Re: Active Directory Authentication in IIS 6



Thanks for the response Joe, but I am not able to get past the following
line...
Dim obj As Object = entry.NativeObject.

The error message is:
The parameter is incorrect
The Stack Trace is:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_NativeObject()
at NMOWeb.FormsAuth.LdapAuthentication.IsAuthenticated(String domain, String username, String pwd)

We just wanted to move this to a 2003 server, but it looks like we will need
to keep it on 2000 with IIS 5.1 until we can figure it out. The code works
flawlessly on IIS 5.1. Does this have something to do with KERBEROS or the
security settings in IIS 6?

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:er77KV1TGHA.5148@xxxxxxxxxxxxxxxxxxxxxxx
It isn't actually necessary to search the directory to find the user if
all you want to do is verify their credentials. A bind operation with the
DirectoryEntry is sufficient. I generally recommend people just bind
against the RootDSE object on the domain controller:

Dim entry As DirectoryEntry = New DirectoryEntry("LDAP://yourdomain.com/RootDSE", _
    "domain\user", "pwd", AuthenticationTypes.Secure)
Try
    'Touching NativeObject forces the bind, which is what verifies the credentials
    Dim obj As Object = entry.NativeObject
    Return True
Catch Ex As COMException
    'Make sure the HRESULT is actually "invalid credentials"
    If Ex.ErrorCode <> &H8007052E Then Throw
    Return False
Finally
    If Not entry Is Nothing Then entry.Dispose()
End Try

If you absolutely need to look up the user, you can.

It would be helpful to see the stack trace of the exception that is thrown
to see where the failure was as well.

Regarding AuthenticationTypes.None, don't use that with AD unless you add
SecureSocketsLayer. That forces an LDAP simple bind that passes your
credentials in plaintext on the network. Badness! "None" is often used
with ADAM to authenticate ADAM users, but it is still never secure unless
combined with some form of channel encryption.

AuthenticationTypes.Anonymous is not usually used with AD, as that
disables the Bind operation completely (which is exactly what you don't
want here since you need the bind to verify the credentials). In order to
use it, you must specify the credentials as empty strings. Note that AD
2003 doesn't actually let you do anything unless you bind, so I would not
expect this to do you any good. It is mostly for use with non-AD LDAP
directories that allow anonymous searches.

There are tons of details about this stuff in my upcoming book (available
in May).

Joe K.

"P Webster" <NOSPAM_REMpdwebster4@xxxxxxxxxxxxx> wrote in message
news:OGkprbtTGHA.1576@xxxxxxxxxxxxxxxxxxxxxxx
We recently moved a web site that validated user credentials in Active
Directory from IIS 5.1 to IIS 6, and the validation code no longer works.
The web.config file is set to Windows authentication because all we do is
verify the user on the login form so we can redirect them to the
appropriate page based on their group.
The code to authenticate is:
Public Function IsAuthenticated(ByVal domain As String, ByVal username As String, _
        ByVal pwd As String) As Boolean
    Dim domainAndUsername As String = domain & "\" & username
    Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndUsername, pwd)
    Try
        'Bind to the native AdsObject to force authentication.
        Dim obj As Object = entry.NativeObject
        Dim search As DirectorySearcher = New DirectorySearcher(entry)
        'Note: username goes into the filter unescaped, so a value containing
        'filter metacharacters such as * ( ) \ would alter the search.
        search.Filter = "(SAMAccountName=" & username & ")"
        search.PropertiesToLoad.Add("cn")
        Dim result As SearchResult = search.FindOne()
        If (result Is Nothing) Then
            Return False
        End If
        'Update the new path to the user in the directory.
        _path = result.Path
        _filterAttribute = CType(result.Properties("cn")(0), String)
    Catch ex As Exception
        Throw New Exception("Error authenticating user. " & ex.Message & _
            "<BR>" & ex.StackTrace.ToString)
    End Try
    Return True
End Function

In IIS 6, we have tried all possible combinations of directory security.

When we first moved the site to IIS 6, an error was generated by the above
code stating the parameter was incorrect, so we tried adding
AuthenticationTypes.None and AuthenticationTypes.Anonymous as the final
parameter for DirectoryEntry(... The result was a message returned as
"unknown user name or bad password." The user name and password entered
were correct, so I don't understand why that error was generated.

Any ideas would be greatly appreciated.

Paul
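The RootDSE bind Joe describes, combined with the user lookup Paul's code performs but with the username escaped before it is placed in the filter, as an added example that is not code from either post. Assumed here: the domain argument is a DNS domain name accepted both in the LDAP path and in the domain\user logon form; EscapeFilterValue and FindUserPath are helper names chosen for this example, and the objectCategory term in the filter is added here.

```vb
Imports System.DirectoryServices
Imports System.Runtime.InteropServices
Imports System.Text

Public Class LdapAuthentication
    ' HRESULT for ERROR_LOGON_FAILURE (0x8007052E): unknown user name or bad password.
    ' As a 32-bit hex literal this is a negative Integer, matching COMException.ErrorCode.
    Private Const LogonFailureHResult As Integer = &H8007052E

    ' Verify credentials with a secure (SSPI) bind against RootDSE. Only a genuine
    ' logon failure yields False; any other COM error is rethrown so that problems
    ' like "The parameter is incorrect" are not reported as bad credentials.
    Public Shared Function IsAuthenticated(ByVal domain As String, ByVal username As String, _
            ByVal pwd As String) As Boolean
        Dim entry As DirectoryEntry = Nothing   ' assumption: domain is the DNS domain name
        Try
            entry = New DirectoryEntry("LDAP://" & domain & "/RootDSE", _
                domain & "\" & username, pwd, AuthenticationTypes.Secure)
            Dim obj As Object = entry.NativeObject   ' touching NativeObject forces the bind
            Return True
        Catch ex As COMException
            If ex.ErrorCode <> LogonFailureHResult Then Throw
            Return False
        Finally
            If entry IsNot Nothing Then entry.Dispose()
        End Try
    End Function

    ' Escape a value for use inside an LDAP search filter (RFC 4515) so that
    ' * ( ) \ and NUL in the username cannot change the meaning of the filter.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case "\"c : sb.Append("\5c")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Optional lookup after a successful bind, for callers that really need the user object.
    Public Shared Function FindUserPath(ByVal domain As String, ByVal username As String, _
            ByVal pwd As String) As String
        Using entry As New DirectoryEntry("LDAP://" & domain, domain & "\" & username, _
                pwd, AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(entry)
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" & _
                    EscapeFilterValue(username) & "))"
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then Return Nothing
                Return result.Path
            End Using
        End Using
    End Function
End Class
```

Paul's stack trace places the failure inside Bind() itself, which is why an unexpected COMException is rethrown here rather than swallowed as a failed login.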
