Re: Active Directory Authentication in IIS 6

---

• From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Fri, 24 Mar 2006 09:11:55 -0600

---

It isn't actually necessary to search the directory to find the user if all
you want to do is verify their credentials. A bind operation with the
DirectoryEntry is sufficient. I generally recommend people just bind
against the RootDSE object on the domain controller:

entry = New DirectoryEntry("LDAP://yourdomain.com/RootDSE","domain\user";,
"pwd", AuthenticationTypes.Secure)
Try
Dim obj As Object = entry.NativeObject
Return True
Catch Ex As COMException
'Make sure the HRESULT is actually "invalid credentials"
If Ex.ErrorCode <> &H8007052e Then Throw
Return False
Finally
If Not entry Is Nothing Then Entry.Dispose()
End Try

If you absolutely need to look up the user, you can.

It would be helpful to see the stack trace of the exception that is thrown
to see where the failure was as well.

Regarding authenticationtypes.None, don't use that with AD unless you add
SecureSocketsLayer. That forces an LDAP simple bind that passes your
credentials in plaintext on the network. Badness! "None" is often used
with ADAM to authenticate ADAM users, but it is still never secure unless
combined with some form of channel encryption.

AuthenticationTypes.Anonymous is not usually used with AD, as that disables
the Bind operation completely (which is exactly what you don't want here
since you need the bind to verify the credentials). In order to use it, you
must specify the credentials as empty strings. Note that AD 2003 doesn't
actually let you do anything unless you bind, so I would not expect this to
do you any good. It is mostly for use with non-AD LDAP directories that
allow anonymous searches.

There are tons of details about this stuff in my upcoming book (available in
May).

Joe K.

"P Webster" <NOSPAM_REMpdwebster4@xxxxxxxxxxxxx> wrote in message
news:OGkprbtTGHA.1576@xxxxxxxxxxxxxxxxxxxxxxx

We recently moved a web site that validated user credentials in Active
Directory from IIS 5.1 to IIS 6, and the validation code no longer works.
The web.config file is set to Windows authentication because all we do is
verify the user on the login form so we can redirect them to the
appropriate
page based on their group.
The code to authenticate is:
Public Function IsAuthenticated(ByVal domain As String, ByVal username As
String, ByVal pwd As String) As Boolean
Dim domainAndUsername As String = domain & "\" & username
Dim entry As DirectoryEntry = New DirectoryEntry(_path,
domainAndUsername, pwd)
Try
'Bind to the native AdsObject to force authentication.
Dim obj As Object = entry.NativeObject
Dim search As DirectorySearcher = New DirectorySearcher(entry)
search.Filter = "(SAMAccountName=" & username & ")"
search.PropertiesToLoad.Add("cn")
Dim result As SearchResult = search.FindOne()
If (result Is Nothing) Then
Return False
End If
'Update the new path to the user in the directory.
_path = result.Path
_filterAttribute = CType(result.Properties("cn")(0), String)
Catch ex As Exception
Throw New Exception("Error authenticating user. " & ex.Message &
"<BR>" & ex.StackTrace.ToString)
End Try
Return True
End Function

In IIS 6, we have tried all possible combinations of directory security.

When we first moved the site to IIS 6, an error was generated by the above
code stating the parameter was incorrect, so we tried adding
AuthenticationTypes.None and AuthenticationTypes.Anonymous as the final
parameter for DirectoryEntry(... The result was a message returned as
"unknown user name or bad password. The user name and password entered
were
correct, so I don't understand why that error was generated.

Any ideas would be greatly appreciated.

Paul

.

---

• Follow-Ups:
  • Re: Active Directory Authentication in IIS 6
    • From: P Webster

• References:
  • Active Directory Authentication in IIS 6
    • From: P Webster

• Prev by Date: Re: Forms Authentication and dynamic folders
• Next by Date: Re: Active Directory Authentication in IIS 6
• Previous by thread: Active Directory Authentication in IIS 6
• Next by thread: Re: Active Directory Authentication in IIS 6
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: LDIFDE Error when trying to change passwords. ... The SASL bind (with -b and specific credentials) is only needed if you don't ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... (microsoft.public.windows.server.active_directory) Re: Mixing authentication type flags & By design Bug from MS ? ... Additionally, if you want to force a Kerberos bind, you ... can specify Delegation in addition to Secure, ... That said, if you specify credentials, it should use the credentials you ... (microsoft.public.dotnet.security) Re: Problem in Change Password ! ... I did not say to bind with admin credentials, I said to bind with the user's ... server to another..... ... (microsoft.public.windows.server.active_directory) Re: LDAP ... LDAP protocol and the bind function to bind to AD to verify a user's ... separate account for this and what permissions it needs to query the ... what I was saying is that you don't need to query anything to ... do a bind to verify credentials. ... (microsoft.public.windows.server.active_directory) Re: ADAM Authentication ... Changing to simple bind seem to work. ... sUserName = "Mary Baker" ... Dim dsSystem As New DirectorySearcher ... authenticate, also will not authenticate using the "LDP" utility. ... (microsoft.public.windows.server.active_directory)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.dotnet.framework.aspnet.security  > 2006-03