LarmenDarnforth
Fri May 09 12:19:25 PDT 2008
Joe,
Thanks for your response. I appreciate it.
The CRAM-MD5 is actually coming from any one of a number of mail clients.
For example, Outlook->Tools->Accounts->Properties->Servers->My mail server
requires authentication->Use the same settings as my incoming mail server; in
this case I believe that the mail client provides the username and if the
CRAM-MD5 is offered provides the hashed password only. I did not sniff the
wire for the CRAM-MD5, but am presuming that the mail client (as is the case
generally) will not produce the password in cleartext if the CRAM-MD5 is
offered by the server.
The above is for Outlook 2000, but it's the same on other clients for SMTP
connections.
Exchange handles this situation, and it appears to authenticate against AD
with only the hash.
I'll check the InitializeSecurityContext API docs and verify that the
CRAM-MD5 is what is used, but if you have any additional suggestions they'd
be greatly appreciated.
"Joe Kaplan" wrote:
> It seems like this should be possible, although it is definitely not
> possible via LDAP (S.DS) or any other .NET APIs that I know of.
>
> You might look at the API documentation for the DIGEST SSP (look at the
> InitializeSecurityContext API docs) to see if that might help (I have no
> idea if DIGEST is being used here or not). You might also look for other
> docs on CRAM-MD5.
>
> Where is the password hash coming from?
>
> Joe K.
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
>
> http://www.directoryprogramming.net
> --
> "Larmen Darnforth" <Larmen Darnforth@discussions.microsoft.com> wrote in
> message news:A7AADC11-CB73-41CE-BA67-A706642340D4@microsoft.com...
> > Joe,
> >
> > Thanks for your reply.
> >
> > On an SMTP server, where CRAM-MD5 is accepted, the server can authenticate
> > against AD, and the sending server only provides the hash. Wouldn't this
> > mean that there's a way to do this?
> >
> > Maybe there's no .net mechanism, but it appears that there should be some
> > way to do it.
> >
> > Thanks.
> >
> >
> >
> > "Joe Kaplan" wrote:
> >
> >> No. There are no APIs that support this.
> >>
> >> Joe K.
> >> --
> >> Joe Kaplan-MS MVP Directory Services Programming
> >> Co-author of "The .NET Developer's Guide to Directory Services
> >> Programming"
> >>
> >> http://www.directoryprogramming.net
> >> --
> >> "Larmen Darnforth" <Larmen Darnforth@discussions.microsoft.com> wrote in
> >> message news:0AD400E6-B9FA-456E-87EE-13D1AFDC48C9@microsoft.com...
> >> > Is there any way to authenticate against AD with a user name and
> >> > password
> >> > hash (MD5) only? The code provided below authenticates with a
> >> > password,
> >> > but
> >> > unfortunately I only have the hash (it's provided by a connecting
> >> > system).
> >> >
> >> > Thanks in advance.
> >> >
> >> >
> >> >
> >> > // Requires: using System.DirectoryServices;
> >> > private bool ActiveDirectoryAuthenticate(string userName, string password, string domain)
> >> > {
> >> >     bool isAuthentic = false;
> >> >     try
> >> >     {
> >> >         // Bind to the domain with the supplied credentials. The constructor
> >> >         // takes the password itself; there is no overload that accepts a hash.
> >> >         DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password);
> >> >         // Touching NativeObject forces the bind; it throws if the credentials are rejected.
> >> >         object nativeObject = entry.NativeObject;
> >> >         isAuthentic = true;
> >> >     }
> >> >     catch (DirectoryServicesCOMException)
> >> >     {
> >> >         // Bind rejected by the directory: fall through and return false.
> >> >     }
> >> >     catch
> >> >     {
> >> >         // Any other failure (unreachable DC, bad path) is treated as not authenticated.
> >> >     }
> >> >
> >> >     return isAuthentic;
> >> > }
> >> >
> >>
> >>
> >>
>
>
>
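The thread talks about a mail client "providing the hashed password" under CRAM-MD5. The following is an added example, not code from the thread or from any Microsoft or Exchange component, that implements both sides of the CRAM-MD5 exchange (RFC 2195) in Python so the mechanics are visible: the server issues a one-time challenge, the client returns HMAC-MD5 keyed with the password over that challenge, and the server recomputes the same HMAC to verify. The hostname, the user store (`USER_SECRETS`) and the credentials are constructed sample values. It also shows two properties that matter when deciding whether AD could be the verifier: the value on the wire is bound to the challenge, so a captured response cannot be replayed against a fresh challenge, and a verifier that holds only MD5(password) rather than the password cannot reproduce the client's digest.

```python
"""CRAM-MD5 (RFC 2195) exchange: server challenge, client response, server check.
Added example; the host, user store and credentials below are constructed."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credential store. A real SMTP server would look the secret up
# in its directory; the point is that it needs the secret itself.
USER_SECRETS = {"alice": "correct horse battery staple"}


def make_challenge(hostname: str = "mail.example.test") -> bytes:
    """Server side: a fresh challenge in the RFC 2195 form <unique.timestamp@host>."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode("utf-8")


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username HEX(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode("utf-8")


def server_verify(response: bytes, challenge: bytes, secrets_db: dict) -> bool:
    """Server side: recompute the HMAC with the stored secret and compare."""
    username, _, digest = response.decode("utf-8").partition(" ")
    # Use an empty key for unknown users so the cost does not reveal whether the user exists.
    secret = secrets_db.get(username, "")
    expected = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return username in secrets_db and hmac.compare_digest(expected, digest)


def smtp_auth_lines(username: str, password: str, secrets_db: dict) -> tuple:
    """Wire-level view of AUTH CRAM-MD5: the 334 challenge, the client's base64 reply,
    and the server's 235/535 result line."""
    challenge = make_challenge()
    server_line = "334 " + base64.b64encode(challenge).decode("ascii")
    client_line = base64.b64encode(client_response(username, password, challenge)).decode("ascii")
    ok = server_verify(base64.b64decode(client_line), challenge, secrets_db)
    result_line = ("235 2.7.0 Authentication successful" if ok
                   else "535 5.7.8 Authentication credentials invalid")
    return server_line, client_line, result_line


def md5_of_password_hex(password: str) -> str:
    """An unsalted MD5 of the password, standing in for a stored 'hash only' record."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_with_stored_md5_only(response: bytes, challenge: bytes, md5_hex: str) -> bool:
    """What a verifier that holds only MD5(password) can do: key the HMAC with that
    hash. It never matches a genuine client response, which shows that CRAM-MD5
    verification needs the password itself (or the password-equivalent HMAC key state),
    not a digest of it."""
    _, _, digest = response.decode("utf-8").partition(" ")
    guess = hmac.new(md5_hex.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(guess, digest)


if __name__ == "__main__":
    for line in smtp_auth_lines("alice", USER_SECRETS["alice"], USER_SECRETS):
        print(line)
```

The known-answer values from RFC 2195 (user `tim`, password `tanstaaftanstaaf`, challenge `<1896.697170952@postoffice.reston.mci.net>`) can be fed to `client_response` to confirm the HMAC construction matches the specification.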