Change AD user password via LDAP - requires SSL Connection?


ohaya
10-04-2006, 08:35 AM
Hi,

I'm working on some Java code to change an AD user's password. From my
searching, it appears that if AD is on Win2K, that in order for this to
work, a secure connection, e.g., an SSL connection is necessary. I was
wondering if this is also the case with AD on Win2K3?

Thanks in advance!!

Jim

Paul Bergson
10-04-2006, 01:14 PM
Yes, you have to establish a secure connection with AD (Port 636).

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


ohaya
10-04-2006, 04:35 PM
Paul,

Thanks for the confirmation. When I was searching, I *thought* that I
had seen a post somewhere (I can't find it anymore :() that said that
this was something that had changed in Win2K3 (vs. Win2K).

In my testing here, I only have a Win2K AD, while our "production"
environment has a Win2K3 AD, so wanted to check. I guess I probably
really should stand up a Win2K3 AD for future testing :)...

Jim


Paul Bergson wrote:
> Yes, you have to establish a secure connection with AD (Port 636).
>

Joe Richards [MVP]
10-04-2006, 10:59 PM
You need a minimum level of LDAP encryption; this can be satisfied with
128 bit SSL as well as kerberos session encryption on 2K, and on K3 and
better you can use NTLM session encryption.

For instance, my adfind can set a user password with LDAP as long as you
specify the -kerbenc switch which actually enables LDAP_OPT_ENCRYPT (see
the Session Options documentation on MSDN).

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


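The two answers above say the same thing from different angles: AD will only accept a write to unicodePwd over a connection that is encrypted, either LDAPS on port 636 or a SASL-bound session with Kerberos/NTLM sealing (what adfind/admod's -kerbenc switch turns on through LDAP_OPT_ENCRYPT in the Windows LDAP client). The following Java/JNDI program is an added illustration written for this thread, not code from any poster or from joeware; the host name, DNs and passwords are placeholders. It shows both ways of getting an encrypted session from Java (LDAPS, or SASL GSSAPI with the "auth-conf" quality of protection, which is the JNDI-side equivalent of the sealing Joe describes, not the same option), and both kinds of password operation: an administrative reset (REPLACE) and a user's own change (REMOVE old value, ADD new value). The GSSAPI path assumes the JVM already holds a Kerberos ticket via a JAAS Krb5LoginModule configuration; the LDAPS path assumes the DC's certificate chains to a CA in the JVM trust store.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Added example: changing an AD password over an encrypted LDAP session from Java. */
public final class AdPasswordChange {

    /** AD requires the unicodePwd value as the new password, in double quotes, encoded UTF-16LE. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Option 1: LDAP over SSL/TLS on port 636 with a simple bind (the "Port 636" answer). */
    static DirContext connectLdaps(String dcHost, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + dcHost + ":636");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    /**
     * Option 2: plain port 389, but SASL GSSAPI (Kerberos) with confidentiality ("auth-conf"),
     * so the LDAP traffic is sealed by the Kerberos session key. Assumes a JAAS login has
     * already populated the current Subject with a TGT (or useSubjectCredsOnly=false plus a
     * Krb5LoginModule entry). Without "auth-conf" the bind succeeds but the session is in the
     * clear and the password write is refused.
     */
    static DirContext connectKerberosSealed(String dcHost) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + dcHost + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf");   // integrity + confidentiality
        env.put("javax.security.sasl.strength", "high");
        return new InitialDirContext(env);
    }

    /** Administrative reset: needs "Reset Password" rights on the user; old password not required. */
    static void resetPassword(DirContext ctx, String userDn, String newPassword) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    /** User self-service change: delete the old value and add the new one in a single modify. */
    static void changeOwnPassword(DirContext ctx, String userDn, String oldPassword, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; replace with your own DC, DNs and credentials.
        String dc = "dc1.example.test";
        String userDn = "CN=Jim,OU=Users,DC=example,DC=test";
        DirContext ctx = connectLdaps(dc, "CN=svc-pwreset,OU=Service,DC=example,DC=test", "SERVICE_PASSWORD");
        try {
            resetPassword(ctx, userDn, "N3w-Passw0rd!");
            System.out.println("password reset over LDAPS succeeded");
        } finally {
            ctx.close();
        }
    }
}
```

If the same modify is attempted over an unencrypted ldap:// session, AD refuses it with LDAP result 53 (unwillingToPerform) rather than silently accepting a plaintext password, so a failure with that code is the first thing to check when porting this code from a Win2K lab to a Win2K3 production forest. Both password operations also remain subject to the domain's password policy (length, complexity, minimum age), which surfaces as a constraint violation rather than as a transport error.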

ohaya
10-05-2006, 02:16 AM
Joe,

Thanks, as usual, for the info!!

Jim





Jorge de Almeida Pinto [MVP - DS]
10-05-2006, 09:49 PM
I think joe means ADMOD and not ADFIND ;-)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!

Joe Richards [MVP]
10-05-2006, 10:31 PM
Hehe. Good point, I don't know my own damn apps... ;o)

Though adfind has the -kerbenc switch as well, it doesn't change
anything. :)

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Jorge de Almeida Pinto [MVP - DS] wrote:
> I think joe means ADMOD and not ADFIND ;-)
>