Re: accessing users' email from Active Directory



Your code uses "serverless binding", in that it does not supply a server or
domain name in the binding string. You have LDAP://<SID=xxxx>. A path with
a server name might look like LDAP://domain.com/<SID=xxxx>.

Serverless binding is cool, but it only works if the current security
context (WindowsIdentity.GetCurrent().Name) is a domain account. If it is a
local machine account, it fails. Anytime you supply a domain name hint or a
full domain controller name, you can work around this.

The other issue though is that you also need a domain security context to
access the directory if you don't supply credentials. If the current
security is a local machine account, it is not very likely that it will be
able to log into AD.

You can always use the current user's security context to access AD (since
you have their WindowsIdentity) by enabling impersonation, but if they were
authenticated in IIS via IWA, you'll also need to implement Kerberos
delegation when the browser is on a different machine than the web server
and the domain controller is on a different server from the web server
(which I hope it is!).

Joe K.

"tMan" <tMan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:40CD40BD-F1C0-472E-9A42-F3EEC0349E06@xxxxxxxxxxxxxxxx
// ASP.NET 2.0, VS.NET 2005: (authentication mode = Windows) //
i'm trying to access/display current users' email from AD. works fine when i
run it in debug mode. however, when i publish the website and access the
page, i get a "The specified domain either does not exist or could not be
contacted" error. anyone know the cause for this error?

Thanks
-tMan

code:
------
Dim de As New DirectoryEntry()
Dim userIdentity As System.Security.Principal.WindowsIdentity = _
    CType(HttpContext.Current.User.Identity, _
    System.Security.Principal.WindowsIdentity)
de.Path = "LDAP://<SID=" + userIdentity.User.Value + ">"
'de.Path = "LDAP://" + ctx.UserDn
statusLabel.Text = de.Properties("mail").Value.ToString()
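
The lookup with a domain name in the binding string, performed under the authenticated user's identity as the reply describes. This is an added example, not code from either poster. The module and function names are hypothetical, and "domain.com" is the placeholder domain from the reply.

```vbnet
Imports System.Diagnostics
Imports System.DirectoryServices
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web

Public Module AdMailLookup
    ' Assumption: placeholder domain from the reply; use your own domain's
    ' DNS name or a specific domain controller name here.
    Private Const DomainHint As String = "domain.com"

    ' Builds LDAP://domain.com/<SID=...> instead of the serverless
    ' LDAP://<SID=...>, so the bind does not depend on the process
    ' account being a domain account to locate a domain controller.
    Public Function BuildSidPath(ByVal sid As SecurityIdentifier) As String
        Return "LDAP://" & DomainHint & "/<SID=" & sid.Value & ">"
    End Function

    ' Returns the user's mail attribute, or Nothing if unavailable.
    Public Function GetCurrentUserMail() As String
        Dim userIdentity As WindowsIdentity = _
            TryCast(HttpContext.Current.User.Identity, WindowsIdentity)
        If userIdentity Is Nothing OrElse userIdentity.User Is Nothing Then
            Return Nothing ' request was not Windows-authenticated
        End If

        ' Bind as the browser user rather than the worker process account,
        ' so the application account needs no directory rights of its own.
        ' With IWA and a remote domain controller this second hop still
        ' requires Kerberos delegation, as the reply notes.
        Dim ctx As WindowsImpersonationContext = userIdentity.Impersonate()
        Try
            Using de As New DirectoryEntry(BuildSidPath(userIdentity.User), _
                    Nothing, Nothing, AuthenticationTypes.Secure)
                Dim mail As Object = de.Properties("mail").Value
                If mail Is Nothing Then Return Nothing ' attribute not set
                Return mail.ToString()
            End Using
        Catch ex As COMException
            ' Log server-side only; do not echo directory errors to the page.
            Trace.TraceWarning("AD mail lookup failed: " & ex.Message)
            Return Nothing
        Finally
            ctx.Undo() ' always revert to the process identity
        End Try
    End Function
End Module
```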

