Question

RambabuVegula-8734 asked:

gMSA account to bind to Microsoft AD

Hi,

Currently we are using User DN and password to BIND to Microsoft AD with port 636 for secure connection.

We would like to use gMSA accounts to BIND instead of specifying the User DN and Password, to eliminate the overhead of updating the credentials at regular intervals.
At a high level, the same way we use gMSA accounts to connect to a database with a database driver.

Is there a possibility to achieve this?

Regards,
Rambabu

windows-active-directory

Hi Rambabu,

Thanks for posting here.

Hope something here might be helpful.
https://community.splunk.com/t5/Security/how-to-bind-to-AD-using-MSAs/m-p/93151

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

Best regards,
Hannah Xiong


1 Answer

piaudonn answered:

In theory yes.

But you cannot use a bind method that requires providing a password. If you are using a DN, it makes me think you are using a simple bind. gMSA accounts can't do a simple bind, as they can't do logons that require a password to be provided. You would have to change the way your application is working. If the application runs as a Windows service, you could configure the service to run with the gMSA and then have the code use GSS-API (and Kerberos or NTLM) to bind to your domain controllers, as opposed to a simple bind.

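The contrast the answer draws, as an added example that is not code from this thread or from any product: the simple bind the question describes (DN plus a stored password) next to a Negotiate bind that uses the token of the process, which is the gMSA's token when the service or scheduled task runs as the gMSA. It uses the .NET System.DirectoryServices.Protocols API from PowerShell. The domain controller name dc01.contoso.com, the search base DC=contoso,DC=com, the gMSA name svc-ldapapp and the user jdoe are placeholders, not values from the thread.

```powershell
# Added example (not from the thread). Placeholder names: dc01.contoso.com, DC=contoso,DC=com, svc-ldapapp, jdoe.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcFqdn = 'dc01.contoso.com'   # FQDN, not an IP: Kerberos needs the ldap/<fqdn> SPN, otherwise Negotiate falls back to NTLM
$baseDn = 'DC=contoso,DC=com'

function New-LdapsConnection {
    # LDAPS on 636 as in the question; protocol version 3 is required for a SASL/Negotiate bind
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcFqdn, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    return $conn
}

# Before: simple bind. The password is a secret the application must store and rotate itself.
function Connect-LdapSimpleBind {
    param([string]$UserDn, [string]$Password)
    $conn = New-LdapsConnection
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($UserDn, $Password)
    $conn.Bind()
    return $conn
}

# After: Negotiate (Kerberos, with NTLM fallback) through SSPI. No Credential is set, so the bind
# uses the token of the running process. When the service or scheduled task runs as the gMSA, that
# token is the gMSA's and Windows fetched the managed password from AD; the code never sees it.
function Connect-LdapNegotiateBind {
    $conn = New-LdapsConnection
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()
    return $conn
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a login name passed in from the web tier cannot alter the filter
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Get-UserGroupDns {
    # The lookup the asker's application performs: the memberOf DNs of a user, over the bound connection
    param([System.DirectoryServices.Protocols.LdapConnection]$Conn, [string]$SamAccountName)
    $filter = '(&(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, $filter, 'Subtree', 'memberOf')
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$Conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) { return @() }
    $attr = $resp.Entries[0].Attributes['memberOf']
    if ($null -eq $attr) { return @() }          # user with no group membership has no memberOf attribute
    return @($attr.GetValues([string]))
}

# Host-side check before deploying (ActiveDirectory module): $true means this computer is allowed
# to retrieve the gMSA's managed password, which is what the Negotiate bind depends on.
Test-ADServiceAccount -Identity 'svc-ldapapp'

# Exercise the bind. Run this from the service or a scheduled task registered to run as the gMSA;
# an interactive session binds as the logged-on user, not as the gMSA.
$conn = Connect-LdapNegotiateBind
Get-UserGroupDns -Conn $conn -SamAccountName 'jdoe'
$conn.Dispose()
```

Connect-LdapSimpleBind is kept only to show what the Negotiate variant replaces; nothing in the script calls it. If Test-ADServiceAccount returns $false, the computer account has not been granted PrincipalsAllowedToRetrieveManagedPassword on the gMSA and the service will fail to start as that account before any LDAP bind is attempted.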

Hi Piaudonn,

This helped us in starting our research towards enabling Kerberos in our application.

Thank you for your response.

Regards,
Rambabu


Our application is an interface between a Web application and MS AD. We also need to get the group information for the user who logs into the Web application in order to control access to resources.

If we use NTLM or Kerberos, is it possible to get the Group Names the user is part of from MS AD along with the authentication performed successfully?

Or is there a way to get the bind done without providing the password (MS AD expects UserDN and Password for bind, but we don't want to provide the credentials due to various reasons), just like we use gMSA accounts to connect to a database using a database driver without a password?

Regards,
Rambabu

piaudonn replied to RambabuVegula-8734:

2 things:

  1. You can do Kerberos (or NTLM) over LDAP. So you can still use LDAP if you wish; it just changes the calls the code makes to the directory. Instead of using a simple bind, use the GSS-API and use an actual authentication protocol (LDAP is not an authentication protocol, although it could be used as such...).

  2. You don't need LDAP to get the current user's group membership. It is in their Kerberos ticket. So if the user accesses an application and authenticates with Kerberos, the application has access to the groups without making any additional call (it has worked that way for more than 20 years, actually).

Maybe you need to review the code at this point.

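Point 2 of the reply, as an added example that is not code from this thread: group membership read from the Windows token that Kerberos authentication produced, with no LDAP call. The current process identity stands in for the authenticated web user; the statement that an IIS application with Windows authentication gets the same object from its request context is an assumption about the hosting environment, and CONTOSO\App-Admins is a placeholder group name.

```powershell
# Added example (not from the thread). Group membership from the token, not from the directory.
function Get-TokenGroups {
    param([System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent())
    # Groups holds the SIDs carried in the ticket's PAC; the DC already expanded nested membership.
    # The list reflects membership at logon time: a user added to a group needs a new ticket to see it.
    foreach ($sid in $Identity.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $null }   # SID of a deleted group cannot be resolved; keep the SID
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Test-GroupMembership {
    # The access-control decision the application needs, answered from the token alone
    param(
        [string]$GroupName,
        [System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    return $principal.IsInRole($GroupName)
}

function Get-AuthenticationDetail {
    # Which protocol produced the token. 'Kerberos' is what the reply recommends; 'NTLM' means the
    # SPN or DNS name did not line up and Negotiate fell back, which is worth alerting on.
    param([System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent())
    [pscustomobject]@{
        User               = $Identity.Name
        AuthenticationType = $Identity.AuthenticationType
        ImpersonationLevel = $Identity.ImpersonationLevel
    }
}

Get-AuthenticationDetail
Get-TokenGroups | Format-Table -AutoSize
Test-GroupMembership -GroupName 'CONTOSO\App-Admins'   # placeholder group name
```

In an IIS application with Windows authentication enabled (assumption about the host), the identity to pass to these functions is the request's user identity cast to WindowsIdentity rather than GetCurrent(), which would return the application pool's own account.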

Thank you for your valuable inputs.

Apart from LDAP, Kerberos and NTLM, is there any other way to connect to Active Directory and extract the users and groups?

Any pointers to documentation?

Regards,
Rambabu
