Anyone that would like to explain a bit better the differences between AD/NT and LDAP Authentication against a Win2003 Domain Controller?
They seem really similar in functionality (they allow password expiration change, they allow single sign-on, it's possible to create roles on domain/LDAP groups and so on).
The only difference I saw is that using AD/NT I see traffic going to almost every DC in my domain (but it seems it's not using the "right" one on the site on which the SA resides), while LDAP tries to authenticate on the defined LDAP servers.
What's the real difference between them?
I saw that using AD/NT as primary authentication and RSA as secondary, it uses domain\user as <username>, so RSA will not authenticate (checking the manual, it seems I should use <NTUSER> instead of <USERNAME>).
Are there any pros/cons to using AD/NT or LDAP?
The answer to your question could be like a book in size.
LDAP is mainly used in case you want to do role mappings based on attributes in user accounts, which is something you cannot do using AD as an authentication server. Please be sure to add the attributes you want to use, or make sure they are in the LDAP server catalog (Auth Servers > Your LDAP server > Server catalog option), before using them in any of your role mapping rules.
Regarding USER vs USERNAME: in every auth method the two are equal, apart from LDAP, where USER = DOMAIN\username (e.g. contoso\jdoe) and USERNAME = username (e.g. jdoe).
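To make the two points of that answer concrete, here is an added example (my own code, not anything shipped with the SA or written by the poster). It splits a submitted login into the <USER> and <USERNAME> values the answer describes, and then evaluates a small set of attribute-based role mapping rules against an LDAP entry. The entry, the rule format and the `RoleRule`/`map_roles` names are constructed for illustration and are not the appliance's own rule engine; the only real-world detail assumed beyond the thread is that bit 0x2 of Active Directory's `userAccountControl` attribute marks a disabled account.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of what an LDAP search against a Windows DC might
# return for one user. Values are lists because LDAP attributes are
# multi-valued; memberOf in particular usually carries several group DNs.
SAMPLE_LDAP_ENTRY: Dict[str, List[str]] = {
    "sAMAccountName": ["jdoe"],
    "memberOf": [
        "CN=VPN-Users,OU=Groups,DC=contoso,DC=com",
        "CN=Finance,OU=Groups,DC=contoso,DC=com",
    ],
    "department": ["Finance"],
    "userAccountControl": ["512"],  # 512 = NORMAL_ACCOUNT, not disabled
}

ACCOUNTDISABLE = 0x0002  # AD userAccountControl flag (assumed, see lead-in)


def split_login(login: str) -> Dict[str, Optional[str]]:
    """Return the variables the answer describes for a typed login.

    'contoso\\jdoe' -> USER='contoso\\jdoe', USERNAME='jdoe', DOMAIN='contoso'
    'jdoe'          -> USER='jdoe',          USERNAME='jdoe', DOMAIN=None
    """
    m = re.fullmatch(r"(?:([^\\]+)\\)?([^\\]+)", login)
    if not m:
        raise ValueError(f"unexpected login format: {login!r}")
    domain, name = m.group(1), m.group(2)
    return {"USER": login, "USERNAME": name, "DOMAIN": domain}


@dataclass(frozen=True)
class RoleRule:
    """Hypothetical rule: grant `role` when any value of `attribute`
    matches `pattern` (a regex, case-insensitive)."""
    role: str
    attribute: str
    pattern: str


# Constructed rules: one on a group DN, one on a plain attribute, and one
# that should not fire for the sample user.
RULES: List[RoleRule] = [
    RoleRule("vpn-basic", "memberOf", r"^CN=VPN-Users,"),
    RoleRule("finance-apps", "department", r"^Finance$"),
    RoleRule("admins", "memberOf", r"^CN=Domain Admins,"),
]


def account_disabled(entry: Dict[str, List[str]]) -> bool:
    """True if the ACCOUNTDISABLE bit is set in userAccountControl.
    Missing or non-numeric values are treated as disabled (fail closed)."""
    try:
        uac = int(entry.get("userAccountControl", ["x"])[0])
    except ValueError:
        return True
    return bool(uac & ACCOUNTDISABLE)


def map_roles(entry: Dict[str, List[str]], rules: List[RoleRule]) -> List[str]:
    """Evaluate every rule against the entry's attributes.

    An attribute that is absent from the entry (e.g. because it was never
    added to the server catalog) simply never matches, which is the
    failure mode the answer warns about."""
    if account_disabled(entry):
        return []
    granted: List[str] = []
    for rule in rules:
        values = entry.get(rule.attribute, [])
        if any(re.search(rule.pattern, v, re.IGNORECASE) for v in values):
            granted.append(rule.role)
    return granted


if __name__ == "__main__":
    print(split_login("contoso\\jdoe"))
    print(map_roles(SAMPLE_LDAP_ENTRY, RULES))
```

Note the last point in the comment on `map_roles`: a rule that references an attribute the appliance never fetched does not error, it just never matches, so a missing catalog entry shows up as users silently landing in the wrong (or no) role rather than as an obvious failure.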
Thanks for the answer. So in the end it seems better to use LDAP.
Just a little clarification regarding single sign-on... What happens in regard to it?
Does LDAP authentication then work with Kerberos/NTLM single sign-on on internal web sites and Windows file shares?
Yes, if possible, LDAP is best.
SSO works without an issue to websites and file shares. The only thing that *may* change is that if your login requires the domain to be specified, you would need to provide it statically rather than have it included in the <USER> variable.