2
votes

You can see an example of accessing LDAP using the InitialLdapContext class in Java in the following posts:

http://forums.sun.com/thread.jspa?threadID=603815

http://forums.devshed.com/ldap-programming-76/active-directory-services-using-java-api-89586.html

This requires a login and password to be passed in (even though the service account or user running the Java process has already logged in to be able to run).

As the user or service account is already logged in, they can already run Active Directory commands like the following without a user name or password:

dsquery user -samid "login" |dsget user -samid -email -display

So why does Java need the login password if this query is already available to Windows? Kohsuke hints, under the conclusion of this blog post, that it is not required:

https://community.oracle.com/blogs/kohsuke/2008/06/12/more-active-directory-integration-java

How can we call Active Directory in Java without:

  • using a login or password (running under an account that is already logged in)?
  • executing a command on the command line?

1 Answer

3
votes

This probably occurs because

  • You are using LDAP libraries/contexts to communicate with Active Directory, and these libraries need to support other types of LDAP (does AD even count as LDAP?)
  • The providers of these implementations are the ones requiring it. LDAP communication is done through providers that supply the implementation; it is not done by the actual Java runtime.
  • The current user's password is not (I hope) actually provided by Windows to Java.

When Windows authenticates you against AD as you run applications that require it, it presents some other set of credentials besides your actual password. These credentials are not available in Java, or at least none of the providers of LDAP communicators have provided a way to retrieve them.

In his other blog post on the subject, Kohsuke expands a bit more on why things are the way they are in Java-land when it comes to Active Directory.
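As an added example (not code from the question, the answer, or Kohsuke's posts): the JNDI LDAP provider can bind with the SASL GSSAPI mechanism, which lets Java present the Kerberos ticket the logged-in account already holds instead of a password, and the query below mirrors the dsquery/dsget lookup from the question. It assumes a JAAS configuration entry named ADLogin that uses Krb5LoginModule with useTicketCache=true, a domain controller dc01.example.com, and a search base DC=example,DC=com; all of those names are placeholders to replace with your own.

```java
// Added example: look up a user's e-mail and display name in Active Directory
// with the caller's existing Kerberos ticket. No password appears in the code.
//
// Run with, for example:
//   java -Djava.security.auth.login.config=jaas.conf AdKerberosLookup jsmith
// where jaas.conf (a hypothetical file name) contains:
//   ADLogin {
//     com.sun.security.auth.module.Krb5LoginModule required
//       useTicketCache=true doNotPrompt=true;
//   };
// and the realm/KDC come from krb5.ini or from
// -Djava.security.krb5.realm=... -Djava.security.krb5.kdc=...

import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class AdKerberosLookup {

    // Placeholder values: use your DC's DNS name (not an IP), since the
    // GSSAPI bind requests the ldap/<host> service ticket for this host name.
    private static final String LDAP_URL = "ldap://dc01.example.com:389";
    private static final String SEARCH_BASE = "DC=example,DC=com";
    private static final String JAAS_ENTRY = "ADLogin";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: AdKerberosLookup <sAMAccountName>");
            System.exit(2);
        }
        final String samAccountName = args[0];

        // 1. Pick up the Kerberos credentials of the account running the JVM.
        //    With useTicketCache=true the login module reads the existing TGT
        //    from the ticket cache rather than prompting for a password.
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject subject = lc.getSubject();

        // 2. Run the LDAP query as that Subject; the JNDI GSSAPI mechanism
        //    uses the credentials associated with the current thread.
        String result = Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Negotiate integrity and confidentiality: satisfies DCs that
            // require LDAP signing and keeps the results off the wire in clear.
            env.put("javax.security.sasl.qop", "auth-conf");

            LdapContext ctx = new InitialLdapContext(env, null);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"sAMAccountName", "mail", "displayName"});

                // Parameterised filter: the provider substitutes and escapes {0},
                // so a caller-supplied account name cannot inject filter syntax.
                NamingEnumeration<SearchResult> hits = ctx.search(
                        SEARCH_BASE, "(&(objectClass=user)(sAMAccountName={0}))",
                        new Object[] {samAccountName}, sc);
                if (!hits.hasMore()) {
                    return "no such user: " + samAccountName;
                }
                Attributes a = hits.next().getAttributes();
                return attr(a, "sAMAccountName") + "  " + attr(a, "mail")
                        + "  " + attr(a, "displayName");
            } finally {
                ctx.close();
            }
        });
        System.out.println(result);
        lc.logout();
    }

    private static String attr(Attributes a, String name) throws NamingException {
        return a.get(name) == null ? "" : String.valueOf(a.get(name).get());
    }
}
```

Two caveats when running this on a domain-joined Windows box: the JDK's Krb5LoginModule can only read the ticket cache held by the Windows LSA when the DWORD allowtgtsessionkey is set to 1 under HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters (otherwise the login fails and, with doNotPrompt=true, there is no fallback to a password), and the provider URL must name the domain controller by its DNS host name so the Kerberos service ticket can be obtained.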