How can we improve Azure Active Directory?

← Azure Active Directory

Fix PAM API to not use impersonation for Active Directory

In some patch or another the PAM API was altered to call Active Directory in the callers contexts. Which for Constrained Delegation means you have to add the SPN for LDAP for all your domain controllers.

According to my brief read of the code it seems it only does this to... find the users expiration date.

For AD reads, use the service accounts identity, not impersonation.

Relevant blog post:
https://www.steadyblog.com/microsoft-identity-manager-sp1-pam-rest-api-requests-either-fail-with-http-404-or-500-when-calling-remotely/

1 vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Eirik Haver shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

0 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment

Azure Active Directory: Microsoft Identity Manager

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice