What operational differences when use Active Directory Application Mode(AD/AM)?

O

Ohaya

Hi,

I have a Win2K3 Server system setup now, with IIS, Active Directory, and
Certificate Server, and have been successful in issuing client
certificates from Certificate Server, and setting up IIS doing client
authentication and using the Active Directory Mapping feature (so
sessions get logged in under Windows user names matching the client
certificates).

Now, I am looking into replacing Active Directory with the Active
Directory Application Mode (AD/AM). This would be a clean installation
of Win2K3 Server.

I have just started to research this, but I was wondering what the
experience has been with AD/AM. From an operational standpoint (both
administration and usage), what kinds of things will work differently
when I use AD/AM vs. "regular" AD?

This would be for (purely) running a secure website (under IIS).

Thanks in advance!!!
 
E

Eric Fleischman [MSFT]

(Cross posting to the 2003 AD newsgroup as that's typically where we find
ADAM posts)

It's tough to answer this in a quick post without doing a copy/paste of the
white paper, but a few thoughts off of the top of my head:

1) ADAM would have an independent schema from your existing AD
infrastructure
2) ADAM could have many instances running on a single server whereas for
each domain you had you would need at least one server (DC) to host it.
3) ADAM has bind redirection which is nice for some applications.

On the flip side, advantages of AD:
1) It is a full domain, full security principals, kerberos, clients joining
the domain, etc.
2) Group policy.
3) A big thing to remember: you can *NOT* ACL resources outside of ADAM with
ADAM users. So if you had an ADAM user and wanted to grant them access to a
file, strictly speaking, you can't do that. You would want AD for that.

From a pure LDAP/ADSI perspective, you'll find them similar I think.

Others will probably have other suggestions/thoughts on the matter.
I'd suggest checking out the white paper to see some of the recommended ADAM
useage scenario's.

~Eric
 
D

Dmitri Gavrilov [MSFT]

One thing to add: you can not impersonate an ADAM user in windows, so none
of IIS auth methods will work for ADAM users, because they involve IIS
thread impersonating a windows user. You can get around by carrying
username/pwd around (in a session var or a cookie), and use them to access
data in ADAM with ADSI or LDAP. Or you can always use IIS account to access
data in ADAM -- but then you can't ACL adam objects for different adam
users..

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Eric Fleischman said:
(Cross posting to the 2003 AD newsgroup as that's typically where we find
ADAM posts)

It's tough to answer this in a quick post without doing a copy/paste of the
white paper, but a few thoughts off of the top of my head:

1) ADAM would have an independent schema from your existing AD
infrastructure
2) ADAM could have many instances running on a single server whereas for
each domain you had you would need at least one server (DC) to host it.
3) ADAM has bind redirection which is nice for some applications.

On the flip side, advantages of AD:
1) It is a full domain, full security principals, kerberos, clients joining
the domain, etc.
2) Group policy.
3) A big thing to remember: you can *NOT* ACL resources outside of ADAM with
ADAM users. So if you had an ADAM user and wanted to grant them access to a
file, strictly speaking, you can't do that. You would want AD for that.

From a pure LDAP/ADSI perspective, you'll find them similar I think.

Others will probably have other suggestions/thoughts on the matter.
I'd suggest checking out the white paper to see some of the recommended ADAM
useage scenario's.

~Eric

--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights


Ohaya said:
Hi,

I have a Win2K3 Server system setup now, with IIS, Active Directory, and
Certificate Server, and have been successful in issuing client
certificates from Certificate Server, and setting up IIS doing client
authentication and using the Active Directory Mapping feature (so
sessions get logged in under Windows user names matching the client
certificates).

Now, I am looking into replacing Active Directory with the Active
Directory Application Mode (AD/AM). This would be a clean installation
of Win2K3 Server.

I have just started to research this, but I was wondering what the
experience has been with AD/AM. From an operational standpoint (both
administration and usage), what kinds of things will work differently
when I use AD/AM vs. "regular" AD?

This would be for (purely) running a secure website (under IIS).

Thanks in advance!!!
 
O

Ohaya

Eric and Dmitri,

I am really new to this (just found out about the AD/AM bit recently).
Prior to that, I was very happy (dumb, but happy :)), getting AD,
Certificate Server, and IIS all working together nicely.

As some background (maybe somewhat redundant), I had things setup and
working so that I could issue/install client certs into client machines
using the Certsrv, and then had clients doing secure SSL connection with
IIS, and then had the session running/logged under the appropriate
Windows user name via the Active Directory Mapper.

