How can I check what 3rd party applications are using LDAP/AD integration

    Question

  • Is there a way for me to increase logging so that I will be able to see what 3rd party applications are using LDAP/AD integration? We are looking to change our employee usernames so that they are uniform, but we don't have a list of all of the apps that are AD integrated. I'd also like to know if this will affect ADFS and our Office 365 implementation. I was thinking that we could also use Wireshark to sniff the traffic; however, I'm not sure how we would differentiate standard authentication vs a 3rd party application. Any advice will help, thanks.
    Saturday, December 3, 2016 1:32 AM

All replies

  • Hi Chris,

    Let's break it down into small points so you can connect the pieces together:

    a) We need to differentiate between applications using LDAP authentication and applications using LDAP queries.

    b) By default all domain users have permission to run LDAP queries, because by default all domain users have permission to read all AD objects.

    c) I would say that the applications using LDAP authentication would be the standard, most common apps like MS SQL, Exchange, SharePoint, IIS... basically everything could be doing AD authentication.

    d) I would say that apps using LDAP queries could be like Exchange, SharePoint, or some HR portals.

    By default there is no single solution that keeps track of this inventory. I know some 3rd party privileged access management solutions with some features; however, I didn't use one myself.

    Actually, your target is no doubt challenging somehow, as it's the same case for many organizations.

    Wireshark will give you some raw traffic, but it will also be challenging.

    hope this helps and please let us know if you have any questions


    Thanks Mahmoud

    • Proposed as answer by Todd Heron Saturday, December 3, 2016 2:06 PM
    Saturday, December 3, 2016 4:12 AM
  • Most AD integrated applications would use Windows Integrated Authentication, where they retrieve the user information from Windows (I used to use the SystemInfo object for this). Then the application can query for group membership (if relevant) and other information like full name. Anyone can query AD, and all queries I am aware of use LDAP (or are converted into LDAP), but I have never seen a way to track this. If an application queries AD it might do so as the user. However, many applications use a service account to run the related service, and this account could be used.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Saturday, December 3, 2016 1:33 PM
  • Active Directory Diagnostics logging may help you to know who is searching for what in AD.

    http://www.windowstricks.in/2013/06/active-directory-troubleshooting-part1.html


    Regards www.windowstricks.in

    Sunday, December 4, 2016 6:38 AM
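As an added example (not part of any reply in this thread), the following PowerShell builds on the diagnostics-logging suggestion above and on Mahmoud's split between LDAP queries and LDAP authentication. It enables the NTDS "Field Engineering" logging that produces event 1644 (searches) and the "LDAP Interface Events" logging that produces event 2889 (simple or unsigned binds), then summarises the Directory Service log by client address. The registry value names and event IDs are the documented Windows ones; the regular expressions that pull the client address, identity and filter out of the event text assume the English message format and are an assumption that may need adjusting to your DC's output.

```powershell
# Added example, not the thread's own code. Run elevated on each domain
# controller (every DC only sees its own clients). Tested against the
# documented NTDS registry locations; message parsing is an assumption.

$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapSearchLogging {
    # Level 5 on "15 Field Engineering" makes the DC write event 1644 to the
    # Directory Service log for searches that cross the thresholds below.
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord

    # Lower the thresholds so ordinary application searches are logged, not
    # only expensive ones. 1 ms on the time threshold (2012 R2 and later)
    # captures almost every search, so expect a large log volume.
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value 1 -Type DWord
    Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value 1 -Type DWord
    Set-ItemProperty -Path $params -Name 'Search Time Threshold (msecs)'        -Value 1 -Type DWord

    # Level 2 on "16 LDAP Interface Events" logs event 2889 for every client
    # that performs a simple (cleartext) bind or an unsigned SASL bind, which
    # is how many LDAP-authenticating apps (Mahmoud's point a) show up.
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Disable-LdapSearchLogging {
    Set-ItemProperty -Path $diag -Name '15 Field Engineering'     -Value 0 -Type DWord
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 0 -Type DWord
}

function Get-LdapClientInventory {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644, 2889; StartTime = $since
    } -ErrorAction SilentlyContinue

    # Assumption about the message text: 1644 carries "Client: ip:port" and a
    # "Filter:" line; 2889 carries "Client IP address: ip:port" and
    # "Identity the client attempted to authenticate as: DOMAIN\user".
    $rows = foreach ($e in $events) {
        $client = if ($e.Message -match 'Client(?: IP address)?:\s*([0-9a-fA-F\.\:\[\]]+):\d+') { $matches[1] } else { 'unknown' }
        $ident  = if ($e.Message -match 'authenticate as:\s*(\S+)') { $matches[1] } else { '' }
        $filter = if ($e.Message -match 'Filter:\s*(.+?)\r?\n') { $matches[1].Trim() } else { '' }
        [pscustomobject]@{ Id = $e.Id; Client = $client; Identity = $ident; Filter = $filter }
    }

    $rows | Group-Object Id, Client, Identity | ForEach-Object {
        [pscustomobject]@{
            EventId      = $_.Group[0].Id
            Client       = $_.Group[0].Client
            Identity     = $_.Group[0].Identity
            Count        = $_.Count
            SampleFilter = ($_.Group | Where-Object Filter | Select-Object -First 1).Filter
        }
    } | Sort-Object Count -Descending
}

# Usage:
#   Enable-LdapSearchLogging
#   ... let it run through a normal business day on every DC ...
#   Get-LdapClientInventory -Hours 24 | Format-Table -AutoSize
#   Disable-LdapSearchLogging
```

The output is an inventory of client addresses (and, for binds, the identity used), not application names; the next step is mapping each address back to a server and the service account or filter it uses, which is where the per-application list for the username change comes from. Applications that authenticate with Windows Integrated Authentication (Kerberos or NTLM), as Richard describes, never perform an LDAP bind and will not appear in event 2889; those are visible only through the Security log logon events on the DCs. Because the thresholds are lowered to 1, turn the logging off again once the capture window is over, as the event volume on a busy DC is significant.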
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, December 9, 2016 5:53 AM
    Moderator