Re: Authenticate Against localhost and AD
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 06/28/04
- Next message: Michał Januszczyk: "Re: Authenticate Against localhost and AD"
- Previous message: Michał Januszczyk: "Authenticate Against localhost and AD"
- In reply to: Michał Januszczyk: "Authenticate Against localhost and AD"
- Next in thread: Michał Januszczyk: "Re: Authenticate Against localhost and AD"
- Reply: Michał Januszczyk: "Re: Authenticate Against localhost and AD"
Date: Mon, 28 Jun 2004 09:21:47 -0500
A couple of things:
ASPNET can definitely talk to Active Directory. However, you may need to
supply a domain controller name in your LDAP path as well as valid domain
credentials, depending on what you are binding to. If you just want to test
user names and passwords via a DirectoryEntry bind, this will work fine.
Make sure you use the LDAP provider, though.
For authenticating against local machine accounts, the WinNT provider is not
well suited for this as it has all sorts of problems binding with different
credentials in the same process. It would probably be better to call the
LogonUser API to test the user's credentials (although you'll need high
privileges to call this API in Win2K). LogonUser can also validate domain
credentials.
Instead of doing this authentication in code, is it possible for you to
leverage IIS security to do this work for you?
Joe K.
"Michal Januszczyk" <MichaJanuszczyk@discussions.microsoft.com> wrote in
message news:C10D63AA-6F9B-471A-AB7B-65B2EDF8EB55@microsoft.com...
> Hello.
>
> I've got the following problem:
>
> There is a web application (ASP.NET), that needs to
> authenticate users against local machine and Active Directory.
> By default, the application works as ASPNET account (Win2000, XP).
> When working on the ASPNET account the application is able to do the
> following:
>
>
> string path = "WinNT://" + Environment.MachineName + ",computer";
> DirectoryEntry entry = new DirectoryEntry(path, username, pwd);
> try
> {
>     // force authentication (reading a property triggers the bind)
>     Object o = entry.NativeGuid;
>
>     // authentication succeeded
> }
> catch (System.Runtime.InteropServices.COMException)
> {
>     // authentication failed (a failed bind surfaces as a COMException)
> }
>
> When run as the ASPNET account, the code works correctly.
> However, when run as the SYSTEM account, an exception is thrown.
>
>
> I need to switch to the SYSTEM account, because I also need to authenticate
> users in Active Directory, and ASPNET this time cannot connect to AD,
> whereas the SYSTEM account can.
>
> So, currently I can authenticate users either in the local system (when run as
> ASPNET) or in AD (when run as SYSTEM), but not concurrently (i.e.
> I cannot do this without restarting the process).
>
>                SYSTEM   ASPNET
> LOCAL USERS      -        +
> DOMAIN USERS     +        -
>
>
> Questions:
> 1. Is there any way to grant the local ASPNET account the ability to connect to AD?
> 2. Is there any way to allow the SYSTEM account to authenticate users against
> the local machine? (The inability seems ridiculous...)
> (Note: I cannot temporarily use impersonation [SYSTEM is granted the right to
> impersonate someone else] to check credentials, since the application is
> a multi-user system and the fraction of time the app would work as somebody
> else (not SYSTEM but e.g. John.Smith) would lead to errors. OK, I
> might lock the entire application functionality when somebody performs a logon,
> but this would be hugely ineffective and would require redesigning
> plenty of code. (The application is pretty complex.))
>
>
> Thanks for help
> Michal
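As an added example (not code from either post in this thread), the two approaches Joe recommends, written in C#: validating domain credentials with an LDAP bind through DirectoryEntry against an explicitly named domain controller, and validating local machine (or domain) credentials with the LogonUser Win32 API via P/Invoke. The domain controller name, domain name and account names are placeholders, and the `CredentialCheck` class and its method names are my own.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not from the thread. Placeholder names throughout.
static class CredentialCheck
{
    // Approach 1 (domain accounts): LDAP bind via DirectoryEntry.
    // Naming a domain controller in the path avoids the serverless-bind
    // locator step that can fail under the ASPNET account. AuthenticationTypes.Secure
    // uses Negotiate (Kerberos/NTLM), so the password is not sent in clear text.
    public static bool ValidateViaLdap(string domainController, string domain,
                                       string user, string password)
    {
        string path = "LDAP://" + domainController;
        using (DirectoryEntry entry = new DirectoryEntry(
                   path, domain + "\\" + user, password, AuthenticationTypes.Secure))
        {
            try
            {
                // Reading any property forces the bind; a bad password throws.
                object native = entry.NativeObject;
                return true;
            }
            catch (COMException)
            {
                // Typical failure here is the "logon failure" HRESULT (0x8007052E).
                return false;
            }
        }
    }

    // Approach 2 (local machine accounts, also works for domain accounts): LogonUser.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    const int LOGON32_LOGON_NETWORK = 3;   // does not require the "log on locally" right
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Pass "." as the domain to check an account local to this machine.
    // Returns true on success; win32Error carries the failure code otherwise
    // (1326 = ERROR_LOGON_FAILURE, 1385 = ERROR_LOGON_TYPE_NOT_GRANTED, ...).
    public static bool ValidateViaLogonUser(string domain, string user, string password,
                                            out int win32Error)
    {
        IntPtr token;
        bool ok = LogonUser(user, domain, password,
                            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
        if (ok)
        {
            // We only wanted the verdict. The token is closed immediately and
            // never used to impersonate, so the process identity never changes.
            CloseHandle(token);
            win32Error = 0;
            return true;
        }
        win32Error = Marshal.GetLastWin32Error();
        return false;
    }

    static void Main()
    {
        // Placeholder values; replace with real names to run this.
        bool adOk = ValidateViaLdap("dc01.example.local", "EXAMPLE", "jsmith", "secret");
        int err;
        bool localOk = ValidateViaLogonUser(".", "localuser", "secret", out err);
        Console.WriteLine("AD bind: {0}, local LogonUser: {1} (error {2})", adOk, localOk, err);
    }
}
```

Two design points follow from the thread. First, the token returned by LogonUser is closed on the spot rather than passed to WindowsIdentity.Impersonate, which is exactly the multi-user concern Michal raises: the verdict is obtained without the worker process ever running as the tested user. Second, as Joe notes, LogonUser on Windows 2000 requires elevated privilege (SeTcbPrivilege) in the calling process; granting that to a web worker process widens what a compromised application can do, so on that platform the LDAP bind for domain accounts, or letting IIS perform the authentication, is the safer choice.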