Re: Authenticate Against localhost and AD

From: Michał Januszczyk (MichaJanuszczyk_at_discussions.microsoft.com)
Date: 06/28/04


Date: Mon, 28 Jun 2004 08:05:01 -0700


"Joe Kaplan (MVP - ADSI)" wrote:
> ASPNET can definitely talk to Active Directory. However, you may need to
> supply a domain controller name in your LDAP path as well as valid domain
> credentials depending on what you are binding to. If you just want to test
> user names and passwords via a DirectoryEntry bind, this will work fine.
> Make sure you use the LDAP provider though.

Currently I'm using the following code to talk to the DC:

using System.DirectoryServices;

string path = @"LDAP://CN=Users,DC=mydomain,DC=com";
DirectoryEntry entry = new DirectoryEntry(path, domainAndUsername, pwd);
DirectorySearcher search = null;
try
{
    // Bind to the native AdsObject to force authentication.
    Object obj = entry.NativeObject;
    ...
}

What can I change here to make the ASPNET account connect (and talk) to AD?

> For authenticating against local machine accounts, the WinNT provider is not
> well suited for this as it has all sorts of problems binding with different
> credentials in the same process. It would probably be better to call the
> LogonUser API to test the user's credentials (although you'll need high
> privileges to call this API in Win2K). LogonUser can also validate domain
> credentials.

I cannot use the LogonUser function, since this would make the whole application work as another user for a fraction of time. If the application were required to do something that the "current account" cannot do, there would be an error. This is quite improbable, but it may happen. I might use locking here, but I would have to enforce locking in many places in the application (the app simultaneously serves many users).

> Instead of doing this authentication in code, is it possible for you to
> leverage IIS security to do this work for you?

I cannot do that since I'm using forms authentication.
The application allows the use of application-specific accounts
(if somebody does not want to use Windows accounts), local machine
Windows accounts (an authentication code example has been provided),
and domain-wide accounts, if the machine is connected to a domain.

Thank You
Michał
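An added example, not code from the original post: the DirectoryEntry bind above, rewritten the way Joe Kaplan's reply suggests, with a named domain controller in the LDAP path, the LDAP provider, and secure (Kerberos/NTLM) authentication so the tested password is not sent in clear text. Because the bind is made with the credentials being tested, it does not depend on the identity of the worker process. The host name "dc01.mydomain.com", the base DN and the sample user name are assumptions for illustration.

```csharp
// Added example (not from the original thread). Assumed values: the DC host
// "dc01.mydomain.com", the base DN "DC=mydomain,DC=com" and the sample user.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class AdCredentialCheck
{
    // Returns true only if an LDAP bind with the supplied credentials succeeds.
    public static bool ValidateCredentials(string dcHostName, string baseDn,
                                           string domainAndUsername, string password)
    {
        // Refuse empty input: an LDAP bind with an empty password can be
        // treated by the server as an anonymous bind, which "succeeds"
        // without proving anything about the user.
        if (string.IsNullOrEmpty(domainAndUsername) || string.IsNullOrEmpty(password))
            return false;

        // Name a specific DC in the path (LDAP://server/DN) so the bind does not
        // depend on serverless binding from a machine account that may not be
        // able to locate the domain. Secure selects Kerberos/NTLM instead of a
        // simple bind; Sealing additionally encrypts the LDAP traffic.
        string path = "LDAP://" + dcHostName + "/" + baseDn;
        AuthenticationTypes authTypes = AuthenticationTypes.Secure
                                      | AuthenticationTypes.Sealing;

        using (DirectoryEntry entry =
               new DirectoryEntry(path, domainAndUsername, password, authTypes))
        {
            try
            {
                // Reading NativeObject forces the bind; a wrong password raises
                // a COMException here (HRESULT 0x8007052E, logon failure).
                object native = entry.NativeObject;
                return native != null;
            }
            catch (COMException)
            {
                // Bad password, disabled or locked account, or DC unreachable:
                // report "not authenticated" rather than leaking the exception
                // to the forms-authentication login page.
                return false;
            }
        }
    }

    public static void Main()
    {
        // Sample call with assumed values; the password would come from the login form.
        bool ok = ValidateCredentials("dc01.mydomain.com", "DC=mydomain,DC=com",
                                      @"MYDOMAIN\jdoe", "password-from-form");
        Console.WriteLine(ok ? "authenticated" : "rejected");
    }
}
```

Treating every bind failure as "rejected" is deliberate: distinguishing "wrong password" from "DC unreachable" is useful in the application log, but the login page should show the same generic failure for both.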
