Re: LDAP - Error Obtaining Group Names



If you are interested in using the ActiveDirectoryMembershipProvider (which
is a good idea if you are using .NET 2.0 and doing forms auth but want to
authenticate against AD), it comes with ASP.NET, so I'd start with
documentation there. There are also some good books out there on it. It
isn't really my area of specialization, so I don't actually have any good
examples.

My co-author put together a somewhat experimental
"ActiveDirectoryRoleProvider" that uses LDAP to look up group membership and
plug that back into the role provider framework in order to complement the
membership provider. For some reason, MS decided not to ship a matching AD
role provider with ASP.NET.

If you want some more details on the lower level stuff (actually use
System.DirectoryServices), there are some good resources at my book's
website (link below). Ch 10 (available as a free download from a link on
the main page) talks a lot about user management and has some good examples
of doing group membership expansion at the end. Ch 12 (not free, but in the
book) talks about authentication approaches. You can also steal all of the
code in various formats as a free download from the site. Those things
should help get you started into looking at various better solutions.

My other recommendation is to use integrated or basic auth in IIS with
ASP.NET and skip the forms auth altogether. You get much tighter
integration with AD this way and it all "just works" (no code). Your web
server must be a domain member though.

Best of luck!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Kevin Humphreys" <KevinHumphreys@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:2CABAB76-81C1-4729-8926-68008C6CF84D@xxxxxxxxxxxxxxxx
Hi Joe,
Many thanks for your feedback on this.
I would really appreciate it if you can provide me some suggestions on
better ways to do this. I cannot see the newsgroup posts.

Do you have any information on the AD membership provider in .NET 2.0?

Best Regards,
Kevin Humphreys.

"Joe Kaplan" wrote:

My guess is that the current security context (however you have that
defined in your app) cannot connect to AD itself, so when you try to build
a DirectoryEntry to use as your SearchRoot for the DirectorySearcher, the
bind fails. You could get around this by supplying the same credentials you
used for the DirectoryEntry for the authenticate function in the GetGroups
function. An even simpler idea would be to combine both of them together
and just add memberOf to PropertiesToLoad for the initial DirectorySearcher.

That said, I hate this KB article and have commented many times on its lack
of quality. The technique they show for authentication does not scale and
does not work with multiple domains and does more than just verify the
credentials, which is all an authentication function should do. Their group
extraction code is naive and misses nested groups while including
non-security (distribution) groups. I've suggested numerous better ways to
do this stuff in previous newsgroup posts and have written about a bunch of
these topics in my book as well.

I also recommend using the AD membership provider in .NET 2.0, if
necessary adding in an LDAP-based role provider.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Kevin Humphreys" <KevinHumphreys@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:3B7A7EF4-B488-4558-A9D8-3AC934995BE7@xxxxxxxxxxxxxxxx
Hi There,
I am having trouble obtaining the group information for an authenticated
AD user.
I followed the procedure from the article below.
http://support.microsoft.com/default.aspx?scid=kb%3bEN-US%3b326340

The AD Authentication works because all works when I comment out
Dim groups as string = adAuth.GetGroups() in the Login_Click section.
However if I try to execute the line above I get the following error
"Error authenticating. Error obtaining group names. An operations error
occurred"

Any help is appreciated here to try and resolve this.

Thanks In Advance,
Kevin Humphreys.
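As an added example (not code from this thread, from the KB article, or from Joe's book): a single credentialed System.DirectoryServices lookup that does what Joe's earlier reply quoted above suggests, binding with explicit credentials for both the search and the follow-up read, and that swaps the KB's memberOf walk for the tokenGroups attribute so nested membership is already expanded and distribution groups are left out. The LDAP path, bind account and sAMAccountName are assumed parameters.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not code from the thread or from Joe's book. Assumes an AD
// domain reachable at ldapPath and a bind account with read access to users.
public static class AdGroupLookup
{
    public static List<string> GetSecurityGroups(string ldapPath, string bindUser,
                                                 string bindPassword, string samAccountName)
    {
        var groups = new List<string>();
        // Bind with explicit credentials rather than the ASP.NET process identity;
        // a failed implicit bind here is what surfaces as "An operations error occurred".
        using (var root = new DirectoryEntry(ldapPath, bindUser, bindPassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilter(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            if (hit == null) return groups;

            // Reuse the same credentials for the second bind instead of a new implicit one.
            using (var user = new DirectoryEntry(hit.Path, bindUser, bindPassword, AuthenticationTypes.Secure))
            {
                // tokenGroups is a constructed attribute and must be requested explicitly.
                // It lists the SIDs of every security group the user belongs to, nested
                // membership already expanded, and omits distribution groups.
                user.RefreshCache(new[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    var sid = new SecurityIdentifier(sidBytes, 0);
                    try { groups.Add(sid.Translate(typeof(NTAccount)).Value); }
                    catch (IdentityNotMappedException) { groups.Add(sid.Value); } // SID with no resolvable name
                }
            }
        }
        return groups;
    }

    // RFC 4515 escaping so a user-supplied name cannot change the meaning of the filter.
    static string EscapeFilter(string v) =>
        v.Replace("\\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
}
```

Because tokenGroups is computed by the domain controller, the user DirectoryEntry must be bound directly to a DC in the user's own domain (not a global catalog), which is also why a single implicit bind from the web server's context tends to fail in the way Kevin describes.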