In addition just the user authentication aspect of all this, since the
mapping to Windows users works the way it does, we got a nice audit
trail (in the IIS logs) of activity-by-individual-user.

Now, with the introduction of AD/AM into all of this (or replacement of
AD by AD/AM, I think), I'm trying to understand how to "replicate" the
functionality described in the above paragraph.

If I'm understanding your (esp. Dmitri's comments), if we move to
JUST/ONLY AD/AM, we should be able to still have the client
authentication functionality (since that's built-in to IIS, I guess),
but we wouldn't be able to have IIS impersonate a Windows user (at least
not without some ASP additional code specifically for this?).

And, more to the point, we wouldn't be able to JUST CONFIGURE IIS in
such a way that it would include the user name of the Windows user (that
is associated with the authenticated client certificate) in the IIS
logs. It seems like, in order to accommodate this, we'd have to
implement/incorporate our own (ASP) application-level logging.

Is my understanding of your comments accurate/correct?

Thanks again in advance!!!




Dmitri Gavrilov said:
One thing to add: you can not impersonate an ADAM user in windows, so none
of IIS auth methods will work for ADAM users, because they involve IIS
thread impersonating a windows user. You can get around by carrying
username/pwd around (in a session var or a cookie), and use them to access
data in ADAM with ADSI or LDAP. Or you can always use IIS account to access
data in ADAM -- but then you can't ACL adam objects for different adam
users..

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Eric Fleischman said:
(Cross posting to the 2003 AD newsgroup as that's typically where we find
ADAM posts)

It's tough to answer this in a quick post without doing a copy/paste of the
white paper, but a few thoughts off of the top of my head:

1) ADAM would have an independent schema from your existing AD
infrastructure
2) ADAM could have many instances running on a single server whereas for
each domain you had you would need at least one server (DC) to host it.
3) ADAM has bind redirection which is nice for some applications.

On the flip side, advantages of AD:
1) It is a full domain, full security principals, kerberos, clients joining
the domain, etc.
2) Group policy.
3) A big thing to remember: you can *NOT* ACL resources outside of ADAM with
ADAM users. So if you had an ADAM user and wanted to grant them access to a
file, strictly speaking, you can't do that. You would want AD for that.

From a pure LDAP/ADSI perspective, you'll find them similar I think.

Others will probably have other suggestions/thoughts on the matter.
I'd suggest checking out the white paper to see some of the recommended ADAM
useage scenario's.

~Eric

--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights


Ohaya said:
Hi,

I have a Win2K3 Server system setup now, with IIS, Active Directory, and
Certificate Server, and have been successful in issuing client
certificates from Certificate Server, and setting up IIS doing client
authentication and using the Active Directory Mapping feature (so
sessions get logged in under Windows user names matching the client
certificates).

Now, I am looking into replacing Active Directory with the Active
Directory Application Mode (AD/AM). This would be a clean installation
of Win2K3 Server.

I have just started to research this, but I was wondering what the
experience has been with AD/AM. From an operational standpoint (both
administration and usage), what kinds of things will work differently
when I use AD/AM vs. "regular" AD?

This would be for (purely) running a secure website (under IIS).

Thanks in advance!!!
 
D

Dmitri Gavrilov [MSFT]

You mentioned "Windows user". You can't get rid of AD if you plan to keep
using Windows users. You can use ADAM to store some app data (even about
users), but you still need AD as the user store. ADAM supports
authentication of windows users (by forwarding auth requests to the OS).

If you need "nice audit logs" etc, then you need windows users. If you want
to auth with a client cert, you need to use windows users. Only simple bind
auth is supported for ADAM users. OS and IIS know nothing about ADAM and
ADAM users, thus they can't log ADAM users names.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Ohaya said:
Eric and Dmitri,

I am really new to this (just found out about the AD/AM bit recently).
Prior to that, I was very happy (dumb, but happy :)), getting AD,
Certificate Server, and IIS all working together nicely.

As some background (maybe somewhat redundant), I had things setup and
working so that I could issue/install client certs into client machines
using the Certsrv, and then had clients doing secure SSL connection with
IIS, and then had the session running/logged under the appropriate
Windows user name via the Active Directory Mapper.

In addition just the user authentication aspect of all this, since the
mapping to Windows users works the way it does, we got a nice audit
trail (in the IIS logs) of activity-by-individual-user.

Now, with the introduction of AD/AM into all of this (or replacement of
AD by AD/AM, I think), I'm trying to understand how to "replicate" the
functionality described in the above paragraph.

