John M
09-22-2006, 04:18 PM
Is there any security issue with allowing Anonymous LDAP operations to Active Directory as described in this MS article?
http://support.microsoft.com/kb/326690/en-us
thanks
John
Joe Richards [MVP]
09-24-2006, 06:41 PM
There are information disclosure issues. Just enabling anonymous access
is the tip of what you have to do; you have to change ACLs or group
memberships to allow actual access to data. Once you do that you have
opened up the info in your directory not only to the anonymous processes
you know about but to all anonymous processes.
There is a reason that stuff is off by default...
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
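As an added offline audit helper (not code from the thread or from any of the posters) for the two-step point above: it takes a dsHeuristics value and a domain-NC security descriptor in SDDL form and reports whether the KB 326690 switch is on and whether any ACE actually grants ANONYMOUS LOGON access. It assumes that the 7th character of dsHeuristics being "2" is what enables anonymous LDAP operations and that ANONYMOUS LOGON is the well-known SID S-1-5-7 ("AN" in SDDL); the sample values are constructed.

```python
import re

# Assumptions (not from the thread): KB 326690 enables anonymous LDAP
# operations by setting character 7 of dsHeuristics to "2"; ANONYMOUS LOGON
# is the well-known SID S-1-5-7, alias "AN" in SDDL.
ANONYMOUS_LOGON = ("AN", "S-1-5-7")
ACE_RE = re.compile(r"\(([^)]*)\)")

def anonymous_ldap_enabled(ds_heuristics: str) -> bool:
    """True when character 7 is '2'; a short or absent value keeps the
    default, which blocks anonymous operations."""
    return len(ds_heuristics) >= 7 and ds_heuristics[6] == "2"

def validate_ds_heuristics(ds_heuristics: str) -> list:
    """Check before editing: every 10th character must equal its position
    divided by 10 ('1' at 10, '2' at 20, ...)."""
    return [f"char {pos} should be {pos // 10}, got {ds_heuristics[pos - 1]!r}"
            for pos in range(10, len(ds_heuristics) + 1, 10)
            if ds_heuristics[pos - 1] != str(pos // 10)]

def anonymous_aces(sddl: str) -> list:
    """Allow ACEs in the DACL whose trustee is ANONYMOUS LOGON."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]            # drop a trailing SACL, if any
    found = []
    for match in ACE_RE.finditer(dacl):
        fields = match.group(1).split(";")
        if len(fields) < 6:                  # malformed ACE, skip it
            continue
        ace_type, flags, rights, object_guid, _, trustee = fields[:6]
        if ace_type == "A" and trustee in ANONYMOUS_LOGON:
            found.append({"rights": rights, "object_guid": object_guid,
                          "inherited": "ID" in flags})
    return found

def audit(ds_heuristics: str, domain_nc_sddl: str) -> dict:
    """Classify exposure as the thread describes: the switch alone only lets
    anonymous clients bind; data is exposed once ACEs also grant access."""
    enabled = anonymous_ldap_enabled(ds_heuristics)
    aces = anonymous_aces(domain_nc_sddl) if enabled else []
    exposure = "blocked" if not enabled else ("exposed" if aces else "enabled_no_anon_aces")
    return {"anonymous_ops_enabled": enabled, "anon_aces": aces,
            "exposure": exposure, "problems": validate_ds_heuristics(ds_heuristics)}

# Constructed sample: the KB setting applied, plus a DACL granting ANONYMOUS
# LOGON generic read (RPLCLORC) on the domain naming context.
SAMPLE_DS_HEURISTICS = "0000002"
SAMPLE_SDDL = ("O:DAG:DAD:(A;;RPLCLORC;;;AN)"
               "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)")
print(audit(SAMPLE_DS_HEURISTICS, SAMPLE_SDDL))
```

In a real audit the two inputs come from the Directory Service object under Configuration (dsHeuristics) and from the domain naming context's nTSecurityDescriptor; the helper only does the offline evaluation.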
Brian Desmond [MVP]
09-24-2006, 11:28 PM
Let's look at this a different way. Why do you want to do this - what's the
business requirement?
--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services
www.briandesmond.com
John M
09-26-2006, 10:53 PM
We use an Oracle product called Express Analyzer. Sometimes the application
has problems logging into AD. Oracle support wants us to make this change.
My experience is that these Oracle 'support' people don't know anything
about Windows and even less about AD.
I don't understand how this would fix an intermittent problem with the
Oracle application. It should either read and authenticate with AD or not,
not work most of the time and sometimes not.
Here is the mumbo jumbo from Oracle support about this.
" The message that Express is getting back from the operating system is a
Microsoft error that states:
ERROR_NO_SUCH_LOGON_SESSION
1312 A specified logon session does not exist. It may already have been
terminated.
Which could be that a user has indeed authenticated properly and now that
session is no longer in existence as far as the OS is concerned and
therefore the next time Express attempts to authenticate this user the
failure occurs. Since Express performs many more checks than just the one at
session login time, to make sure the user/session has rights to access a file
or database object, the 1312 message could appear at any time. "
Thanks
John
Brian Desmond [MVP]
09-27-2006, 03:55 AM
Turning on anonymous binds isn't going to fix that, is my instinct. That's a
Win32 error, like they're trying to reuse an old token or something.
--
Thanks,
Brian Desmond
Joe Richards [MVP]
10-03-2006, 06:18 AM
I concur. Oracle should fix it without requiring that the MSFT security be
disabled. Alternately they can just admit they aren't Windows compatible.
--
Joe Richards Microsoft MVP Windows Server Directory Services