Re: Retrieving User's Groups from Active Directory using ASP.NET

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 09/28/04

    Date: Tue, 28 Sep 2004 14:32:27 -0500
    
    

    This is a security context problem that is very common in ASP.NET. It can
    be rectified a number of ways, including using specific domains and
    credentials in your DirectoryEntry objects or changing the identity that
    ASP.NET is running under. There are more details here:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

    Additionally, this is a very bad approach for discovering a user's group
    membership for security purposes. I know it is based on published MS
    samples, but they are still bad. MemberOf includes non-security groups and
    doesn't include nested group membership or the primary group.
    Additionally, you shouldn't use the CN of the group name for security
    purposes as a group with that name may exist in multiple containers.
    Instead, you should use a domain-unique security name such as the
    samAccountName of the group.

    The better approach is to look up group membership using tokenGroups. There
    are numerous samples posted on the web and newsgroups that show how to do
    this. A Google search will find them easily.

    Joe K.

    "L Magarian" <LMagarian@discussions.microsoft.com> wrote in message
    news:A84183AC-B3D1-4818-A6C8-944AFDF445AB@microsoft.com...
    > The error is: "The specified domain either does not exist or could not be
    > contacted ", and is thrown by the FindOne() method.
    > The path I'm using looks like LDAP://company.com/CN=My Name,OU=User
    > Accounts,OU=Accounts,DC=company,DC=com
    >
    > This is the method I'm using to get the user's groups:
    >
    > public string GetGroups()
    > {
    >     // _path is the LDAP path to the user object, _filterAttribute its CN
    >     DirectorySearcher search = new DirectorySearcher(_path);
    >     search.Filter = "(cn=" + _filterAttribute + ")";
    >     search.PropertiesToLoad.Add("memberOf");
    >     StringBuilder groupNames = new StringBuilder();
    >
    >     SearchResult result = search.FindOne();
    >     if (result == null)
    >     {
    >         return null; // no object matched the filter
    >     }
    >     int propertyCount = result.Properties["memberOf"].Count;
    >     int equalsIndex, commaIndex;
    >
    >     for (int i = 0; i < propertyCount; i++)
    >     {
    >         // each memberOf value is a group DN, e.g. CN=Group,OU=...,DC=...
    >         String dn = (String)result.Properties["memberOf"][i];
    >
    >         equalsIndex = dn.IndexOf("=", 1);
    >         commaIndex = dn.IndexOf(",", 1);
    >         if (-1 == equalsIndex)
    >         {
    >             return null;
    >         }
    >         // take the value of the first RDN (the group's CN)
    >         groupNames.Append(dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1));
    >         groupNames.Append("|");
    >     }
    >     return groupNames.ToString();
    > }
    >
    >
    >
    > "Paul Clement" wrote:
    >
    >> On Tue, 28 Sep 2004 01:51:03 -0700, "L Magarian"
    >> <LMagarian@discussions.microsoft.com> wrote:
    >>
    >> ¤ I'm using forms based authentication and LDAP to authenticate a user against
    >> ¤ Active Directory. This is working fine.
    >> ¤
    >> ¤ The point where I'm stuck is retrieving the groups this user is assigned.
    >> ¤
    >> ¤ My web server and active directory servers are different machines. When I
    >> ¤ test by deploying the web app on the active directory machine it does work.
    >> ¤ However, I will not be able to employ this work around in the production
    >> ¤ setting.
    >> ¤
    >> ¤ Can anyone advise me as to how to retrieve these user groups?
    >> ¤
    >> ¤ Are there special settings for searching the Active Directory when running a
    >> ¤ web app off a different server?
    >>
    >> Could you indicate what type of error you are receiving and identify the
    >> line of code where it occurs?
    >>
    >>
    >> Paul ~~~ pclement@ameritech.net
    >> Microsoft MVP (Visual Basic)
    >>
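The tokenGroups approach Joe recommends, written out as an added example (this is not code from the thread or from Microsoft's samples): it binds with explicit credentials as the KB article suggests, reads the constructed tokenGroups attribute, and resolves every SID to the group's domain-unique sAMAccountName in one objectSid search. The user DN, domain DNS name and service-account parameters are assumptions supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not code from the thread. Credentials, user DN and domain
// name are placeholders supplied by the caller.
public static class TokenGroupLookup
{
    // Returns the sAMAccountName of every security group in the user's token:
    // direct, nested and primary group, unlike memberOf.
    public static List<string> GetSecurityGroups(string userDn, string domainDnsName,
                                                 string serviceUser, string servicePassword)
    {
        var groups = new List<string>();
        var filter = new StringBuilder("(|");

        // Bind with explicit credentials so the ASP.NET process identity is irrelevant.
        using (var user = new DirectoryEntry("LDAP://" + domainDnsName + "/" + userDn,
                                             serviceUser, servicePassword, AuthenticationTypes.Secure))
        {
            // tokenGroups is a constructed attribute and must be requested explicitly.
            user.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] sid in user.Properties["tokenGroups"])
                filter.Append("(objectSid=").Append(EscapeBinary(sid)).Append(')');
        }
        filter.Append(')');

        // One search resolves all SIDs to domain-unique sAMAccountNames.
        using (var root = new DirectoryEntry("LDAP://" + domainDnsName, serviceUser,
                                             servicePassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root, filter.ToString(),
                                                    new[] { "sAMAccountName" }))
        using (SearchResultCollection results = searcher.FindAll())
        {
            foreach (SearchResult r in results)
                groups.Add((string)r.Properties["sAMAccountName"][0]);
        }
        return groups;
    }

    // LDAP filters cannot carry raw bytes: escape each byte as \XX (RFC 2254).
    private static string EscapeBinary(byte[] data)
    {
        var sb = new StringBuilder(data.Length * 3);
        foreach (byte b in data) sb.Append('\\').Append(b.ToString("X2"));
        return sb.ToString();
    }
}
```

Compare the returned names against the sAMAccountName of the group you authorize on, not its CN, since the same CN can exist in several containers.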