If I'm understanding your (esp. Dmitri's comments), if we move to
JUST/ONLY AD/AM, we should be able to still have the client
authentication functionality (since that's built-in to IIS, I guess),
but we wouldn't be able to have IIS impersonate a Windows user (at least
not without some ASP additional code specifically for this?).

And, more to the point, we wouldn't be able to JUST CONFIGURE IIS in
such a way that it would include the user name of the Windows user (that
is associated with the authenticated client certificate) in the IIS
logs. It seems like, in order to accommodate this, we'd have to
implement/incorporate our own (ASP) application-level logging.

Is my understanding of your comments accurate/correct?

Thanks again in advance!!!




Dmitri Gavrilov said:
One thing to add: you can not impersonate an ADAM user in windows, so none
of IIS auth methods will work for ADAM users, because they involve IIS
thread impersonating a windows user. You can get around by carrying
username/pwd around (in a session var or a cookie), and use them to access
data in ADAM with ADSI or LDAP. Or you can always use IIS account to access
data in ADAM -- but then you can't ACL adam objects for different adam
users..

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Eric Fleischman said:
(Cross posting to the 2003 AD newsgroup as that's typically where we find
ADAM posts)

It's tough to answer this in a quick post without doing a copy/paste
of
the
white paper, but a few thoughts off of the top of my head:

1) ADAM would have an independent schema from your existing AD
infrastructure
2) ADAM could have many instances running on a single server whereas for
each domain you had you would need at least one server (DC) to host it.
3) ADAM has bind redirection which is nice for some applications.

On the flip side, advantages of AD:
1) It is a full domain, full security principals, kerberos, clients joining
the domain, etc.
2) Group policy.
3) A big thing to remember: you can *NOT* ACL resources outside of
ADAM
with
ADAM users. So if you had an ADAM user and wanted to grant them access
to
a
file, strictly speaking, you can't do that. You would want AD for that.

From a pure LDAP/ADSI perspective, you'll find them similar I think.

Others will probably have other suggestions/thoughts on the matter.
I'd suggest checking out the white paper to see some of the
recommended
ADAM
useage scenario's.

~Eric

--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights


Hi,

I have a Win2K3 Server system setup now, with IIS, Active Directory, and
Certificate Server, and have been successful in issuing client
certificates from Certificate Server, and setting up IIS doing client
authentication and using the Active Directory Mapping feature (so
sessions get logged in under Windows user names matching the client
certificates).

Now, I am looking into replacing Active Directory with the Active
Directory Application Mode (AD/AM). This would be a clean installation
of Win2K3 Server.

I have just started to research this, but I was wondering what the
experience has been with AD/AM. From an operational standpoint (both
administration and usage), what kinds of things will work differently
when I use AD/AM vs. "regular" AD?

This would be for (purely) running a secure website (under IIS).

Thanks in advance!!!
 
O

Ohaya

Dmitri,

Thanks (I think :)!) for the confirmation.

I know that this is going to sound silly :(, but the situation is that
we are being forced to use ADAM (i.e., it is not my choice), as a kind
of "core directory" capability.

Given that situation, is there perhaps some way to populate the
"regular" AD from ADAM, automatically?

In other words, keep the ADAM and AD separate, but with a scenario
something like:

- Have ADAM include the Windows user name for each user
- Whenever an ADAM change is made, automatically update the AD with the
appropriate changes (e.g., when a new user added to ADAM (includes the
associated Windows user name), add the new Windows user to AD)
- Other than the above, keep AD and ADAM separate, and do the rest of
what we have now (client authentication with IS and client certs, and,
using Active Directory Mapper, map authenticated sessions to the Windows
user login) the way we do now.

Getting desparate here, I know :(!!!




Dmitri Gavrilov said:
You mentioned "Windows user". You can't get rid of AD if you plan to keep
using Windows users. You can use ADAM to store some app data (even about
users), but you still need AD as the user store. ADAM supports
authentication of windows users (by forwarding auth requests to the OS).

If you need "nice audit logs" etc, then you need windows users. If you want
to auth with a client cert, you need to use windows users. Only simple bind
auth is supported for ADAM users. OS and IIS know nothing about ADAM and
ADAM users, thus they can't log ADAM users names.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Ohaya said:
Eric and Dmitri,

I am really new to this (just found out about the AD/AM bit recently).
Prior to that, I was very happy (dumb, but happy :)), getting AD,
Certificate Server, and IIS all working together nicely.

