Re: Active Directory Authentication in IIS 6
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 24 Mar 2006 11:14:53 -0600
The parameter error could be Kerberos-related. What exact value are you
using for the path in this case? Is it possible that you are using the
incorrect DNS domain name in your path? Were you using the code I posted or
your own?
It could be Kerberos-related and it might have something to do with the
security settings in IIS6, but it might not too.
Joe K.
"P Webster" <NOSPAM_REMpdwebster4@xxxxxxxxxxxxx> wrote in message
news:OqaVpI2TGHA.6048@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the response Joe, but I am not able to get past the following
line...
Dim obj As Object = entry.NativeObject.
The error message is:
The parameter is incorrect
The Stack Trace is
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at
System.DirectoryServices.DirectoryEntry.Bind() at
System.DirectoryServices.DirectoryEntry.get_NativeObject() at
NMOWeb.FormsAuth.LdapAuthentication.IsAuthenticated(String domain, String
username, String pwd)
We just wanted to move this to a 2003 server, but it looks like we will
need to keep it on 2000 with IIS 5.1 until we can figure it out. The code
works flawlessly on IIS 5.1. Does this have something to do with KERBEROS
or the security settings in IIS 6?
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:er77KV1TGHA.5148@xxxxxxxxxxxxxxxxxxxxxxx
It isn't actually necessary to search the directory to find the user if
all you want to do is verify their credentials. A bind operation with
the DirectoryEntry is sufficient. I generally recommend people just bind
against the RootDSE object on the domain controller:
entry = New DirectoryEntry("LDAP://yourdomain.com/RootDSE","domain\user";,
"pwd", AuthenticationTypes.Secure)
Try
Dim obj As Object = entry.NativeObject
Return True
Catch Ex As COMException
'Make sure the HRESULT is actually "invalid credentials"
If Ex.ErrorCode <> &H8007052e Then Throw
Return False
Finally
If Not entry Is Nothing Then Entry.Dispose()
End Try
If you absolutely need to look up the user, you can.
It would be helpful to see the stack trace of the exception that is
thrown to see where the failure was as well.
Regarding authenticationtypes.None, don't use that with AD unless you add
SecureSocketsLayer. That forces an LDAP simple bind that passes your
credentials in plaintext on the network. Badness! "None" is often used
with ADAM to authenticate ADAM users, but it is still never secure unless
combined with some form of channel encryption.
AuthenticationTypes.Anonymous is not usually used with AD, as that
disables the Bind operation completely (which is exactly what you don't
want here since you need the bind to verify the credentials). In order
to use it, you must specify the credentials as empty strings. Note that
AD 2003 doesn't actually let you do anything unless you bind, so I would
not expect this to do you any good. It is mostly for use with non-AD
LDAP directories that allow anonymous searches.
There are tons of details about this stuff in my upcoming book (available
in May).
Joe K.
"P Webster" <NOSPAM_REMpdwebster4@xxxxxxxxxxxxx> wrote in message
news:OGkprbtTGHA.1576@xxxxxxxxxxxxxxxxxxxxxxx
We recently moved a web site that validated user credentials in Active
Directory from IIS 5.1 to IIS 6, and the validation code no longer
works.
The web.config file is set to Windows authentication because all we do
is
verify the user on the login form so we can redirect them to the
appropriate
page based on their group.
The code to authenticate is:
Public Function IsAuthenticated(ByVal domain As String, ByVal username
As
String, ByVal pwd As String) As Boolean
Dim domainAndUsername As String = domain & "\" & username
Dim entry As DirectoryEntry = New DirectoryEntry(_path,
domainAndUsername, pwd)
Try
'Bind to the native AdsObject to force authentication.
Dim obj As Object = entry.NativeObject
Dim search As DirectorySearcher = New DirectorySearcher(entry)
search.Filter = "(SAMAccountName=" & username & ")"
search.PropertiesToLoad.Add("cn")
Dim result As SearchResult = search.FindOne()
If (result Is Nothing) Then
Return False
End If
'Update the new path to the user in the directory.
_path = result.Path
_filterAttribute = CType(result.Properties("cn")(0), String)
Catch ex As Exception
Throw New Exception("Error authenticating user. " & ex.Message &
"<BR>" & ex.StackTrace.ToString)
End Try
Return True
End Function
In IIS 6, we have tried all possible combinations of directory security.
When we first moved the site to IIS 6, an error was generated by the
above
code stating the parameter was incorrect, so we tried adding
AuthenticationTypes.None and AuthenticationTypes.Anonymous as the final
parameter for DirectoryEntry(... The result was a message returned as
"unknown user name or bad password. The user name and password entered
were
correct, so I don't understand why that error was generated.
Any ideas would be greatly appreciated.
Paul
.
- Follow-Ups:
- Re: Active Directory Authentication in IIS 6
- From: P Webster
- Re: Active Directory Authentication in IIS 6
- References:
- Active Directory Authentication in IIS 6
- From: P Webster
- Re: Active Directory Authentication in IIS 6
- From: Joe Kaplan \(MVP - ADSI\)
- Re: Active Directory Authentication in IIS 6
- From: P Webster
- Active Directory Authentication in IIS 6
- Prev by Date: Re: Active Directory Authentication in IIS 6
- Next by Date: Re: Active Directory Authentication in IIS 6
- Previous by thread: Re: Active Directory Authentication in IIS 6
- Next by thread: Re: Active Directory Authentication in IIS 6
- Index(es):
Relevant Pages
|
