Re: Query AD using Integrated Authentication?

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 07/27/04


Date: Tue, 27 Jul 2004 15:24:11 -0500

You don't have a password with integrated auth, so essentially, you are
trying to do a bind with a username and a blank password. That won't work
for sure and if you try it very often, you'll lock out that poor user.

The way you have to do this with WIA is to impersonate the logged on user
(via your web.config) and don't supply any credentials. Then, ADSI will use
the credentials of the current security context (the user you are
impersonating) to contact AD.

The trick here is that if the AD server is on a different machine (very
likely), you'll need Kerberos delegation to get this impersonation to
work. Read these articles:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

Good luck,

Joe K.

"Dave" <Dave@discussions.microsoft.com> wrote in message
news:0FAA654B-B390-416D-99F8-18F0E39D226C@microsoft.com...
> Hi,
>
> I want to query AD for user's information once they are logged in.
>
> Under Basic authentication, this worked fine using the code below.
>
> However, when I switched to Integrated for an intranet site, the FindOne()
> bombs with "Logon failure: unknown user name or bad password". I don't know
> how to pass the username/password information while using Integrated
> Security. Is there a way to do this?
>
> System.DirectoryServices.DirectoryEntry entry = new
>     System.DirectoryServices.DirectoryEntry("GC://mycompanydomain.com",
>         HttpContext.Current.Request.ServerVariables["AUTH_USER"],
>         HttpContext.Current.Request.ServerVariables["AUTH_PASSWORD"]);
> System.DirectoryServices.DirectorySearcher search = new
>     System.DirectoryServices.DirectorySearcher(entry);
>
> search.Filter = "(sAMAccountName=" + sSAMAccountName + ")";
> search.PropertiesToLoad.Add("sAMAccountName");
> search.PropertiesToLoad.Add("cn");
> search.PropertiesToLoad.Add("givenName");
> search.PropertiesToLoad.Add("sn");
> search.PropertiesToLoad.Add("mail");
> search.PropertiesToLoad.Add("telephoneNumber");
>
> System.DirectoryServices.SearchResult result = search.FindOne();
>
>
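The approach Joe describes, written out as an added example (this is not code from Joe's or Dave's posts). It assumes web.config contains `<authentication mode="Windows" />` and `<identity impersonate="true" />`, that IIS has anonymous access disabled and Integrated Windows Authentication enabled, that the GC path "GC://mycompanydomain.com" and the attribute names are the ones from Dave's snippet, and that the application runs on .NET 2.0 or later (for `WindowsIdentity.ImpersonationLevel`). The delegation check and the filter-escaping helper are additions of this example, not something the thread prescribes.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class AdLookup
{
    // Escape a value before splicing it into an LDAP filter (RFC 4515),
    // so a crafted account name cannot change the meaning of the query.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // True when the current token can be used for a network hop to a DC on
    // another machine: either a primary token (not impersonating, so the
    // process account's own credentials are used) or an impersonation token
    // at Delegation level, which is what Kerberos delegation produces.
    public static bool TokenCanReachRemoteAd(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.None
            || id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Look up the impersonated caller's own record without supplying any
    // credentials; ADSI binds with the thread's security context.
    public static SearchResult FindCurrentUser(string gcPath)
    {
        WindowsIdentity who = WindowsIdentity.GetCurrent();

        // Under IWA without delegation the token is only Impersonation level:
        // good for local resources, useless for a bind to a remote DC.  Fail
        // with a meaningful message instead of the generic "Logon failure".
        // (Assumption: the DC is on another machine, as Joe expects.)
        if (!TokenCanReachRemoteAd(who))
        {
            throw new InvalidOperationException(
                "Impersonating " + who.Name + " with a " + who.ImpersonationLevel +
                " token; a bind to a remote DC needs Delegation level. " +
                "Configure Kerberos delegation for the web server (KB 329986/810572).");
        }

        // null username and password = use the current security context.
        // AuthenticationTypes.Secure selects Negotiate (Kerberos/NTLM), so the
        // password is never sent as a simple bind.
        using (DirectoryEntry root = new DirectoryEntry(gcPath, null, null,
                                                        AuthenticationTypes.Secure))
        using (DirectorySearcher search = new DirectorySearcher(root))
        {
            // who.Name is DOMAIN\user; sAMAccountName is the part after the slash.
            string sam = who.Name.Substring(who.Name.IndexOf('\\') + 1);
            search.Filter = "(&(objectCategory=person)(sAMAccountName=" +
                            EscapeFilterValue(sam) + "))";
            search.PropertiesToLoad.AddRange(new string[] {
                "sAMAccountName", "cn", "givenName", "sn", "mail", "telephoneNumber" });
            return search.FindOne();   // null when no such account exists
        }
    }

    // First value of an attribute, or "" when the GC did not return it.
    public static string Attr(SearchResult r, string name)
    {
        if (r == null || !r.Properties.Contains(name) || r.Properties[name].Count == 0)
            return "";
        return r.Properties[name][0].ToString();
    }
}

// Usage from a page, e.g. in Page_Load (path is an assumption from Dave's post):
//   SearchResult me = AdLookup.FindCurrentUser("GC://mycompanydomain.com");
//   string mail = AdLookup.Attr(me, "mail");
```

Two things bite in practice. First, delegation only works when the browser authenticated with Kerberos rather than NTLM, which means the site needs a correct SPN and the web server (or the app pool account) must be marked trusted for delegation; an NTLM logon yields an Impersonation-level token and the guard above will throw. Second, because the bind uses the caller's own token, a lockout from repeated bad binds, the problem Joe warns about with blank passwords, cannot occur here: there is no password in play at all.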
