box on their user profile - is there some similar setting within Windows for sw VPN users?
    Or even better, are these domain authenticated users authenticated against any particular nt group, from which we could then remove them?

    With NT Domain Authentication, what you are trying is not possible. What you need to do is to configure the concentrator to use Radius. You could refer to http://www.cisco.com/warp/public/471/cisco_vpn_msradius.html and http://www.cisco.com/warp/public/471/vpn3k_ias.html for more configuration information.

  • ACS 5.1 Authentication against AD problem

    I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44.  We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues.  His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server.  Several other users have changed their passwords in AD and have not encountered this problem.
    ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
    I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
    The only difference between the two ACS servers are that they are querying different AD servers.  I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning.  I've also restarted the services and cold started the ACS virtual machine to no effect.  I have yet to try clearing the AD configuration and re-entering it.
    show logging application acs reveals the following:
    ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
    ying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
    led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
    ying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
    led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
    password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
    I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
    Any ideas on what might be the cause, and how I can fix this?
    Thanks!

    Hello,
    It is complicated to explain this rule but hopelly you will understand.
    I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
    Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
    To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
    Regards,
    Sebastian Aguirre

  • Oracle Database Authentication against Microsoft Active Directory

    Hello
    Does anyone know if it is possible or can point me in the right direction of some documentation that discuss Oracle database user authentication against and Enterprise Directory Service, in my cases MS AD?
    My environment consists of Oracle RDBMS 10.2.0.3 on Linux Red Hat AS 4. Our users connect in from Window clients. I would like to know if there is a way to autheticate users from Windows to the database using LDAP based (AD) authentication. In oters words how do I configure authentication to be done for "identified globally accounts"? I know that the identified by globally accounts require the use of the CN which I have done, but it seems like there is some piece missing. Perhaps an Oracle schema or modification to Active Directory??
    So my questions are
    1. Is it possible to authenticate users against AD without the implementation of OID?
    2. Is there documentation someone has or can point me to that outlines the required steps?
    3. Anything I should know?
    I appreciate any help. The documentation I have found so far doesn't seem to be what I need... So I am looking for some advice.
    Thanks.

    Sure, two methods to auth from Oracle DB to MSAD:
    OID and OVD
    I am working on our own proof of concept configuring EUS connect to OVD with an MSAD as auth at the moment. OVD basically is presenting the database with OracleSchema and OracleContext info. And when you connect via netca (ldap.ora), you assign it as OID directory authentication type.
    Here's an OVD manual on Integrating with EUS (chapter 7 is for MSAD)http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/e10286.pdf
    And this would be what the EUS config should look like:
    http://www.oracle.com/technology/deploy/security/database-security/howtos/eus-how-to.html
    If you've done everything in the first doc...
    Hope this answers your questions.

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
    We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD).  Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect the that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    Seems like your issue maybe related to DNS, when ISE receives the format [email protected], the dns request is failing. However, there is a setting for alternate UPN Suffixes that can be configured to include domain.com and student.domain.com.
    Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Anybody done USERID/PASSWORD authentication against aWindows NT Domain

    I think I'll have to write a C++ Program to the WinNT API to do it
    (LogonUser). Then I'll wrap it with a service object for authentication. Has
    it been done before? Or something similar? We want to validate users against
    a WindowsNT Server DOMAIN.
    -martin ([email protected])

    Hi Martin & All,
    Yes you are right, wrap the API in C++/C then write a PEX file for interface to Fort&eacute; and use the method to invoke the WinNT API authentication. Do not forget to validate the return values from the methods. They are very crucial in handling exceptions etc., in forte.
    I've done the same to provide the mail user authentication in MAPI API wrapper for Fort&eacute;.
    Is this what you looking for????
    Regards,
    Sivaram S Ghorakavi mailto:[email protected]
    International Business Corporation http://www.ibcweb.com/
    From: Martin G Nystrom
    Sent: Wednesday, November 26, 1997 1:53 PM
    To: [email protected]
    Subject: Anybody done USERID/PASSWORD authentication against a Windows NTDomain?
    I think I'll have to write a C++ Program to the WinNT API to do it
    (LogonUser). Then I'll wrap it with a service object for authentication. Has
    it been done before? Or something similar? We want to validate users against
    a WindowsNT Server DOMAIN.
    -martin ([email protected])

  • "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

    I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
    1st Error (from administrative events):
    The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
    Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
    Tried so far:-
    - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
    2nd Error (from application server):
    DistributedCOM error
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
    {000C101C-0000-0000-C000-000000000046}
     and APPID 
    {000C101C-0000-0000-C000-000000000046}
     to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
    https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
    Other Fixes I tried
    - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
    loading up using w3wp.exe from processes. 
    Concern
    - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

    Hi Kpdn, 
    Thanks for your post.
    All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click
    HERE to participate the survey.

  • How can I tell if a user has already authenticated against AD?

    Sorry to begin with if this has been dealt with in another thread already. Ive taken a look around and cant see something that answers my questions exactly. If such a thread exists, please point me in that direction.
    We have a product that needs to be installed on a customer site. Its a windows based, web fronted application with a client program on the user's pc and a server side component that handles requests for data. What I need to do is to check if the user has already authenticated against active directory. If so then I dont need to ask for authentication (single sign on).
    This is my first look at jndi so Im in the dark about how this should be done. Is there a way to use the user's credentials (is there a token?) to check or do I need a specific login for my application to access the customer AD?
    Any tips would be very welcome,
    Mark

    You may want to refer to the Java Security forum at http://forum.java.sun.com/forum.jspa?forumID=545 for information on Kerberos & JAAS.
    There is a also a post in this forum, outlining how to utilise Kerberos, JAAS with JNDI to access Active Directory. JNDI, Active Directory and Authentication (Part 1) (Kerberos)
    at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
    Possibly the part you are looking for is the functionality included in the class that implements java.security.PrivilegedAction
    Good luck.

Maybe you are looking for