As some background (maybe somewhat redundant), I had things setup and
working so that I could issue/install client certs into client machines
using the Certsrv, and then had clients doing secure SSL connection with
IIS, and then had the session running/logged under the appropriate
Windows user name via the Active Directory Mapper.

In addition just the user authentication aspect of all this, since the
mapping to Windows users works the way it does, we got a nice audit
trail (in the IIS logs) of activity-by-individual-user.

Now, with the introduction of AD/AM into all of this (or replacement of
AD by AD/AM, I think), I'm trying to understand how to "replicate" the
functionality described in the above paragraph.

If I'm understanding your (esp. Dmitri's comments), if we move to
JUST/ONLY AD/AM, we should be able to still have the client
authentication functionality (since that's built-in to IIS, I guess),
but we wouldn't be able to have IIS impersonate a Windows user (at least
not without some ASP additional code specifically for this?).

And, more to the point, we wouldn't be able to JUST CONFIGURE IIS in
such a way that it would include the user name of the Windows user (that
is associated with the authenticated client certificate) in the IIS
logs. It seems like, in order to accommodate this, we'd have to
implement/incorporate our own (ASP) application-level logging.

Is my understanding of your comments accurate/correct?

Thanks again in advance!!!




Dmitri Gavrilov said:
One thing to add: you can not impersonate an ADAM user in windows, so none
of IIS auth methods will work for ADAM users, because they involve IIS
thread impersonating a windows user. You can get around by carrying
username/pwd around (in a session var or a cookie), and use them to access
data in ADAM with ADSI or LDAP. Or you can always use IIS account to access
data in ADAM -- but then you can't ACL adam objects for different adam
users..

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

(Cross posting to the 2003 AD newsgroup as that's typically where we find
ADAM posts)

It's tough to answer this in a quick post without doing a copy/paste of
the
white paper, but a few thoughts off of the top of my head:

1) ADAM would have an independent schema from your existing AD
infrastructure
2) ADAM could have many instances running on a single server whereas for
each domain you had you would need at least one server (DC) to host it.
3) ADAM has bind redirection which is nice for some applications.

On the flip side, advantages of AD:
1) It is a full domain, full security principals, kerberos, clients
joining
the domain, etc.
2) Group policy.
3) A big thing to remember: you can *NOT* ACL resources outside of ADAM
with
ADAM users. So if you had an ADAM user and wanted to grant them access to
a
file, strictly speaking, you can't do that. You would want AD for that.

From a pure LDAP/ADSI perspective, you'll find them similar I think.

Others will probably have other suggestions/thoughts on the matter.
I'd suggest checking out the white paper to see some of the recommended
ADAM
useage scenario's.

~Eric

--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights


Hi,

I have a Win2K3 Server system setup now, with IIS, Active Directory, and
Certificate Server, and have been successful in issuing client
certificates from Certificate Server, and setting up IIS doing client
authentication and using the Active Directory Mapping feature (so
sessions get logged in under Windows user names matching the client
certificates).

Now, I am looking into replacing Active Directory with the Active
Directory Application Mode (AD/AM). This would be a clean installation
of Win2K3 Server.

I have just started to research this, but I was wondering what the
experience has been with AD/AM. From an operational standpoint (both
administration and usage), what kinds of things will work differently
when I use AD/AM vs. "regular" AD?

This would be for (purely) running a secure website (under IIS).

Thanks in advance!!!
 
D

Dmitri Gavrilov [MSFT]

Take a look at MIIS (formerly known as MMS), it can do these things for you.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
 
O

Ohaya

Dmitri,

AHA! Thanks! This (MIIS) might be a bit much, but I think that it
points me in the right direction!



Dmitri Gavrilov said:
Take a look at MIIS (formerly known as MMS), it can do these things for you.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Ohaya said:
Dmitri,

Thanks (I think :)!) for the confirmation.

I know that this is going to sound silly :(, but the situation is that
we are being forced to use ADAM (i.e., it is not my choice), as a kind
of "core directory" capability.

Given that situation, is there perhaps some way to populate the
"regular" AD from ADAM, automatically?

In other words, keep the ADAM and AD separate, but with a scenario
something like:

- Have ADAM include the Windows user name for each user
- Whenever an ADAM change is made, automatically update the AD with the
appropriate changes (e.g., when a new user added to ADAM (includes the
associated Windows user name), add the new Windows user to AD)
- Other than the above, keep AD and ADAM separate, and do the rest of
what we have now (client authentication with IS and client certs, and,
using Active Directory Mapper, map authenticated sessions to the Windows
user login) the way we do now.

