Friday, April 8, 2011

UserProxy Class and ADAM / LDS

In this blog post I will be talking about the UserProxy Class which is used to create UserProxy Objects in ADAM / LDS Partitions.

ADAM = 2003 and prior name
LDS = Windows Server 2008 name
ADAM = Active Directory Application Mode
LDS = Lightweight Directory Service

They are both the same thing!

For LDS to forward authentication requests onto Active Directory we need to use UserProxy objects. These are objects get created in an application directory partition within an LDS instance.

In LDAP sense connecting to a database/object is often referred to as binding.

ProxyObjects allow you to use bind redirection, ADAM can accept and process bind requests to an ADAM proxy object that contains as one of its attributes the security ID (SID) from an Active Directory security principal. With ADAM, you can use bind redirection to provide Active Directory users with access to both ADAM data and Active Directory data, using Active Directory domain credentials as a single sign-on (SSO). In addition, you can use ADAM proxy objects to store user data that is specific to a particular application in ADAM, while using Active Directory to store more widely used directory data.

Bind redirection enables a user to bind to ADAM by means of a simple bind while still using Active Directory credentials. Other types of binding with Active Directory credentials work without requiring a proxy, but a simple bind does not. Proxy binding works only for a simple bind.

The ADAM .ldf files, which you can import into the ADAM schema during ADAM setup, contain an object definition for the object userProxy, which can be used for bind redirection. This object contains attributes that include a distinguished name and a SID. By creating a userProxy object in ADAM—specifying a distinguished name to be used for binding—and by using a valid SID from an Active Directory user account, you can bind to ADAM using bind redirection.

There are 4 "types" of users class objects provided by Microsoft:
- InetOrgPerson (the universal standard for LDAP users)
- User (the Microsoft standard lol)
- Organizational-Person (I have never used this)
- UserProxy

There are three default LDF files which you can use to create the userProxy class object in the ADAM/LDS Instance schema. These all exist in the default ADAM folder in your ADAM installation. These LDF files are the ones I was referring to above.

MS-UserProxy.ldf - contains the definitions for the userProxy class only.
MS-InetOrgPerson.ldf - Contains the definitions for all user classes including InetOrgPerson, User, Organizational-Person and userProxy.
MS-User.ldf - Contains definitions for all user classes excluding the InetOrgPerson class.

When would you want to use a userProxy object. Well you may have an external company that has an application that needs to authenticate with objects (such as users) in your Active Directory domain. Creating userProxy objects allows you to have ADAM authenticate logon credentials using AD usernames and passwords from the a domain controller without the application connecting to a domain controller. userProxy objects are very similar to AD and ADAM User objects except they do not store passwords and has an objectSID attribute that contains the SID from the linked AD User object. The SID of the userProxy object matching the User object in Active Directory is key - this is how the proxy works!

You can create userProxy objects using ADSIEdit console or using command line tools however this can be tedious. You can do this automatically for all users in an AD domain partition if you setup something like ADAMSync to synchronize. If you are preparing to use ADAMSync you need to perform the schema expantions on the ADAM partition for ADAMSync to work. You also must import the same Schema extension as your AD FFL to ensure all attributes you wish to sync exist in the ADAM instance schema. There are templates for this in the ADAM folder such as MS-AdamSchemaW2K3.LDF which is the 2003 FFL (Forest Functional Level) schema. When performing syncronization you create an LDAP configuration file which states exactly which attributes will be synced.

By default a SSL certificate required when using Userproxy objects however you can modify this by editing the configuration partition:

CN=Directory Service,CN=Windows NT, CN=Services, CN=Configuration

Change the Attribute RequiresSecureProxyBind from 1 to 0.

The reason it requires SSL by default is to encrypt the user and password information when being transmitted. ADAM does not support kerberos v5, so you must use Secure LDAP (LDAP with SSL Certificate) to protect information. You can use self signed certificates using something like selfssl.exe from the IIS Resource Kit or an internal PKI... or even public if you wish to spend money.

To be able to create UserProxy objects we must extend the ADAM schema to ensure the UserProxy class exists. Objects are created from Class objects.

One more thing, if your going to use userProxy, make sure the ADAM server is a member of the domain that trusts the AD users matching the SIDs in the userProxy objects. If the ADAM server is not a member of the domain they won't work as bind proxies as bind proxies rely on the underlying Windows security infrastructure to be able to forward the authentication to Windows/AD.

What happens if there is more then one domain? The ADAM server can only be a member of one domain! Will userProxy be able to forward authentication requests on to the appropriate domain over the trust links?

The answer is yes, user proxy objects can forward authentication requests over forest trusts, parent child trusts and tree root trusts.

I hope you have learnt something today, I have! Tip:

Buy Brian Desmonds [MVP - Directory Services] book, Active Directory forth edition. Its an awesome read:


  1. Hi,

    installing and configuring active directory light weight service - windows server 2008 r2 step by steps