Re: WindowsTokenRoleProvider & Domain Groups
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 22 Feb 2007 15:32:04 -0600
I see what you are doing. Coding to the membership APIs is probably your
best bet then, as it gives your customers more flexibility.
The easiest way to get a DirectoryEntry from a SearchResult is just to call
GetDirectoryEntry. That's what I'd do.
You can also get the tokenGroups attribute from a SearchResult, but you have
to execute another search to do it, so it is easier just to use the
DirectoryEntry, as you need a DirectoryEntry pointing to the user itself to
use as the search root for the DirectorySearcher.
The reason for this is that tokenGroups is a special constructed attribute
that can only be requested when the scope of the query is "Base". When you
are searching the entire directory to find the user by their username, you
are doing a subtree query.
Under the hood, the DirectoryEntry fills its property cache by doing a base
level query to itself, so the net result is the same as if you did another
search with the DirectorySearcher.
Anyway, I hope this extra explanation is helpful and not distracting. :)
One other advantage to coding to the membership APIs is that it gives you
the ability to use ADFS as another way to sign into the application in the
future. This gives you a reasonable way to sell your app in the ASP model
where you host it yourself on the public internet and provide SSO back to
your clients. Your clients could also use this for SSO internally if they
are using ADFS.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Craig Wagner" <MSDNNospam207@xxxxxxxxxxxxx> wrote in message
news:5C1DF7B4-F45B-42E9-A12B-44E0B4C7714B@xxxxxxxxxxxxxxxx
I don't understand why you need to use forms auth if you are going to use AD
as the auth store. What's the point?
We install our software at client sites. Some of them have AD and want to
use it, and others don't. There is also a requirement to allow a single
installation to work in a 'mixed mode' (think SQL Server).
We also deal with confidential health care data, and need to make sure our
application can time out the user and force them to re-authenticate, not just
let anyone who can access the machine launch the app.
The reason our clients are requesting support for AD as the auth store is
not to create a single sign-on environment, but only to allow our clients to
centralize their user and group membership maintenance.
Hope that answers the question.
I've already got the code from the end of chapter 10 returning the list of
groups to which the user belongs. Very sweet. The one thing I haven't quite
figured out all the way is that the RefreshCache needs to be called on a
DirectoryEntry object, but I've got a SearchResult object. What I'm doing for
the time being at least is the following:
    DirectoryEntry entry = new DirectoryEntry(
        ConfigurationManager.ConnectionStrings["ADService"].ConnectionString,
        null, null, AuthenticationTypes.Secure );
    DirectorySearcher dsearch = new DirectorySearcher( entry );
    string name = txtUserToFind.Text;
    // Subtree search for a normal user account (sAMAccountType 805306368) by logon name.
    // Note: 'name' is concatenated into the filter exactly as typed, with no LDAP filter escaping.
    dsearch.Filter = "(&(sAMAccountType=805306368)(sAMAccountName=" + name + "))";
    SearchResult searchResult = dsearch.FindOne();
    if( searchResult != null && searchResult.Properties.Contains( "adspath" )
        && searchResult.Properties["adspath"].Count > 0 )
    {
        // Re-bind to the found object so RefreshCache can be called on a DirectoryEntry.
        DirectoryEntry user = new DirectoryEntry(
            searchResult.Properties["adspath"][0].ToString(), null, null,
            AuthenticationTypes.Secure );
        // Base-scope read of the user object; tokenGroups is only returned at this scope.
        user.RefreshCache( new string[] { "tokenGroups" } );
        // ... read user.Properties["tokenGroups"] here
    }
It may not be the most efficient approach in the world, but it seems like it
would work in a wide range of (if not all) installations. I'll be going out
after work today to try to find a copy of your book and see if I can find a
more efficient way of getting the info I need from AD.
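The lookup Joe describes, written out as an added example (this is not code from the original thread or from the book): a subtree search locates the user, SearchResult.GetDirectoryEntry binds to that object, and RefreshCache issues the base-scope read that is the only way to get the constructed tokenGroups attribute. Unlike the snippet quoted above, the filter value is escaped before it is concatenated, so a typed "*" or ")" cannot change the query. The binary SIDs are converted with SecurityIdentifier and resolved to names where the machine can map them. The LDAP path and logon name in Main are placeholders, and the helper names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example: find a user by sAMAccountName (subtree search), then read the
// constructed tokenGroups attribute with a base-scope read via RefreshCache.
static class TokenGroupsExample
{
    // Escape a value for use inside an LDAP search filter (RFC 4515), so that
    // user-supplied input cannot alter the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the SIDs of every group in the user's token (direct and nested
    // membership, computed by the DC), or null if no such user exists.
    public static List<SecurityIdentifier> GetTokenGroups(string ldapPath, string samAccountName)
    {
        using (var root = new DirectoryEntry(ldapPath, null, null, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            // Subtree search to find the user; tokenGroups cannot be requested here.
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(sAMAccountType=805306368)(sAMAccountName="
                + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");

            SearchResult result = searcher.FindOne();
            if (result == null)
                return null;

            // GetDirectoryEntry binds to the found object. RefreshCache then does a
            // base-scope read of that one object, the only scope that returns tokenGroups.
            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                user.RefreshCache(new[] { "tokenGroups" });
                var sids = new List<SecurityIdentifier>();
                foreach (byte[] raw in user.Properties["tokenGroups"])
                    sids.Add(new SecurityIdentifier(raw, 0));
                return sids;
            }
        }
    }

    // Translate SIDs to DOMAIN\Group names. SIDs this machine cannot map (for
    // example, from a foreign forest) are kept in their S-1-5-... string form.
    public static List<string> ResolveNames(IEnumerable<SecurityIdentifier> sids)
    {
        var names = new List<string>();
        foreach (SecurityIdentifier sid in sids)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value);
            }
        }
        return names;
    }

    static void Main(string[] args)
    {
        // Placeholder values; pass a real LDAP path and logon name on the command line.
        string ldapPath = args.Length > 0 ? args[0] : "LDAP://DC=example,DC=com";
        string user = args.Length > 1 ? args[1] : "jdoe";

        List<SecurityIdentifier> sids = GetTokenGroups(ldapPath, user);
        if (sids == null)
        {
            Console.WriteLine("user not found: " + user);
            return;
        }
        foreach (string name in ResolveNames(sids))
            Console.WriteLine(name);
    }
}
```

Build with a reference to System.DirectoryServices and run on a domain-joined machine under an account that can read the user object. Because tokenGroups is computed by the DC that answers the base-scope read, query a DC in the user's own domain if domain-local group membership matters; the IdentityNotMappedException branch is what keeps the list intact when a SID cannot be resolved locally.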