Getting desparate here, I know :(!!!




Dmitri Gavrilov said:
You mentioned "Windows user". You can't get rid of AD if you plan to keep
using Windows users. You can use ADAM to store some app data (even about
users), but you still need AD as the user store. ADAM supports
authentication of windows users (by forwarding auth requests to the OS).

If you need "nice audit logs" etc, then you need windows users. If you want
to auth with a client cert, you need to use windows users. Only simple bind
auth is supported for ADAM users. OS and IIS know nothing about ADAM and
ADAM users, thus they can't log ADAM users names.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Eric and Dmitri,

I am really new to this (just found out about the AD/AM bit recently).
Prior to that, I was very happy (dumb, but happy :)), getting AD,
Certificate Server, and IIS all working together nicely.

As some background (maybe somewhat redundant), I had things setup and
working so that I could issue/install client certs into client machines
using the Certsrv, and then had clients doing secure SSL connection with
IIS, and then had the session running/logged under the appropriate
Windows user name via the Active Directory Mapper.

In addition just the user authentication aspect of all this, since the
mapping to Windows users works the way it does, we got a nice audit
trail (in the IIS logs) of activity-by-individual-user.

Now, with the introduction of AD/AM into all of this (or replacement of
AD by AD/AM, I think), I'm trying to understand how to "replicate" the
functionality described in the above paragraph.

If I'm understanding your (esp. Dmitri's comments), if we move to
JUST/ONLY AD/AM, we should be able to still have the client
authentication functionality (since that's built-in to IIS, I guess),
but we wouldn't be able to have IIS impersonate a Windows user (at least
not without some ASP additional code specifically for this?).

And, more to the point, we wouldn't be able to JUST CONFIGURE IIS in
such a way that it would include the user name of the Windows user (that
is associated with the authenticated client certificate) in the IIS
logs. It seems like, in order to accommodate this, we'd have to
implement/incorporate our own (ASP) application-level logging.

Is my understanding of your comments accurate/correct?

Thanks again in advance!!!




:

One thing to add: you can not impersonate an ADAM user in windows, so
none
of IIS auth methods will work for ADAM users, because they involve IIS
thread impersonating a windows user. You can get around by carrying
username/pwd around (in a session var or a cookie), and use them to
access
data in ADAM with ADSI or LDAP. Or you can always use IIS account to
access
data in ADAM -- but then you can't ACL adam objects for different adam
users..

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

(Cross posting to the 2003 AD newsgroup as that's typically where we
find
ADAM posts)

It's tough to answer this in a quick post without doing a copy/paste
of
the
white paper, but a few thoughts off of the top of my head:

1) ADAM would have an independent schema from your existing AD
infrastructure
2) ADAM could have many instances running on a single server whereas
for
each domain you had you would need at least one server (DC) to host
it.
3) ADAM has bind redirection which is nice for some applications.

On the flip side, advantages of AD:
1) It is a full domain, full security principals, kerberos, clients
joining
the domain, etc.
2) Group policy.
3) A big thing to remember: you can *NOT* ACL resources outside of
ADAM
with
ADAM users. So if you had an ADAM user and wanted to grant them access
to
a
file, strictly speaking, you can't do that. You would want AD for
that.

From a pure LDAP/ADSI perspective, you'll find them similar I think.

Others will probably have other suggestions/thoughts on the matter.
I'd suggest checking out the white paper to see some of the
recommended
ADAM
useage scenario's.

~Eric

--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights


Hi,

I have a Win2K3 Server system setup now, with IIS, Active Directory,
and
Certificate Server, and have been successful in issuing client
certificates from Certificate Server, and setting up IIS doing
client
authentication and using the Active Directory Mapping feature (so
sessions get logged in under Windows user names matching the client
certificates).

Now, I am looking into replacing Active Directory with the Active
Directory Application Mode (AD/AM). This would be a clean
installation
of Win2K3 Server.

I have just started to research this, but I was wondering what the
experience has been with AD/AM. From an operational standpoint
(both
administration and usage), what kinds of things will work
differently
when I use AD/AM vs. "regular" AD?

This would be for (purely) running a secure website (under IIS).

Thanks in advance!!!
 
O

Ohaya

Hi,

Sorry. The following:
But, I've also noted in my testing that if I remove ALL client
certificates from Users in Active Directory, but in the "Name Mapping"

SHOULD read:
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top