Re: ADSI - Able to authenticate but unable to get memberOf informa



The DuplicateToken was left over from the impersonation (I originally got it
from an example I found). I changed the logon type to Network, it works
great on my local box but now the LogonUser method returns false (when
deployed to the server in the DMZ).

Current clkLogin method -

protected void clkLogin(object sender, EventArgs e)
{
    IntPtr iptrUserToken = IntPtr.Zero;
    try
    {
        bool bAuthenticated =
            LDAP.LogonUser(txtUserName.Text,
                           GatewayAdministrationWebConfig.AuthenticationDomain,
                           txtPassword.Text,
                           LDAP.LogonSessionType.Network,
                           LDAP.LogonProvider.Default,
                           out iptrUserToken);
        if (!bAuthenticated)
        {
            return;
        }
        else
        {
            using (WindowsIdentity winIdentity = new WindowsIdentity(iptrUserToken))
            {
                IdentityReferenceCollection colRefIdentity =
                    winIdentity.Groups.Translate(typeof(NTAccount));
                foreach (IdentityReference refIdentity in colRefIdentity)
                {
                    if (refIdentity.Value.ToUpper().CompareTo([AD Group]) == 0)
                    {
                        FormsAuthenticationTicket authTicket =
                            new FormsAuthenticationTicket(1,
                                                          txtUserName.Text,
                                                          DateTime.Now,
                                                          DateTime.Now.AddMinutes(60),
                                                          false,
                                                          string.Empty);
                        string sTicket = FormsAuthentication.Encrypt(authTicket);
                        HttpCookie cookieTicket =
                            new HttpCookie(FormsAuthentication.FormsCookieName, sTicket);
                        Response.Cookies.Add(cookieTicket);
                        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text, false));
                        break;
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Rethrow without resetting the stack trace ("throw ex;" would lose it).
        throw;
    }
    finally
    {
        // Free the token
        if (iptrUserToken != IntPtr.Zero)
            LDAP.CloseHandle(iptrUserToken);
    }
}

"Joe Kaplan" wrote:

I don't understand why you are calling DuplicateToken. You don't need that,
do you? You also don't use the token for building the WindowsIdentity in
the code below, so that is a little strange.

I think the main problem is that you are using the NewCredentials logon type
here. That type of token only transitions to the user's token when you use
the network. For a local token, you should use Network logon type.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
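For comparison, here is an added example (not from the original post or from the poster's LDAP wrapper) of the same logon-and-group-check flow with the Network logon type Joe recommends, the LogonUser P/Invoke declared directly, and the Win32 error code surfaced when the logon fails, since "returns false" on the DMZ box tells you nothing without it. The group check compares SIDs instead of upper-cased NTAccount strings. The group and domain names are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not the poster's code. Assumes a domain-joined host that can reach a DC.
static class NetworkLogonCheck
{
    // Values from winbase.h.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns true when the credentials are valid and the account is a member of
    // groupName (e.g. "MYDOMAIN\\Portal Users", a placeholder). Throws Win32Exception
    // carrying the real error code when LogonUser fails instead of silently returning false.
    public static bool IsMemberOf(string user, string domain, string password, string groupName)
    {
        IntPtr token = IntPtr.Zero;
        try
        {
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                           LOGON32_PROVIDER_DEFAULT, out token))
            {
                // Error 1326 = bad credentials, 1385 = logon type not granted to the account;
                // this is the first thing to read when it fails only on the DMZ server.
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }
            using (WindowsIdentity identity = new WindowsIdentity(token))
            {
                // Resolve the group name to a SID once, then compare SIDs: no case or
                // "DOMAIN\" prefix issues, and the DC is queried only once.
                SecurityIdentifier groupSid = (SecurityIdentifier)
                    new NTAccount(groupName).Translate(typeof(SecurityIdentifier));
                return new WindowsPrincipal(identity).IsInRole(groupSid);
            }
        }
        finally
        {
            // Always release the logon token.
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```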