Wednesday, April 22, 2020

Global Catalog (GC) lookups, SQL Server Windows authentication for WildFly, and how to download a server certificate from the command line.


LDAP access on port 3268 (or 3269 for LDAP over TLS) to a local agency Global Catalog server allows searching the entire forest for users. Below is an example in PowerShell. First, if I point Get-AdUser at my local DC (dc1) on the normal LDAP port 389 with a search base in the dc2 domain, it returns no user information for dc2 at all, because dc1 only holds its own domain partition, and just returns an error:

Get-AdUser -Server dc1.domain.com:389 -SearchBase 'DC=dc2,DC=domain,DC=com' -Filter {UserPrincipalName -like "dc2user@domain.com"}


Get-AdUser -Server dc1.domain.com:389 -SearchBase 'DC=dc2,DC=domain,DC=com' -Filter {SAMAccountName -like "dc2user"}



Get-AdUser : The supplied distinguishedName must belong to one of the following partition(s): 'CN=Configuration,DC=domain,DC=com , CN=Schema,CN=Configuration,DC=domain,DC=com, DC=dc2,DC=domain,DC=com
, DC=DomainDnsZones,DC=dc2,DC=domain,DC=com, DC=ForestDnsZones,DC=domain,DC=com'.
At line:1 char:1
+ Get-AdUser -Server dc1.domain.com -SearchBase 'DC=dc2,DC=domain,DC=com' -Fi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser



However, if I use the Global Catalog port (3269 here, which is the GC over TLS; 3268 is the plaintext GC port), I can search for dc2 users, or indeed users anywhere in the forest. Note that the ActiveDirectory module talks to the DC over Active Directory Web Services rather than raw LDAP, so the port given in -Server only selects the GC view; dc1 itself must be a Global Catalog for this to work:

Get-AdUser -Server dc1.domain.com:3269 -SearchBase 'DC=dc2,DC=domain,DC=com' -Filter {UserPrincipalName -like "dc2user@domain.com"}


Get-AdUser -Server dc1.domain.com:3269 -SearchBase 'DC=dc2,DC=domain,DC=com' -Filter {SAMAccountName -like "dc2user"}


Global Catalogs let you get information about any user in the forest without having to go to every single DC directly. If you are building an LDAP integration that must work for users from multiple domains, using local GCs is the quickest and most reliable way to do it without adding extra logic to find the correct DC. Two caveats for a raw LDAP client: the GC holds only the partial attribute set, so attributes not in it must be read from a DC of the user's home domain, and sAMAccountName is unique only within a domain, so match on userPrincipalName (or check for duplicate hits) when resolving a login name forest-wide. Prefer 3269 (TLS) over 3268 so credentials and directory data are not sent in the clear.
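The lookup described above, generalized to the case where you do not know which domain holds the account, as an added example (not code from the original post): it locates a GC through DC Locator instead of hard-coding dc1, searches every partition in the forest with an empty search base, rejects ambiguous sAMAccountName matches, and then goes to a DC in the user's home domain for attributes the GC does not replicate. The domain name and account (domain.com, dc2user) are the placeholders used in the post; the attribute list is an assumption chosen for illustration.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-ForestUser {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # sAMAccountName or UPN
        [string] $GlobalCatalog                      # optional: FQDN of a GC to use
    )
    if (-not $GlobalCatalog) {
        # Let DC Locator pick a Global Catalog in the current site instead of hard-coding dc1.
        $GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
                         Select-Object -First 1
    }

    # UPNs are unique across the forest; sAMAccountNames only within one domain.
    $filter = if ($Identity -like '*@*') { "UserPrincipalName -eq '$Identity'" }
              else                       { "SamAccountName -eq '$Identity'" }

    # Port 3268 selects the GC view. With an empty SearchBase the AD module searches
    # every partition in the forest. Only the partial attribute set comes back here.
    $hits = @(Get-ADUser -Server "$($GlobalCatalog):3268" -SearchBase '' -Filter $filter -ErrorAction Stop)

    if ($hits.Count -eq 0) { throw "No user '$Identity' found anywhere in the forest." }
    if ($hits.Count -gt 1) {
        # Same sAMAccountName in two domains: refuse rather than silently pick one.
        throw "Ambiguous '$Identity': $($hits.DistinguishedName -join '; ')"
    }

    # Derive the home domain from the DC= components of the DN, then ask a DC there
    # for attributes that are not replicated to the GC (assumed list, for illustration).
    $homeDomain = ($hits[0].DistinguishedName -split ',' |
                   Where-Object { $_ -like 'DC=*' } |
                   ForEach-Object { $_.Substring(3) }) -join '.'
    $homeDc = (Get-ADDomainController -Discover -DomainName $homeDomain).HostName |
              Select-Object -First 1

    Get-ADUser -Server $homeDc -Identity $hits[0].DistinguishedName `
               -Properties memberOf, lastLogonTimestamp, 'msDS-UserPasswordExpiryTimeComputed'
}

# Same two lookups as in the post, without knowing in advance that the account lives in dc2:
Find-ForestUser -Identity 'dc2user'
Find-ForestUser -Identity 'dc2user@domain.com'
```

The second Get-ADUser uses the distinguishedName from the GC hit as the identity, so no second search is needed; the home DC returns the full attribute set for that one object. If a plain LDAP client (such as a WildFly LDAP realm) does the same thing, the equivalent is a search against port 3268/3269 followed by a base-scope read of the returned DN against a DC of the domain named in its DC= components.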
-------------------------------------------------------------------------------------------------
SQL Server Windows authentication
1) Put the JDBC driver's native authentication DLL in wildflyhome\bin: mssql-jdbc_auth-8.2.2.x64.dll for Microsoft JDBC Driver 8.2.2 (newer driver versions ship mssql-jdbc_auth-<version>.<arch>.dll), or sqljdbc_auth.dll for older driver versions. Use the one that matches the driver JAR, and the DLL's bitness must match the JVM. standalone.bat runs with bin as the working directory, which the JVM searches for native libraries; otherwise point -Djava.library.path at the folder holding the DLL.
2) In the datasource definition set integratedSecurity=true and leave the credentials empty. The connection then authenticates as the Windows account the WildFly process runs under (the service account), so that account, not a SQL login, must be granted access to mydb:
     <connection-url>jdbc:sqlserver://myserverurl;databaseName=mydb;integratedSecurity=true</connection-url>
     <security>
         <user-name></user-name>
         <password></password>
     </security>
----------------------------------------------------------------------------------------------------
Downloading the LDAP server certificate from the command line
keytool -printcert -sslserver ldapserver.domain.com:3269
(prints the chain the server presents; add -rfc to get it in Base64 PEM form)

openssl s_client -showcerts -connect ldapserver.domain.com:3269
s_client stays connected waiting for input once the handshake is done; type Q (or press Ctrl+C) to end the session.
The Base64 string between the BEGIN CERTIFICATE and END CERTIFICATE lines is the certificate; save it to a file and import it into the truststore WildFly uses for LDAP.
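The same certificate fetch done from PowerShell, as an added example that is not part of the original post: it performs the TLS handshake against port 3269, shows the fields a client would validate (subject, SAN, issuer, expiry, thumbprint), reports whether the local Windows store already trusts the chain (the JVM's truststore is separate, which is why the import is needed at all), writes the certificate as PEM with the same BEGIN/END CERTIFICATE framing openssl prints, and then imports it with keytool. The host name, output file names, alias and store password are placeholders.

```powershell
# Added example, not part of the original post. Host, file, alias and password are placeholders.
function Get-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 3269,                     # GC over TLS; use 636 for a plain LDAPS DC
        [string] $OutFile = "$Server.pem"
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Validation callback returns $true so the handshake completes even for an
        # untrusted cert: the point is to SEE the certificate, not to trust it.
        # Never copy this callback into a real client.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    # Does Windows already trust the chain? The JVM truststore does not inherit this.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trustedByWindows = $chain.Build($cert)

    [pscustomobject]@{
        Subject          = $cert.Subject
        SubjectAltName   = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                            ForEach-Object { $_.Format($false) })
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        Thumbprint       = $cert.Thumbprint
        TrustedByWindows = $trustedByWindows
    } | Format-List | Out-Host

    # DER -> Base64 in 64-character lines, framed exactly as openssl s_client -showcerts prints it.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    $pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
    Set-Content -Path $OutFile -Value $pem -Encoding ascii
    return $OutFile
}

# Fetch, inspect, then import into a JKS truststore for WildFly (check the thumbprint
# against what the AD team expects before running the import).
$pemFile = Get-LdapsCertificate -Server 'ldapserver.domain.com'
& keytool -importcert -noprompt -alias ldapserver -file $pemFile `
          -keystore ldap-truststore.jks -storepass changeit
```

If the server presents a certificate issued by an internal CA, import the CA certificate rather than the leaf so the truststore survives the next renewal; the Issuer field printed above tells you which CA that is, and -printcert -sslserver shows the full chain.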
----------------------------------------------------------------------------------------------------
nltest /dclist:domain.div.com                         list all DCs in the domain by name
nslookup domain.div.com                               resolve the domain name; the A records returned are the DCs' IPs
nslookup (interactive)                                set type=SRV, then query _ldap._tcp.dc._msdcs.domain.div.com to list DCs
                                                      (and _gc._tcp.<forest root DNS name> to list Global Catalogs)
netstat -a -o                                         listening and established ports with the owning PID (look for 389/636/3268/3269)

dsa.msc                                               Active Directory Users and Computers
dsquery server                                        list DCs (dsquery server -forest for the whole forest, -isgc for Global Catalogs only)
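The DNS and port checks above, combined into one PowerShell function as an added example (not from the original post): it reads the SRV records DC Locator registers (_ldap._tcp.dc._msdcs.<domain> for every DC, _gc._tcp.<forest root> for Global Catalogs only), marks which DCs are GCs, and probes the LDAP, LDAPS and both GC ports on each, which is the quickest way to find out why a WildFly LDAP realm cannot reach 3268 or 3269 from a given host. domain.div.com is the placeholder from the post; the forest root is assumed to be the same name unless given.

```powershell
# Added example, not part of the original post. Needs the DnsClient and NetTCPIP modules (Windows 8 / 2012 or later).
function Test-DcPorts {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $ForestRoot = $Domain,              # _gc._tcp lives in the forest root zone, not in child domains
        [int[]]  $Ports = @(389, 636, 3268, 3269)    # LDAP, LDAPS, GC, GC over TLS
    )
    # Same data nltest /dclist and nslookup show, read directly from the SRV records.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object QueryType -eq 'SRV'
    $gcs = Resolve-DnsName -Name "_gc._tcp.$ForestRoot" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object QueryType -eq 'SRV'

    foreach ($dc in $dcs | Sort-Object Priority, NameTarget) {
        $isGc = @($gcs.NameTarget) -contains $dc.NameTarget
        foreach ($port in $Ports) {
            # A non-GC will legitimately refuse 3268/3269; that is not a firewall problem.
            $expected = $isGc -or $port -in 389, 636
            $open = Test-NetConnection -ComputerName $dc.NameTarget -Port $port `
                                       -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC            = $dc.NameTarget
                GlobalCatalog = $isGc
                Port          = $port
                Open          = $open
                Note          = if ($open -eq $expected) { '' } elseif ($expected) { 'expected open: firewall?' } else { 'open on non-GC' }
            }
        }
    }
}

Test-DcPorts -Domain 'domain.div.com' | Format-Table -AutoSize
```

Run it from the WildFly host rather than from an admin workstation: the question is what that server can reach, and netstat -a -o on the DC only tells you what is listening, not what the path between the two allows.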
-----------------------------------------------------------------------------------------

