Patrick Cauldwell's Blog - Integrating ADAM and AzMan

Wednesday, January 24, 2007

I'll post some code later on, but I wanted to make some quick points about integrating ADAM and AzMan. I'm in the midst of building an authentication/authorization system using the two technologies together, and have some across some stumbling blocks. There's not much documentation, particularly around AzMan, and the COM interfaces for AzMan can be a bit cumbersome.

Storing users in ADAM and authorizing them using ADAM requires Windows 2003 Server or Vista. There's no decent way to make this work on Windows XP. The necessary AzMan interface, IAzClientContext2, doesn't exist on XP. It's required for using a collection of user and group SIDs from ADAM to do access checks against AzMan. I'll post some code later...

IAzClientContext2 is also available on Vista, so Vista is also a viable dev platform.

There are some confusing interactions between the AzMan UI and the programmatic API. If you create a Role in the AzMan UI, but don't create a RoleAssignment, the programmatic call to IAzApplication2.OpenRole will fail. If you create the role assignment, but don't actually assign any users or groups to it, OpenRole succeeds. Conversely, if you call the programmatic IAzApplication2.CreateRole method and assign operations and users to the role in code, the RoleAssignment shows up in the UI, but not the Role itself.
If you assign an ADAM user to be a member of an AzMan group, it won't show up in the AzMan UI, but if you assign them directly to a Role, the ADAM user's SID will show up (as "unknown SID") under the RoleAssignment. Either way, the call to AccessCheck works correctly.
You must pass the complete list of group SIDs from ADAM, but fetching the user's "tokenGroups" property. Don't use "memberOf" because it doesn't take into account groups which belong to other groups.

More detail to come...

Wednesday, January 24, 2007 6:08:12 PM (Pacific Standard Time, UTC-08:00)

Disclaimer | Comments [2] | Related posts:
A new role
Configuring AD-LDS
Continuous Integration at SAO
Continuous Integration at SPIN
Code Leader is shipping
Firebug

Sunday, January 28, 2007 10:04:33 PM (Pacific Standard Time, UTC-08:00)

Hey Patrick,

Well, I am glad to see that someone else is slogging through this mess :) Misery loves company.

I have been trying various combinations of this technology myself for more than a week without 100% success. I am running ASP.NET 2.0 security on Windows XP SP2 for my dev box and have a Windows Server 2003 SP1 installation that has my ADAM and AzMan installations.

I am able to create /delete users and roles, but I cannot add a user to a role programatically. I get the error: "The directory property cannot be found in the cache." whenever I attempt the AddUserToRoles method. I found some relevant links, but I have to admit is a bit tough to follow: http://blogs.msdn.com/azman/archive/2006/05/06/591230.aspx.

I'll keep plugging and let you know if there is any breakthrough. I'll keep an eye on your blog as well to see if we can knock this one out!

Thanks,
Mike

Mike Danielski

Monday, January 29, 2007 3:29:14 AM (Pacific Standard Time, UTC-08:00)

What does the code look like? You're trying to add an ADAM user's sid to the Role, yes? When you get the ADAM user from the directory, are you specifically calling RefreshCache with named parameters? If not, try explicitly asking for the "objectSid" property. The error you are getting suggests that the property that you are trying to access hasn't been downloaded from the directory.
Hope that helps.

Patrick

Patrick

Comments are closed.

On this page....