Active Directory Authentication

Status
Not open for further replies.

Juice05

Programmer
Dec 4, 2001
247
US
I have an ASP.NET application (VB) that allows users to enter client information. Each user has different clients, and each user shouldn't be allowed to see other users' clients. The application uses Windows authentication.

Our Active Directory contains a field that I am querying to find out what program this user belongs to and by that I can tell what clients they should be able to view.

My problem is that I want to be able to use the Windows authentication from the form to access/query the Active Directory. I am trying to accomplish this without using:

Code:
Dim myDirectory As New DirectoryEntry(<Path>, <HardcodedUserName>, <HardcodedPassword>)

If I need to explain in more detail or if the code would help please let me know.

Thanks in advance for your help.
 
The application has users that belong to Programs. Each program has a list of clients that they serve. Now, each user should only have access to the clients within their program.

I am using Windows Authentication to ensure that only employees have access to the application. Each employee has a value in the "office" field, referenced by "physicalDeliveryOfficeName" within the code below. In the code below I am using a username and password to gain access to the information within Active Directory. My question is, is there a way to use Windows Authentication to access the Active Directory information? If not, then how can I gain access without using a hard coded username and password?

Code:
'At the top of the code-behind file
Imports System.DirectoryServices

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        'Put user code to initialize the page here
        Dim User As String = Request.ServerVariables("LOGON_USER")

        Dim Program As String = GetUserInfo(User, "physicalDeliveryOfficeName")

    End Sub


Public Function GetUserInfo(ByVal inSAM As String, ByVal inType As String) As String
        Try

            Dim sPath As String = "LDAP://<domain.com>/DC=<Domain>,DC=com"
            'LOGON_USER arrives as DOMAIN\user; keep only the account name
            Dim SamAccount As String = Right(inSAM, Len(inSAM) - InStr(inSAM, "\"))
            Dim myDirectory As New DirectoryEntry(sPath, <hard coded username>, <hard coded password>)
            Dim mySearcher As New DirectorySearcher(myDirectory)
            Dim mySearchResultColl As SearchResultCollection
            Dim mySearchResult As SearchResult
            Dim myResultPropColl As ResultPropertyCollection
            Dim myResultPropValueColl As ResultPropertyValueCollection
            'Build LDAP query
            mySearcher.Filter = ("(&(objectClass=user)(samaccountname=" & SamAccount & "))")
            mySearchResultColl = mySearcher.FindAll()
            'I expect only one user from search result
            Select Case mySearchResultColl.Count
                Case 0
                    Return "Null"
                Case Is > 1
                    Return "Null"
            End Select

            'Get the search result from the collection
            mySearchResult = mySearchResultColl.Item(0)

            'Get the Properties, they contain the useful info
            myResultPropColl = mySearchResult.Properties

            'displayname, mail
            'Retrieve from the properties collection the requested attribute (e.g. display name, email) of the user
            myResultPropValueColl = myResultPropColl.Item(inType)
            Return CStr(myResultPropValueColl.Item(0))

        Catch ex As System.Exception

            'do some error return here.
            Return "Null"
        End Try
    End Function
 
I am not sure why this is a concern. But, no matter how you do it, you will need to specify a UN and PW in order to search the AD.
 
My concern is putting a network username and password in a file that resides on the server. Why can't I get it to work with the username and password that is already there for Windows authentication?

Plus, if I put in a username and password, every time the password is changed on that account I will have to change it in the code.
 
I can't answer that question. The constructor requires the UN and PW.
 
I have done AD validation ... in C# with Windows authentication.
My understanding is you can use Windows authentication provided IIS access to these pages is not anonymous and not I_USER...
Your code must be inSync with the IIS settings. Here is a code snippet:

using System.DirectoryServices;

// strDC: domain controller or domain name; uid: account name to look up.
// No credentials are passed, so the bind uses the identity the page runs under.
static SearchResult FindUser(string strDC, string uid)
{
    string strDomainController = "LDAP://" + strDC;

    string filter = "(&(&(objectClass=user)(SAMAccountName=" + uid.Trim() + ")))";

    // Connect
    System.DirectoryServices.DirectoryEntry entry =
        new System.DirectoryServices.DirectoryEntry(strDomainController);

    // Search object
    System.DirectoryServices.DirectorySearcher mySearcher =
        new System.DirectoryServices.DirectorySearcher(entry);

    // Search filters
    mySearcher.Filter = filter;

    mySearcher.SearchScope = SearchScope.Subtree;

    SearchResult mySearchResult = mySearcher.FindOne();
    if (mySearchResult != null)
    {
        // do processing
    }
    return mySearchResult;
}
 
I am trying to convert this to VB but am having some issues.

What do you mean by:

Your code must be inSync with the IIS settings.
 
Your code works if I apply a username and password. If I don't then I return no results. How did you get
Your code must be inSync with the IIS settings.
 
The way I tried was:
Turn off anonymous login to this site and use Windows authentication instead. The only problem here was it will prompt the user for login/pwd on Netscape and Firefox.
As an alternative to the prompts:
create an AD user for this purpose only. Create an application pool in IIS for this user and use this application pool for all reads. Get the AUTH_USER/LOGON_USER server variable to get the userid.
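The following is an added example, not code from any poster in this thread. It shows the approach the last reply describes: the page runs in an application pool whose identity is a dedicated AD account, so the DirectoryEntry is created with no username or password and binds as that process identity, and LOGON_USER only supplies which user to look up. Two things are added beyond the original snippets: the account name is escaped before it is placed in the LDAP filter, and the bind requests a secure, sealed connection. The LDAP path, the module name and the helper function names are assumptions for the example.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Text

' Hypothetical helper module (not from the thread).
Public Module AdLookup

    ' Escape a value for use inside an LDAP search filter (RFC 4515 rules)
    ' so that a crafted account name cannot change the filter's meaning.
    Public Function EscapeLdapFilterValue(ByVal value As String) As String
        If value Is Nothing Then Return String.Empty
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' LOGON_USER arrives as DOMAIN\user; keep only the sAMAccountName part.
    Public Function SamFromLogonUser(ByVal logonUser As String) As String
        If String.IsNullOrEmpty(logonUser) Then Return String.Empty
        Dim pos As Integer = logonUser.LastIndexOf("\"c)
        If pos < 0 Then Return logonUser
        Return logonUser.Substring(pos + 1)
    End Function

    ' Read one attribute of the logged-on user. No credentials are passed, so the
    ' bind runs as the application-pool identity (the dedicated AD account), which
    ' only needs read permission on the attribute being requested.
    Public Function GetUserAttribute(ByVal ldapPath As String, _
                                     ByVal logonUser As String, _
                                     ByVal attribute As String) As String
        Dim sam As String = EscapeLdapFilterValue(SamFromLogonUser(logonUser))
        If sam.Length = 0 Then Return Nothing

        Using root As New DirectoryEntry(ldapPath)
            ' Kerberos/NTLM bind with signing and sealing; no password in the code
            root.AuthenticationType = AuthenticationTypes.Secure Or AuthenticationTypes.Sealing

            Dim filter As String = _
                "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" & sam & "))"

            ' Ask only for the attribute we need instead of the whole object
            Using searcher As New DirectorySearcher(root, filter, New String() {attribute})
                searcher.SearchScope = SearchScope.Subtree
                searcher.SizeLimit = 2   ' two hits means the name is ambiguous

                Using results As SearchResultCollection = searcher.FindAll()
                    ' Exactly one account must match, as in the original GetUserInfo
                    If results.Count <> 1 Then Return Nothing
                    Dim values As ResultPropertyValueCollection = results(0).Properties(attribute)
                    If values Is Nothing OrElse values.Count = 0 Then Return Nothing
                    Return Convert.ToString(values(0))
                End Using
            End Using
        End Using
    End Function

End Module

' In Page_Load (assumed LDAP path; the attribute name is the one from the thread):
'   Dim program As String = AdLookup.GetUserAttribute( _
'       "LDAP://DC=example,DC=com", _
'       Request.ServerVariables("LOGON_USER"), _
'       "physicalDeliveryOfficeName")
```

Because the lookup is keyed on LOGON_USER rather than on anything the user types, the client list the page shows is tied to the identity IIS authenticated, and the only secret involved is the application-pool account's password, which lives in IIS rather than in the source file.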
 